Configure time-based backup immutability for long-term retention backups in Azure SQL Database

Applies to: Azure SQL Database

In this article, learn how to configure time-based backup immutability for long-term retention (LTR) backups in Azure SQL Database.

Backup immutability for long-term retention backups is available in two modes: time-based immutability and legal hold immutability.

To configure time-based backup immutability for future backups, you create an LTR policy, enable the policy, and then lock it. Once the policy is locked, backups can't be deleted or modified until the retention period expires.

Prerequisites

  1. An active Azure subscription.
  2. An existing Azure SQL Database.
  3. Existing long-term retention (LTR) backups.

Permissions

To configure backup immutability for LTR backups and to delete LTR backups, you need to be a member of the Subscription Contributor role, or have higher permissions, for the logical server of the Azure SQL Database.

For permissions to view, manage, and delete LTR backups, see Manage Azure SQL Database long-term backup retention.

Create time-based immutability policy for LTR backups

Important

Only backups taken after enabling and locking the policy will be immutable. To make existing backups immutable, instead use legal hold immutability.

To enable and lock time-based immutability from the Azure portal:

  1. Navigate to your Azure SQL Database logical server.

  2. Under Data management, navigate to the Backups tab.

  3. Select the Retention Policies tab.

  4. Choose the database.

  5. Select Configure Policies.

    Screenshot from the Azure portal of the page to manage database backups.

  6. In the Configure policies page, under LTR Immutability, check the box to Enable time-based immutability policy.

  7. Check the box to Lock the time-based immutable policy. Backups aren't immutable until the policy is locked. If you choose not to lock the policy, you'll need to manually lock backups to enable immutability.

    Screenshot from the Azure portal of the Configure policies page. The Enable time-based immutability policy and Lock time-based immutability policy checkboxes are checked.

Lock immutability for backups

You can choose to enable but not lock the time-based immutability policy.

For backups that have immutability enabled but not locked, there are two options:

  • Lock the immutability.
  • Remove immutability for each backup.

Locking immutability for specific backups can be done as follows:

To lock time-based immutability on backups from the Azure portal:

  1. Navigate to your Azure SQL Database logical server.
  2. Under Data management, navigate to the Backups tab.
  3. Go to the Manage section under Available LTR Backups.
  4. Select one or more backups that have time-based immutability enabled but not locked.
  5. Select the Lock button to apply immutability.

Remove immutability for backups

For backups that have immutability enabled but not locked, the immutability can be removed as follows:

To remove immutability on a backup from the Azure portal:

  1. Navigate to your Azure SQL Database logical server.
  2. Under Data management, navigate to the Backups tab.
  3. Go to the Manage section under Available LTR Backups.
  4. Select one or more backups that have time-based immutability enabled but not locked.
  5. Select the Disable button to remove immutability.

Disable immutability policy

Immutability can be disabled from the LTR policy configuration page in the Azure portal, or by using PowerShell.

Once immutability is disabled, new LTR backups taken from this point on aren't protected by immutability. Existing LTR backups that are already locked as immutable, however, continue to be immutable.

To disable a backup immutability policy in the Azure portal:

  1. Navigate to your Azure SQL Database logical server.
  2. Under Data management, navigate to the Backups tab.
  3. Select the Retention Policies tab.
  4. Choose the database.
  5. Select Configure Policies.
  6. Uncheck Enable time-based immutability policy.