Azure Azure Backup Azure PowerShell

Azure Backup: Delete a Recovery Services vault and all cloud backup items with Azure PowerShell



A Recovery Services vault is an online storage entity used to backup workloads in or to Azure based on the Azure Resource Manager model.

Sometimes you need to delete a vault with all it’s cloud backup (protected) items, such as IaaS virtual machines (VMs) backups and backups for SQL Server databases running in those VMs.

But this is not as easy as it sounds, and this because you should know that you cannot delete a vault that contains any protected data sources or contains any backup data, or backup items in a soft deleted state.

If you try to delete the vault without removing any type of protected data sources or backup items, you will encounter one of the following error messages, depending on the way you delete the vault.


As the error message indicates, the vault is still holding some backup items.


Because it takes some time to clean up all these different cloud backup items and the Recovery services vault itself trough the Azure Portal, I always use the below Azure PowerShell script to do all the work for me.

This Azure PowerShell script will do all of the following:

  • Check if the PowerShell window is running as Administrator (which is a requirement), otherwise the Azure PowerShell script will be exited.
  • Disable soft delete for the Azure Backup Recovery Services vault.
  • After disabling soft delete, checks if there are cloud backup items in a soft-deleted state and if so reverse the delete operation.
  • Stop protection and delete data for all cloud backup-protected items.
  • Delete the Recovery Services vault.
  • Delete the resource group holding the Recovery Services vault and the one used for the instant recovery, and this without confirmation.


To use the script copy and save it as Delete-an-Azure-Backup-RecoveryServices-vault.ps1 or download it from GitHub. Then before using the script, adjust all variables to your use (you can find an adjusted example in a screenshot below) and then run the customized script with Administrator privileges from Windows TerminalVisual Studio Code, or Windows PowerShell. Or you can simply run it from Cloud Shell.


Azure PowerShell script

If you are not running the script from Cloud Shell, don’t forget to sign in with the Connect-AzAccount cmdlet to connect your Azure account. And if you are using multiple Azure subscriptions, select the proper subscription with the Get-AzSubscription cmdlet before running the script.


<#

.SYNOPSIS

A script used to delete an Azure Backup Recovery Services vault and all cloud backup items.

.DESCRIPTION

A script used to delete an Azure Backup Recovery Services vault. 
First of all the script will check if PowerShell runs as an Administrator (when not running from Cloud Shell), otherwise the script will be exited as this is required.
Next soft delete is disabled for the selected , and all soft-deleted backup items are reversed.
Then all cloud backup items are removed before the Recovery Services vault is removed. 
Afterwards the resource groups holding the Recovery Services vault and the one used for the instant recovery are deleted.

.NOTES

Filename:       Delete-an-Azure-Backup-RecoveryServices-vault.ps1
Created:        17/11/2020
Last modified:  19/10/2021
Author:         Wim Matthyssen
PowerShell:     Azure PowerShell or Azure Cloud Shell
Version:        Install latest Azure PowerShell modules 
Action:         Change variables where needed to fit your needs
Disclaimer:     This script is provided "As Is" with no warranties.

.EXAMPLE

.\Delete-an-Azure-Backup-RecoveryServices-vault.ps1

.LINK

https://wmatthyssen.com/2020/11/17/azure-backup-remove-a-recovery-services-vault-and-all-cloud-backup-items-with-azure-powershell/
#>

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

$rgBackup = #<your Recovery Services vault rg here> The Azure resource group in which the Recovery Services vault is stored. Example: "rg-hub-myh-backup"
$rgBackupInstanRecovery = #<your Instant restore rg here> The Azure resource group in which the instant recovery snapshots are stored. Example: "rg-hub-myh-backup-irp-01"
$vaultName = #<your Recovery Services vault name here> The name of the recovery Service vault resource you want to delete. Example: "rsv-bck-hub-myh-weu-01"
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgBackup -Name $vaultName

