Azure Azure Backup Azure PowerShell

Azure Backup: Remove a Recovery Services vault and all cloud backup items with Azure PowerShell

A Recovery Services vault is an online storage entity used to backup workloads in or to Azure based on the Azure Resource Manager model.

Sometimes you need to delete a vault with all it’s cloud backup (protected) items, such as IaaS virtual machines (VMs) backups and backups for SQL Server databases running in those VMs.

But this is not as easy as it sounds, and this because you should know that you cannot delete a vault that contains any protected data sources or contains any backup data, or backup items in a soft deleted state.

If you try to delete the vault without removing any type of protected data sources or backup items, you will encounter one of the following error messages, depending on the way you delete the vault.

As the error message indicates, the vault is still holding some backup items.

Because it takes some time to clean up all these different cloud backup items and the Recovery services vault itself trough the Azure Portal, I always use the below Azure PowerShell script to do all the work for me.

This Azure PowerShell script will do all of the following:

  • Disable soft delete for the Azure Backup Recovery Services vault.
  • After disabling soft delete, checks if there are cloud backup items in a soft-deleted state and if so reverse the delete operation.
  • Stop protection and delete data for all cloud backup-protected items.
  • Delete the Recovery Services vault.
  • Delete the resource group holding the Recovery Services vault and the one used for the instant recovery, and this without confirmation.

At the moment the script only cleans up Azure Virtual Machine backup items. But it will be expanded later with the clean up off all other types of protected data sources and backup items.

Azure PowerShell script

To use the script copy and save it as Remove_an_Azure_Backup_Recovery_Services_vault.ps1 or download it from GitHub. First adjust all variables to your use and afterwards run the script with Administrator privileges from Windows Terminal, Windows PowerShell, Visual Studio Code or Azure Cloud Shell.



A script used to delete an Azure Backup Recovery Services vault and all cloud backup items.


A script used to delete an Azure Backup Recovery Services vault. First soft delete is disabled, and all soft-deleted backup items are reversed.
Then all cloud backup items are removed before the Recovery Services vault is removed. 
Afterwards the resource groups holding the Recovery Services vault and the one used for the instant recovery are removed.


Filename:       Remove_an_Azure_Backup_Recovery_Services_vault.ps1
Created:        17/11/2020
Last modified:  17/11/2020
Author:         Wim Matthyssen
PowerShell:     PowerShell 5.1; Azure PowerShell
Version:        Install latest Az modules
Action:         Change variables where needed to fit your needs
Disclaimer:     This script is provided "As IS" with no warranties.





## Variables

$global:currentTime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currentTime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Red"
$writeEmptyLine = "`n"
$writeSeperator = "-"
$writeSeperatorSpaces = " - "

$customerName ="myh"
$spoke = "hub"
$purpose = "backup"

$rgBackup = "rg" + $writeSeperator + $customerName + $writeSeperator + $spoke + $writeSeperator + $purpose
$rgBackupInstanRecovery = "rg" + $writeSeperator + $customerName + $writeSeperator + $spoke + $writeSeperator + $purpose + $writeSeperator + "irp" + $writeSeperator + "01"
$vaultName = "rsv" + $writeSeperator + $customerName + $writeSeperator + $spoke + $writeSeperator + "01"
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rgBackup -Name $vaultName

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Prerequisites

## Check if running as Administrator (when not running from Cloud Shell), otherwise close the PowerShell window

if ($PSVersionTable.Platform -eq "Unix") {
    Write-Host ($writeEmptyLine + "# Running in Cloud Shell" + $writeSeperatorSpaces + $currentTime)
} else {
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdministrator = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdministrator -eq $false) {
    Write-Host ($writeEmptyLine + "# Please run PowerShell as Administrator" + $writeSeperatorSpaces + $currentTime +$writeEmptyLine)`
    -foregroundcolor $foregroundColor1
        Start-Sleep -s 4
    exit} else {
        ## Import Az module into the PowerShell session

        Import-Module Az
        Write-Host ($writeEmptyLine + "# Az module imported" + $writeSeperatorSpaces + $currentTime +$writeEmptyLine)`
        -foregroundcolor $foregroundColor1

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Disable soft delete for the Azure Backup Recovery Services vault

Set-AzRecoveryServicesVaultProperty -Vault $vault.ID -SoftDeleteFeatureState Disable

Write-Host ($writeEmptyLine + " # Soft delete disabled for Recovery Service vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if there are backup items in a soft-deleted state and reverse the delete operation

$containerSoftDelete = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}

foreach ($item in $containerSoftDelete) {
    Undo-AzRecoveryServicesBackupItemDeletion -Item $item -VaultId $vault.ID -Force -Verbose

Write-Host ($writeEmptyLine + "# Undeleted all backup items in a soft deleted state in Recovery Services vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Stop protection and delete data for all backup-protected items

$containerBackup = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID | Where-Object {$_.DeleteState -eq "NotDeleted"}

foreach ($item in $containerBackup) {
    Disable-AzRecoveryServicesBackupProtection -Item $item -VaultId $vault.ID -RemoveRecoveryPoints -Force -Verbose

Write-Host ($writeEmptyLine + "# Deleted backup date for all cloud protected items in Recovery Services vault " + $vault.Name + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Delete the Recovery Services vault

Remove-AzRecoveryServicesVault -Vault $vault -Verbose

Write-Host ($writeEmptyLine + "# Recovery Services vault " + $vault.Name + " deleted" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Delete the resource groups holding the Recovery Services vault and the one used for the instant recovery and this without confirmation

Get-AzResourceGroup -Name $rgBackup | Remove-AzResourceGroup -Force -Verbose
Get-AzResourceGroup -Name $rgBackupInstanRecovery | Remove-AzResourceGroup -Force -Verbose

Write-Host ($writeEmptyLine + "# Resource groups " + $vault.ResourceGroupName + " and " + $rgBackupInstanRecovery + " deleted" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine

## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Different steps in the script

In the script we can break down the following steps:

First of all Soft Delete is disabled for the Azure Backup Recovery Services vault.

Then the script checks if there are backup items in a soft-deleted state and if so it will reverse the delete operation.

Next it will stop protection and delete all data for the cloud backup-protected items.

When all cloud backup items are removed the Recovery Services vault is deleted.

And finally the script removes the resource group which held the Recovery Services vault and the one used for the instant recovery without confirmation.

I hope this Azure PowerShell script is useful for you whenever you need to clean up a Recovery Services vault. If you have any questions or recommendations about it, feel free to contact me through my Twitter handle or just leave a comment.

%d bloggers like this: