Frequently Asked Questions

Azure Backup Policy Basics

What is an Azure Backup Policy and how does it work?

An Azure Backup Policy defines how and when backups are created and retained for Azure workloads. It controls backup frequency (daily, weekly, or as often as every 4 hours for VMs), retention periods (e.g., 30 days for daily, 12 weeks for weekly), and recovery point collection. Policies can be customized or use built-in templates, and once assigned, they enforce consistent data protection and simplify disaster recovery. Note: Each policy is scoped to a specific Recovery Services vault and has a limit on the number of items it can protect (e.g., 100 VMs per policy).

What are the main benefits of using Azure Backup Policies?

Azure Backup Policies provide automated, consistent backup scheduling, granular recovery points, and support for compliance with regulations like GDPR, HIPAA, and ISO 27001. They help optimize storage costs by allowing older backups to be moved to archive tiers and automate onboarding of new resources. Note: Policy-based automation reduces manual errors but requires careful configuration to avoid gaps in protection.

Scheduling, Retention & Recovery

How often can Azure backups be scheduled and what are the retention options?

Azure Backup Policies allow backups as frequently as every 4 hours for VMs (using Enhanced policies), and as often as every 15 minutes for workloads like SQL Server or SAP HANA. Retention can be set for daily, weekly, monthly, and yearly backups (e.g., daily for 30 days, weekly for 12 weeks, monthly for 60 months, yearly for 10 years). Note: The minimum supported schedule is one backup per week; scheduled backups cannot be entirely disabled.

What is Recovery Point Collection (RPC) in Azure Backup?

Recovery Point Collection (RPC) is a feature of Enhanced backup policies for Azure VMs that enables snapshot-based backups with crash consistency. It allows multiple recovery points per day without running a full VM backup each time, improving recovery speed. Snapshots are stored in the same storage account as the VM and are consolidated into less frequent full recovery points as per policy. Note: RPC is only available with Enhanced policies and may not be supported for all VM types.

Can I create on-demand backups in Azure, and how are they managed?

Yes, Azure Backup supports on-demand (ad-hoc) backups in addition to scheduled backups. These can be triggered via the Azure portal, PowerShell, CLI, or REST API. Each on-demand backup requires a specified retention duration. Note: Retention rules from the main policy do not apply to ad-hoc backups; they must be managed separately to avoid unnecessary storage costs.

Security, Compliance & Governance

How do Azure Backup Policies help with compliance and security?

Azure Backup Policies enforce retention rules to meet regulatory requirements (e.g., GDPR, HIPAA, ISO 27001) and support long-term data preservation. Features like immutable vaults prevent deletion of recovery points, and Azure Policy integration enables monitoring and enforcement of backup configurations for audit readiness. Note: Immutability and retention lock must be explicitly enabled and cannot be overridden once set.

What security features are available for Azure backups?

Azure Backup supports encryption in transit and at rest, with Microsoft-managed keys by default and the option for customer-managed keys via Azure Key Vault. Soft-delete is enabled by default, retaining deleted backup data for 14 days at no cost. Multi-user authorization (MUA) can be enabled to require approval for critical operations. Note: Not all features (e.g., MUA, customer-managed keys) are enabled by default and require explicit configuration.

Cost Optimization & Automation

How can Azure Backup Policies help optimize backup storage costs?

Retention settings in Azure Backup Policies allow organizations to move older backups to less expensive archive tiers, exclude nonessential disks, and adjust schedules for less critical workloads. Lifecycle policies can be used to automate these transitions. Note: Cost savings depend on correct policy configuration and regular review of backup needs.

How does N2W enhance Azure backup policy automation and cost management?

N2W extends Azure Backup Policy automation by enabling cross-cloud lifecycle policies, archiving backup data to Azure Blob, AWS S3, or Wasabi with per-VM retention rules—no scripting required. N2W provides unified management of backups across Azure, AWS, and Wasabi from a single dashboard, and can reduce long-term backup costs by over 80% by leveraging tiered storage. Note: N2W's advanced features require deployment and may not be available in native Azure Backup alone.

Advanced Features & Integration

What advanced features does N2W offer for Azure backup management?

N2W offers features such as automated lifecycle policies, unified cross-cloud backup management, faster recovery (including multi-generation restore points and agentless SQL backup), and cross-cloud disaster recovery (DR) for air-gapped protection. Selective disk backup and restore, support for trusted launch VMs, Premium SSD v2, Ultra SSD, and zonal redundancy are also available. Note: Migration from standard to enhanced policy is in preview and may not be generally available.

How does N2W compare to native Azure Backup and AWS Backup?

N2W provides immutable backups, cross-cloud recovery (Azure and AWS), granular restore (file/folder-level), custom DR retention policies, and multi-tenancy support—features not available in AWS Backup or native Azure Backup alone. N2W also offers a RESTful API for automation, integrations with Datadog and Splunk, and cost-saving features like intelligent storage tiering. Note: Native Azure Backup does not support cross-cloud recovery or unified management across multiple clouds.

Implementation & Support

How long does it take to implement N2W for Azure backup automation?

N2W implementations can be completed in as little as two weeks, supported by dedicated Customer Success Managers, onboarding calls, and detailed documentation. A 30-day free trial is available without a credit card. Note: Implementation time may vary based on environment complexity and organizational requirements.

What technical documentation and support resources are available for N2W and Azure backup integration?

N2W provides a comprehensive user guide, release notes, RESTful API documentation, upgrade guides, and IAM permission files for secure deployment. Resources include video tutorials, a knowledge base, and onboarding support. Note: Some advanced features may require consultation with N2W support for optimal configuration.

Limitations & Best Practices

What are the limitations of Azure Backup Policies and N2W automation?

Azure Backup Policies are scoped to a specific vault and have limits on the number of protected items (e.g., 100 VMs per policy). Scheduled backups cannot be fully disabled (minimum is one per week). Migration from standard to enhanced policy is in preview. N2W advanced features require deployment and may not be available in native Azure Backup. For detailed limitations, consult the official documentation or contact N2W support.

Azure Backup Policy: How It Works, Examples and a Tutorial

In this guide, we break down how to use Azure Backup policies, immutable vaults, and recovery point collection like a pro—plus, how N2W can optimize the process.

What Is an Azure Backup Policy? 

Azure backup policies define how and when backups are created and retained for various Azure workloads. They control the frequency, retention periods, and other aspects of backup management, allowing for tailored data protection strategies. These policies dictate the schedule for creating backups, the duration they are stored, and the recovery point collection settings.

Administrators can create custom backup policies based on organizational requirements, or use Azure’s built-in templates. Once assigned to resources, the policy-driven approach enforces consistent data protection, reducing the risk of human error and simplifying disaster recovery processes.

There are several important aspects to understand when working with Azure backup policies:

  • Schedule: Backup policies define the frequency of backups, allowing for options like daily, weekly, monthly, or even more frequent backups (e.g., every 4 hours for VMs). 
  • Retention: Policies specify how long backups are retained, with options for daily, weekly, monthly, and yearly backups. For example, daily backups might be retained for 30 days, while weekly backups could be retained for 12 weeks. 
  • Recovery Point Collection (RPC): In the case of Enhanced policies for VMs, RPCs manage snapshots for instant recovery, allowing for quick data restoration. 
  • On-demand backups: Users can create backups on demand in addition to scheduled backups, allowing for more flexibility. 
  • Immutable vaults: Azure Backup supports immutable vaults, ensuring that recovery points cannot be deleted prematurely, protecting backups against ransomware and other malicious actors. 
  • Azure Policy integration: Azure Policy can be used to enforce organizational standards and assess compliance, including enforcing backup policies for VMs and other resources.

Azure backup policies provide the following benefits for organizations:

  • Data protection: Ensures data is backed up regularly and retained for the necessary duration, protecting against data loss due to hardware failures, accidental deletions, or disasters. 
  • Compliance: Enables compliance with industry regulations and organizational requirements. 
  • Cost optimization: Allows for optimizing backup storage costs by setting appropriate retention periods and moving older backups to less expensive storage tiers. 
  • Automation: Automates the backup process, reducing manual effort and improving consistency.


Benefits of Using Azure Backup Policies 

Azure backup policies offer a structured and automated way to manage backups across Azure resources. Here’s an overview of the key benefits.

Data Protection

Azure backup policies ensure workloads are backed up on consistent schedules, minimizing risks from deletions, hardware failures, or ransomware. Granular recovery points support point-in-time restores, and features like instant restore for VMs enable rapid recovery. Immutable vaults prevent tampering or premature deletion of recovery points.

Compliance

Backup policies enforce retention rules to meet regulatory requirements such as GDPR, HIPAA, and ISO 27001. Long-term retention of monthly and yearly recovery points supports multi-year data preservation. Azure Policy integration enables monitoring and enforcement of backup configurations across resources for audit readiness.

Cost Optimization

Retention settings can be customized to balance protection and cost, with short-term backups kept in standard storage and long-term backups moved to archive tiers. Administrators can exclude nonessential disks and adjust schedules for less critical workloads to reduce storage and operational costs.

Related content: read our guide to Azure Backup Pricing

Automation

Backup schedules and retention rules are applied automatically to resources, reducing manual intervention and errors. Policies can onboard new VMs based on tags or resource groups, and Azure Policy ensures ongoing compliance, simplifying backup management at scale.

Key Aspects of Azure Backup Policies 

Schedule

In Azure Backup, the schedule defines how often recovery points are created. For Azure virtual machines (VMs), standard policies support daily and weekly backup schedules, while Enhanced policies allow for multiple daily backups—up to every 4 hours. 

For workloads like SQL Server or SAP HANA running on Azure VMs, backups can be scheduled as frequently as every 15 minutes using the Azure Backup extension. File shares support daily or weekly backup schedules, and admins can specify the exact time of day for each job, with timezone awareness to align with workload requirements.

A backup schedule determines the frequency and timing of backup jobs. Schedules can be set to trigger backups daily, weekly, or multiple times per day to meet recovery point objectives (RPO).

Retention

Retention rules in Azure Backup policies determine how long each recovery point is kept. Policies support retention for daily, weekly, monthly, and yearly backups, allowing organizations to meet short- and long-term retention requirements. 

For example, admins can configure a policy to retain daily backups for 30 days, weekly backups for 12 weeks, monthly backups for 60 months, and yearly backups for 10 years. Retention can also leverage tiered storage: older recovery points may be moved automatically from the Recovery Services vault to the Azure Archive tier for cost savings.

Recovery Point Collection (RPC)

With Enhanced backup policies for Azure VMs, Recovery Point Collection (RPC) enables snapshot-based backups with crash consistency. RPC allows Azure Backup to take multiple recovery points throughout the day without running a full VM backup every time. 

These snapshots are stored in the same storage account as the VM, providing relatively rapid recovery capability while Azure Backup manages their lifecycle. Older snapshots are consolidated into less frequent full recovery points as per the policy settings.

On-Demand Backups

In addition to scheduled backups, Azure Backup supports ad-hoc, on-demand backups. Administrators can trigger these backups from the Azure portal, PowerShell, Azure CLI, or REST API. 

On-demand backups require specifying a retention duration (e.g., retain for 7 days or retain until a specific date) to avoid cluttering the vault with unnecessary recovery points. This is useful for scenarios like pre-patch snapshots or before major application upgrades.

Immutable Vaults

Azure Backup supports enabling immutability on Recovery Services vaults. When immutability is turned on, recovery points are protected from any deletion, including accidental or malicious deletions by users with vault access. Immutable vaults enforce write-once, read-many (WORM) semantics and support retention lock to ensure compliance with regulatory requirements. Even administrators cannot override immutability once configured.

Azure Policy Integration 

Azure Policy can enforce the presence and configuration of backup policies across subscriptions and resource groups. For example, an organization can deploy a policy that ensures all Azure VMs in a specific scope are backed up to a Recovery Services vault with a defined policy. 

Built-in policy definitions such as “Audit virtual machines without disaster recovery configured” help identify non-compliant resources. Admins can combine Azure Policy with automated assignment of backup policies when new VMs are provisioned.

Azure Backup Built-In Policy Examples 

Azure provides a set of built-in backup policies that simplify the deployment and enforcement of standardized data protection practices across environments. These policies help organizations manage backups based on resource tags, vault configurations, and security requirements. Below are some key examples:

1. Configure VM Backups to a New Recovery Services Vault

This policy targets virtual machines (VMs) with specific tags and automatically backs them up to a newly created Recovery Services vault located in the same resource group. It’s suitable for distributed teams where each group is responsible for its own resource protection.

2. Configure VM Backups to an Existing Vault

This policy enforces backup of all tagged VMs to an existing vault within the same region. It supports centralized management, allowing a shared operations team to maintain consistent backup practices across a subscription.

3. Configure Tagless VM Backups to a New Vault

For VMs without any tags, this policy deploys a new vault in the same resource group and location as the VM. It gives individual application teams control over the backup configuration without relying on a tagging strategy.

4. Configure Tagless VM Backups to an Existing Vault

This policy routes untagged VMs to an existing central vault, enabling a subscription-wide backup strategy. It is particularly useful when a centralized operations team is responsible for ensuring all VMs are protected, regardless of tagging.

5. Use Customer-Managed Keys to Encrypt Backup Data

By default, Azure uses service-managed keys for encryption. This policy enables the use of customer-managed keys stored in Azure Key Vault. It provides greater control over encryption and helps meet compliance requirements that mandate user-controlled cryptographic keys.

6. Use Azure Private Link for Backup Services

This policy enables secure, private connectivity between the network and Azure Backup services, eliminating the need for public IP addresses. By using Azure Private Link, data transfer paths are restricted to the Microsoft backbone network.

7. Configure Private Endpoints for Backup Vaults

Similar to Private Link, this policy configures private endpoints for Recovery Services vaults. It ensures that access to backup data is restricted to authorized private network interfaces.

Tips from the Expert
Adam Bertram
Adam Bertram is a 20-year veteran of IT. He’s an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam focuses on DevOps, system management, and automation technologies as well as various cloud platforms. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam’s articles at adamtheautomator.com, connect on LinkedIn or follow him on X at @adbertram.

Tutorial: Backup an Azure VM Using Enhanced Policy 

To back up an Azure virtual machine using the Enhanced policy, follow the steps below in the Azure portal. Enhanced policies offer features such as higher backup frequency, zonal resiliency, and longer snapshot retention in the operational tier.

  1. Select a recovery services vault
    Open the Azure portal and choose a Recovery Services vault that will manage the VM backup.
  2. Navigate to backup policies
    In the selected vault, go to the Backup section and select Backup Policies. Click on +Add to create a new policy.
  3. Choose the policy type
    When prompted to select a policy type, choose Azure Virtual Machine. Then, under Policy sub-type, select Enhanced to enable the new policy capabilities.
  4. Configure backup schedule
    Users can configure the schedule to back up the VM hourly, daily, or weekly. Hourly schedules allow a minimum recovery point objective (RPO) of 4 hours, with available intervals of 4, 6, 8, 12, or 24 hours. For example, a policy set to back up every 4 hours over a 24-hour period results in 6 snapshots per day.
  5. Set instant restore retention
    Choose how long to retain snapshots in the operational tier. This can range from 1 to 30 days. The default is 7 days. Note that the number of snapshots per day affects the allowed retention period—more frequent snapshots reduce the maximum retention window.
  6. Customize retention settings
    The policy auto-populates default retention for daily (180 days), weekly (12 weeks), monthly (60 months), and yearly (10 years) backup points. Users can adjust these settings as needed.
  7. Finalize and create the policy
    Review the configuration and click Create to deploy the Enhanced policy. Once created, assign the policy to the VM to begin scheduled backups.

Source: Microsoft
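The limits stated in the steps above can be checked before a policy is deployed. The following Python linter is an added example, not code from Microsoft or N2W: it validates a policy document against the allowed hourly intervals and the 1 to 30 day instant restore range, and against a hypothetical retention baseline. The sample policy is constructed, and its key names are an assumption about how an exported VM backup policy is laid out.

```python
import copy
import json

# Constructed sample policy (not from the article). Key names are assumed to
# follow the JSON layout of an exported Azure VM backup policy, where
# policyType "V2" denotes an Enhanced policy; map them to your own export.
SAMPLE_POLICY = json.loads("""
{"name": "enhanced-example", "properties": {
  "policyType": "V2",
  "instantRpRetentionRangeInDays": 45,
  "schedulePolicy": {"scheduleRunFrequency": "Hourly",
    "hourlySchedule": {"interval": 3, "scheduleWindowDuration": 24}},
  "retentionPolicy": {
    "dailySchedule": {"retentionDuration": {"count": 14, "durationType": "Days"}},
    "weeklySchedule": {"retentionDuration": {"count": 12, "durationType": "Weeks"}},
    "monthlySchedule": {"retentionDuration": {"count": 60, "durationType": "Months"}}}
}}
""")

ALLOWED_HOURLY_INTERVALS = {4, 6, 8, 12, 24}  # hours, as listed in step 4
INSTANT_RESTORE_DAYS = range(1, 31)           # 1 to 30 days, default 7
# Hypothetical organisational baseline, borrowed from the article's retention
# example: 30 days, 12 weeks, 60 months, 10 years.
BASELINE = {"dailySchedule": (30, "Days"), "weeklySchedule": (12, "Weeks"),
            "monthlySchedule": (60, "Months"), "yearlySchedule": (10, "Years")}


def snapshots_per_day(policy):
    """Recovery points created per day: schedule window divided by interval."""
    sched = policy["properties"]["schedulePolicy"]
    if sched.get("scheduleRunFrequency") != "Hourly":
        return 1  # daily and weekly schedules run at most once on a given day
    hourly = sched["hourlySchedule"]
    return hourly["scheduleWindowDuration"] // hourly["interval"]


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    props = policy["properties"]
    findings = []
    if props.get("policyType") != "V2":
        findings.append("policy is not of the Enhanced sub-type")
    sched = props["schedulePolicy"]
    if sched.get("scheduleRunFrequency") == "Hourly":
        interval = sched["hourlySchedule"]["interval"]
        if interval not in ALLOWED_HOURLY_INTERVALS:
            findings.append(f"hourly interval {interval}h is not 4, 6, 8, 12 or 24")
    days = props.get("instantRpRetentionRangeInDays", 7)
    if days not in INSTANT_RESTORE_DAYS:
        findings.append(f"instant restore retention of {days} days is outside 1-30")
    retention = props.get("retentionPolicy", {})
    for tier, (minimum, unit) in BASELINE.items():
        duration = retention.get(tier, {}).get("retentionDuration")
        if duration is None:
            findings.append(f"{tier}: not configured, baseline is {minimum} {unit}")
        elif duration["durationType"] != unit or duration["count"] < minimum:
            findings.append(f"{tier}: {duration['count']} {duration['durationType']}"
                            f" is below the baseline of {minimum} {unit}")
    return findings


def corrected_policy():
    """Copy of the sample with every finding fixed, for comparison."""
    fixed = copy.deepcopy(SAMPLE_POLICY)
    props = fixed["properties"]
    props["instantRpRetentionRangeInDays"] = 7
    props["schedulePolicy"]["hourlySchedule"]["interval"] = 4
    retention = props["retentionPolicy"]
    retention["dailySchedule"]["retentionDuration"]["count"] = 30
    retention["yearlySchedule"] = {"retentionDuration": {"count": 10, "durationType": "Years"}}
    return fixed


if __name__ == "__main__":
    for label, pol in (("sample", SAMPLE_POLICY), ("corrected", corrected_policy())):
        print(label, snapshots_per_day(pol), "points/day", lint_policy(pol))
```
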

Additional capabilities

  • Enhanced policy supports trusted launch VMs, Premium SSD v2, Ultra SSD, and zonal redundancy through Zone-redundant storage (ZRS).
  • Selective disk backup and restore is supported. Users can exclude noncritical data disks to reduce backup costs and restore times.
  • VMs with public network access disabled are also supported for backup.
  • Migration from standard to enhanced policy is available in preview, allowing existing protected VMs to benefit from these features.

Azure Backup Policy Best Practices 

Here are some of the ways that organizations can ensure the most effective use of Azure backup policies.

1. Schedule Considerations

When designing backup schedules, it’s important to align the backup frequency with the criticality of the workload. For mission-critical resources, configure the highest available backup frequency to reduce recovery point objectives (RPO). For example, enhanced policies support backups every 4 hours.

To reduce the impact on production workloads, schedule backups during non-peak hours—such as between 2–3 AM. Additionally, to avoid network congestion and performance issues when backing up many virtual machines, stagger backup jobs by creating separate policies. For example, if backing up 500 VMs, consider creating five policies, each assigned to 100 VMs and spaced a few hours apart.

Grouping resources that share the same backup schedule, start time, and retention configuration under a single policy helps maintain consistency and reduces configuration complexity.

2. Retention Considerations

Backup retention falls into two categories: short-term (daily backups) and long-term (weekly, monthly, yearly backups). Use long-term retention when you know in advance that data needs to be stored for extended periods due to compliance or regulatory mandates. Azure Backup supports storing long-term recovery points in the archive tier to optimize storage costs.

On-demand backups can have their own custom retention settings, independent of the policy. This is useful when backups are needed outside the regular schedule, such as before applying critical updates. Note that retention rules defined in the policy do not apply to these ad hoc backups.

3. Optimize Backup Policy

Backup policies should be revisited periodically to align with evolving business requirements. If you increase retention duration, existing recovery points are preserved under the new rule. If you reduce it, older recovery points are marked for deletion in the next cleanup cycle.

When decommissioning resources, consider stopping protection while retaining backup data. This retains existing recovery points for future restore operations. Alternatively, stopping protection and deleting backup data removes all recovery points and disables restores.

Remember that a policy is scoped to a specific vault, and each policy has a limit on the number of items (e.g., 100 VMs). Use multiple policies to scale protection. Note that scheduled backups cannot be entirely disabled; the minimum supported schedule is one backup per week.

4. Security Considerations

Security in Azure Backup includes identity management, encryption, and protection from accidental or malicious deletion.

Use Azure role-based access control (RBAC) to enforce least-privilege access. Assign built-in roles like Backup Contributor, Operator, and Reader to segregate duties and limit permissions based on user responsibilities. For example, monitoring personnel should not have permissions to modify or delete backup data.

Backup data is encrypted both in transit and at rest. Azure uses Microsoft-managed keys by default but supports customer-managed keys for organizations with stricter encryption requirements.

Soft-delete is enabled by default and retains deleted backup data for 14 additional days at no cost, offering protection against accidental or malicious deletion. To prevent tampering with this feature, enable multi-user authorization (MUA), which requires approval from a security administrator before critical operations like disabling soft-delete can proceed.
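The controls in this section can be audited across vaults in one pass. This Python sketch is an added example, not part of the original article or any vendor tooling: it flags vaults where soft delete, MUA or immutability is off, notes where customer-managed keys are absent, and reports monitoring principals that hold more than a read-only role. The inventory is constructed, and its key names and the "function" label are assumptions to be mapped to a real export.

```python
import json

# Constructed inventory (not from the article). Key names are assumed to
# resemble a Recovery Services vault export plus its role assignments, and the
# "function" label on each principal is hypothetical; map both to your data.
VAULTS = json.loads("""
[
 {"name": "rsv-prod-example",
  "securitySettings": {
    "softDeleteSettings": {"softDeleteState": "Enabled",
                           "softDeleteRetentionPeriodInDays": 14},
    "immutabilitySettings": {"state": "Locked"},
    "multiUserAuthorization": "Enabled"},
  "encryption": {"keyVaultProperties": {"keyUri": "https://kv.example.invalid/keys/k1"}},
  "roleAssignments": [
    {"principal": "ops-team", "function": "operations", "role": "Backup Operator"},
    {"principal": "noc-dashboards", "function": "monitoring", "role": "Backup Reader"}]},
 {"name": "rsv-dev-example",
  "securitySettings": {
    "softDeleteSettings": {"softDeleteState": "Disabled"},
    "immutabilitySettings": {"state": "Unlocked"},
    "multiUserAuthorization": "Disabled"},
  "roleAssignments": [
    {"principal": "noc-dashboards", "function": "monitoring", "role": "Backup Contributor"}]}
]
""")

READ_ONLY_ROLES = {"Backup Reader"}  # sufficient for monitoring personnel


def audit_vault(vault):
    """Return (severity, message) findings for one vault."""
    findings = []
    sec = vault.get("securitySettings", {})
    soft = sec.get("softDeleteSettings", {}).get("softDeleteState", "Disabled")
    mua = sec.get("multiUserAuthorization", "Disabled")
    # Assumed state values: Disabled, Unlocked (reversible) or Locked.
    immut = sec.get("immutabilitySettings", {}).get("state", "Disabled")

    if soft == "Disabled":
        findings.append(("high", "soft delete is off: deleted backups are not retained"))
    if mua != "Enabled":
        findings.append(("high", "MUA is off: one admin can disable soft delete alone"))
    if immut == "Disabled":
        findings.append(("high", "vault is not immutable"))
    elif immut != "Locked":
        findings.append(("medium", "immutability is enabled but not locked"))
    if not vault.get("encryption", {}).get("keyVaultProperties", {}).get("keyUri"):
        findings.append(("info", "Microsoft-managed keys in use (the default)"))
    # Least privilege: monitoring staff should not be able to modify or delete.
    for ra in vault.get("roleAssignments", []):
        if ra["function"] == "monitoring" and ra["role"] not in READ_ONLY_ROLES:
            findings.append(("high", f"{ra['principal']} (monitoring) holds {ra['role']}"))
    return findings


def audit(vaults):
    """Map vault name to findings, keeping only vaults that have any."""
    report = {v["name"]: audit_vault(v) for v in vaults}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(VAULTS).items():
        for severity, message in found:
            print(f"{name}: [{severity}] {message}")
```
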

5. Governance Considerations

Governance can be enforced using Azure Policy to ensure backup coverage and compliance at scale. Admins can automatically enable backups for new virtual machines based on resource tags or groupings, ensuring that no resource is left unprotected.

Use built-in policies to auto-enable backups based on organizational ownership models—either centrally managed or delegated to application teams. For compliance tracking, implement audit-only policies that detect resources without backup configured.

Monitoring policies can also configure diagnostic settings for all vaults to send logs to Log Analytics, supporting large-scale visibility and compliance tracking. These governance tools ensure consistent protection and help meet regulatory and operational standards across the Azure environment.

Automating Azure Backup with N2W

Azure Backup Policies help enforce retention rules—but N2W takes it a step further with cross-cloud automation, cost optimization, and faster recovery from a single console.

  • Automated Lifecycle Policies: Archive backup data to Azure Blob, AWS S3, or Wasabi with per-VM retention rules—no scripts needed.
  • Unified Management: Manage backups across Azure, AWS, and Wasabi in one dashboard—no toggling or duplication.
  • Faster Recovery: Restore entire VMs or specific files in seconds, with multi-generation restore points and agentless SQL backup.
  • Cross-Cloud DR: Copy backups between regions and platforms for air-gapped protection—ideal for compliance or ransomware resilience.
  • Major Cost Reduction: Cut long-term backup costs by over 80% by eliminating high and unpredictable licensing fees and using cheaper, tiered Azure Blob storage for backups.

Want smarter backup policies—without more manual work?

🎯 Start your free 30-day trial and automate your Azure backup lifecycle with N2W.