$global:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Red"
$foregroundColor2 = "Yellow"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if PowerShell runs as Administrator (when not running from Cloud Shell), otherwise exit the script

if ($PSVersionTable.Platform -eq "Unix") {
    Write-Host ($writeEmptyLine + "# Running in Cloud Shell" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor1 $writeEmptyLine
    
    # Start script execution    
    Write-Host ($writeEmptyLine + "# Script started. Depending on the amount of backup data it can take some time to complete" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor1 $writeEmptyLine 
} else {
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdministrator = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

        # Check if running as Administrator, otherwise exit the script
        if ($isAdministrator -eq $false) {
        Write-Host ($writeEmptyLine + "# Please run PowerShell as Administrator" + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor1 $writeEmptyLine
        Start-Sleep -s 3
        exit
        }
        else {

        # If running as Administrator, start script execution    
        Write-Host ($writeEmptyLine + "# Script started. Depending on the amount of backup data it can take some time to complete" + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor1 $writeEmptyLine 
        }
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Suppress breaking change warning messages

Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Disable soft delete for the Azure Backup Recovery Services vault

Set-AzRecoveryServicesVaultProperty -Vault $vault.ID -SoftDeleteFeatureState Disable

Write-Host ($writeEmptyLine + " # Soft delete disabled for Recovery Service vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if there are backup items in a soft-deleted state and reverse the delete operation

$containerSoftDelete = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}

foreach ($item in $containerSoftDelete) {
    Undo-AzRecoveryServicesBackupItemDeletion -Item $item -VaultId $vault.ID -Force -Verbose
}

Write-Host ($writeEmptyLine + "# Undeleted all backup items in a soft deleted state in Recovery Services vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Stop protection and delete data for all backup-protected items

$containerBackup = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID | Where-Object {$_.DeleteState -eq "NotDeleted"}

foreach ($item in $containerBackup) {
    Disable-AzRecoveryServicesBackupProtection -Item $item -VaultId $vault.ID -RemoveRecoveryPoints -Force -Verbose
}

Write-Host ($writeEmptyLine + "# Deleted backup date for all cloud protected items in Recovery Services vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Delete the Recovery Services vault

Remove-AzRecoveryServicesVault -Vault $vault -Verbose

Write-Host ($writeEmptyLine + "# Recovery Services vault " + $vault.Name + " deleted" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Delete the resource groups holding the Recovery Services vault and the one used for the instant recovery and this without confirmation

Get-AzResourceGroup -Name $rgBackup | Remove-AzResourceGroup -Force -Verbose
Get-AzResourceGroup -Name $rgBackupInstanRecovery | Remove-AzResourceGroup -Force -Verbose

Write-Host ($writeEmptyLine + "# Resource groups " + $vault.ResourceGroupName + " and " + $rgBackupInstanRecovery + " deleted" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script completed

Write-Host ($writeEmptyLine + "# Script completed" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Different steps in the script

In the script we can break down the following steps:

First of all Soft Delete is disabled for the Azure Backup Recovery Services vault.


Then the script checks if there are backup items in a soft-deleted state and if so it will reverse the delete operation.


Next it will stop protection and delete all data for the cloud backup-protected items.


When all cloud backup items are removed the Recovery Services vault is deleted.


And finally the script removes the resource group which held the Recovery Services vault and the one used for the instant recovery without confirmation.



I hope this Azure PowerShell script is useful for you whenever you need to clean up and delete a Recovery Services vault and all it’s cloud backup items.

If you have any questions or recommendations about it, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment.


3 comments on “Azure Backup: Delete a Recovery Services vault and all cloud backup items with Azure PowerShell

  1. Pingback: Latest Cloud News: Apple On K8s, IoT, Microsoft Pluton And More! (November 20, 2020 – Build5Nines Weekly) | Build5Nines

  2. Pingback: Festive Tech Calendar 2020: Let’s help to get your Azure Backup implementation under control – Wim Matthyssen

  3. Thank you! This saved me tons of time today!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: