How to Change a VM Backup Policy from Enhanced to Standard (Azure Backup)

Jessah Alogon 20 Reputation points
2025-11-26T03:55:52.26+00:00

I have a configured Enhanced backup policy and now I would like to change to Standard backup policies for the server. I already disabled soft delete and immutability, but it's not allowing me to change since the backup/restore points are still in soft delete. Is there any other way to forcibly delete the restore point right away (without waiting for soft delete retention), unregister the VM from the current RSV for it to be transferred to the new Standard backup policy?

Can you share with me the options I can do (including the only possible workaround if I urgently need the VM under a Standard policy)?

Azure Backup
An Azure backup service that provides built-in management at scale.

Answer accepted by question author
  1. Suchitra Suregaunkar 3,545 Reputation points Microsoft External Staff Moderator
    2025-11-26T04:48:53.3966667+00:00

    Hello Jessah Alogon

    Thank you for posting your query on Microsoft Q&A platform.

    You can migrate from Standard to Enhanced policy, but not the other way around. Once a VM’s backup item is on Enhanced policy, there’s no supported “switch back to Standard” operation.

    Soft delete is intentionally a safety net. When you delete backup data, the item enters soft‑deleted state and is kept for the configured retention (14–180 days). You can’t permanently remove those recovery points until the soft‑delete window has passed unless you follow the “undelete → delete again” path with soft delete disabled.

    Vault immutability (Enabled/Locked) further blocks destructive operations. If your vault is Locked, you cannot reduce retention or delete data until the policy’s retention is met.

    Enhanced → Standard is not supported, so simply “changing” the policy back fails by design. Even after you stop protection and choose “Delete backup data”, soft delete retains the item for the configured period to protect you from accidental/malicious deletion. During soft‑deleted state, expired points aren’t cleaned, and the vault can’t be deleted either.

    As a resolution, you have the workarounds below:

    Option A: Wait out soft‑delete retention, then re‑protect under Standard

    • Stop backup with “Delete backup data” so the item moves to soft‑deleted state.
    • After the retention window ends, the data is permanently removed.
    • Enable backup again for the VM and attach a Standard policy. This is the simplest path if you don’t urgently need Standard policy.

    Option B: Force permanent deletion now (region/setting dependent)

    If your vault/region still allows disabling soft delete (Secure‑by‑default is rolling out and in many regions you cannot toggle it), use this sequence:

    1. Disable soft delete on the vault (where permitted).
    2. Undelete the soft‑deleted backup item. This restores the item to “Stop protection (retain data)” state.
    3. Immediately Stop backup → Delete backup data again. With soft delete disabled, this permanently deletes recovery points right away, clearing the association.
    4. Re‑enable backup and attach a Standard policy.

    In many public regions, soft delete is enforced and can’t be modified in the portal; enforcement is part of “Secure by default.” If enforcement applies to your vault/region, you cannot use this path and must use Option A or C.

    Option C: Urgent operational workaround without losing past restore points

    You can retain your Enhanced‑policy history in the current vault and start fresh under Standard in a new vault, so you’re operationally on Standard now while still keeping the old restore points for compliance/audits.

    In the current vault, stop protection with retain data so the existing recovery points stay available.

    Create/choose a new Recovery Services vault where you’ll host the Standard policy. Vaults themselves can be moved across RGs/subscriptions, but backup data cannot be moved between vaults; you’re going to re‑protect the VM in the new vault.

    Move the VM to a temporary resource group, then enable backup in the new vault with a Standard policy. This documented trick lets Azure treat the protection association as “new” while leaving your earlier restore points in the old vault. After protection is enabled, you can move the VM back to its original RG.

    Azure does not allow a single VM to be protected in two vaults at the same time. You must stop protection in the old vault first (retain data).

    Keeping the old data in the original vault will incur ongoing backup storage charges until you delete it.

    1. If you’re not under time pressure → Use Option A (wait the retention, then re‑protect under Standard). It’s safest and simplest.
    2. If you urgently need Standard policy active now → Use Option C (retain data, re‑protect in a new vault with Standard after the temporary RG move). You keep historical restore points, and you’re on Standard immediately.
    3. If your region still allows toggling soft delete and you want to fully clear the item immediately → Use Option B (disable soft delete → undelete → delete again). Verify enforcement for your vault/region first.

    Confirm soft‑delete enforcement for your vault/region (“Secure by default”) so you know whether Option B is available.

    Reference: https://learn.microsoft.com/en-us/azure/backup/backup-azure-enhanced-soft-delete-configure-manage?tabs=recovery-services-vault

    Verify vault immutability state. If Locked, you won’t be able to reduce retention or delete until expiry; plan for Option A or C.

    Reference: https://techcommunity.microsoft.com/blog/azurestorageblog/achieve-enhanced-security-for-azure-backup-with-advancements-in-soft-delete-and-/4302355

    Understand cost impact of keeping old restore points in the original vault (Option C).

    Reference: https://docs.azure.cn/en-us/azure-resource-manager/management/relocation/relocation-backup

    If you have any other queries, please do let us know.

    Thanks,

    Suchitra.
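
A pre-flight check for the three options in the accepted answer, as an added example that is not part of the original thread or Microsoft's code. It assumes the vault JSON printed by `az backup vault show` carries `properties.securitySettings` with `softDeleteSettings.softDeleteState`, `softDeleteSettings.softDeleteRetentionPeriodInDays` and `immutabilitySettings.state`; the function and sample names are hypothetical and the sample vaults are constructed.

```python
import json
import sys


def preflight(vault):
    """Map a vault's security settings to Options A, B and C from the answer."""
    # Assumed field layout (see lead-in); missing values are treated as unknown.
    sec = (vault.get("properties") or {}).get("securitySettings") or {}
    soft = sec.get("softDeleteSettings") or {}
    soft_state = str(soft.get("softDeleteState") or "unknown").lower()
    immut = str((sec.get("immutabilitySettings") or {}).get("state") or "unknown").lower()
    days = soft.get("softDeleteRetentionPeriodInDays")
    wait = f"{days} days" if days is not None else "the configured retention"

    result = {
        "A": (True, f"stop backup with delete data, wait {wait}, re-protect under Standard"),
        "C": (True, "retain data, re-protect in a new vault; old points keep costing storage"),
    }
    # Option B is destructive, so it is offered only when both guards are known
    # to be off or switchable; anything unknown fails closed.
    if immut != "disabled":
        result["B"] = (False, f"immutability state is '{immut}'; deletion is blocked")
    elif soft_state == "alwayson":
        result["B"] = (False, "soft delete is enforced and cannot be disabled")
    elif soft_state == "enabled":
        result["B"] = (True, "disable soft delete, undelete the item, delete again")
    elif soft_state == "disabled":
        result["B"] = (True, "soft delete already off: undelete the item, delete again")
    else:
        result["B"] = (False, "soft delete state not reported; treat as enforced")
    return result


def _vault(soft_state, days, immut_state):
    """Build a constructed sample in the assumed shape."""
    return {"properties": {"securitySettings": {
        "softDeleteSettings": {"softDeleteState": soft_state,
                               "softDeleteRetentionPeriodInDays": days},
        "immutabilitySettings": {"state": immut_state}}}}


ENFORCED = _vault("AlwaysON", 14, "Disabled")    # constructed: soft delete enforced
TOGGLEABLE = _vault("Enabled", 30, "Disabled")   # constructed: toggle still allowed
LOCKED = _vault("Disabled", 14, "Locked")        # constructed: immutability locked

if __name__ == "__main__":
    # Pass a file saved from `az backup vault show ... > vault.json`, or use a sample.
    vault = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else ENFORCED
    for option, (ok, why) in sorted(preflight(vault).items()):
        print(f"Option {option}: {'available' if ok else 'not available'} ({why})")
```

A reported state of `Enabled` does not prove the region still lets you disable soft delete; only the attempt to change the setting confirms that.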


1 additional answer

  1. Jessah Alogon 20 Reputation points
    2025-11-27T07:40:56.7466667+00:00

    Hi @Suchitra Suregaunkar, thank you for your response. I will proceed with Option A since the vault is located in the Southeast Asia region, where toggling soft delete is not supported. Option C is also not applicable because I will continue using the same vault to protect the VM and only the backup policy will be changed.

