Commit 1c4f615

Changes after review

David Curwin committed
1 parent 9ca373d commit 1c4f615

5 files changed

+58
-71
lines changed

articles/backup/backup-azure-security-feature-cloud.md

Lines changed: 49 additions & 46 deletions
Original file line numberDiff line numberDiff line change
@@ -8,56 +8,20 @@ ms.date: 04/30/2020
88

99
Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect backup data even after deletion.
1010

11-
One such feature is soft delete. With soft delete, even if a malicious actor deletes the backup of a VM (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days retention of backup data in the "soft delete" state don't incur any cost to the customer.
11+
One such feature is soft delete. With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days retention of backup data in the "soft delete" state don't incur any cost to the customer.
1212

13-
[Soft delete protection for Azure virtual machines](soft-delete-virtual-machines.md) is available to everyone.
13+
[Soft delete protection for Azure virtual machines](soft-delete-virtual-machines.md) and [Soft delete for SQL server in Azure VM and soft delete for SAP HANA in Azure VM workloads](soft-delete-sql-saphana-in-azure-vm.md) are available to everyone.
1414

15-
>[!NOTE]
16-
>[Soft delete for SQL server in Azure VM and soft delete for SAP HANA in Azure VM workloads](soft-delete-sql-saphana-in-azure-vm.md) is now available in preview.<br>
17-
>To sign up for the preview, write to us at [email protected]
15+
This flow chart shows the different steps and states of a backup item when Soft Delete is enabled:
1816

19-
## Frequently asked questions
20-
21-
### Do I need to enable the soft-delete feature on every vault?
22-
23-
No, it's built and enabled by default for all the recovery services vaults.
24-
25-
### Can I configure the number of days for which my data will be retained in soft-deleted state after delete operation is complete?
26-
27-
No, it's fixed to 14 days of additional retention after the delete operation.
28-
29-
### Do I need to pay the cost for this additional 14-day retention?
17+
![Lifecycle of soft-deleted backup item](./media/backup-azure-security-feature-cloud/lifecycle.png)
3018

31-
No, this 14-day additional retention comes for free of cost as a part of soft-delete functionality.
32-
33-
### Can I perform a restore operation when my data is in soft delete state?
34-
35-
No, you need to undelete the soft deleted resource in order to restore. The undelete operation will bring the resource back into the **Stop protection with retain data state** where you can restore to any point in time. Garbage collector remains paused in this state.
36-
37-
### Will my snapshots follow the same lifecycle as my recovery points in the vault?
38-
39-
Yes.
40-
41-
### How can I trigger the scheduled backups again for a soft-deleted resource?
42-
43-
Undelete followed by resume operation will protect the resource again. Resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that is past its expiry date, you're advised to do it before triggering the resume operation.
44-
45-
### Can I delete my vault if there are soft deleted items in the vault?
46-
47-
The Recovery Services vault can't be deleted if there are backup items in soft-deleted state in the vault. The soft-deleted items are permanently deleted 14 days after the delete operation. If you can't wait for 14 days, then [disable soft delete](#disabling-soft-delete), undelete the soft deleted items, and delete them again to permanently get deleted. After ensuring there are no protected items and no soft deleted items, the vault can be deleted.
48-
49-
### Can I delete the data earlier than the 14 days soft-delete period after deletion?
50-
51-
No. You can't force delete the soft-deleted items, they're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 day before performing any other action on the VM. Soft-deleted items won' be charged. If you need reprotecting the VMs marked for soft-delete within 14 days to a new vault, then contact Microsoft support.
52-
53-
### Can soft delete operations be performed in PowerShell or CLI?
54-
55-
Soft delete operations can be performed using PowerShell. Currently, CLI is not supported.
56-
57-
## Disabling soft delete
19+
## Enabling and disabling soft delete
5820

5921
Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) Only the vault owner can disable this feature. If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state before disabling this feature, will remain in soft deleted state for the period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get permanently deleted.
6022

23+
It's important to remember that once soft delete is disabled, the feature is disabled for all the types of workloads, including virtual machines. For example, once the preview is enabled for a subscription it is not possible to disable soft delete only for SQL server or SAP HANA DBs while keeping it enabled for virtual machines in the same vault. You can create separate vaults for granular control.
24+
6125
### Disabling soft delete using Azure portal
6226

6327
To disable soft delete, follow these steps:
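
Review bot: The added paragraph at new line 23 still says "once the preview is enabled for a subscription", but this same hunk deletes the preview note (old lines 15-17) and states at new line 13 that soft delete for SQL Server and SAP HANA is available to everyone. Drop the preview clause so the sentence only says that soft delete can't be disabled for SQL Server or SAP HANA databases alone while it stays enabled for virtual machines in the same vault. Separately, the heading at new line 19 becomes "Enabling and disabling soft delete", yet the visible text under it covers only disabling; either add the re-enable step or keep the heading scoped to disabling.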
@@ -98,10 +62,11 @@ Backup data in soft deleted state prior disabling this feature, will remain in s
9862

9963
Follow these steps:
10064

101-
1. Follow the steps to [disable soft delete](#disabling-soft-delete).
102-
2. In the Azure portal, go to your vault, go to **Backup Items**, and choose the soft deleted VM.
65+
1. Follow the steps to [disable soft delete](#enabling-and-disabling-soft-delete).
66+
67+
2. In the Azure portal, go to your vault, go to **Backup Items**, and choose the soft deleted item.
10368

104-
![Choose soft deleted VM](./media/backup-azure-security-feature-cloud/vm-soft-delete.png)
69+
![Choose soft deleted item](./media/backup-azure-security-feature-cloud/vm-soft-delete.png)
10570

10671
3. Select the option **Undelete**.
10772
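
Review bot: The step text and alt text at new lines 67 and 69 now say "item", but the image reference is still vm-soft-delete.png; confirm the screenshot is accurate for SQL Server and SAP HANA items as well, or replace it so the generalized wording and the picture agree. The empty line added at new line 66 separates step 1 from step 2; check that the numbered list still renders as one continuous list.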

@@ -166,6 +131,44 @@ If items were deleted before soft-delete was disabled, then they will be in a so
166131
2. Then disable the soft-delete functionality using REST API using the steps mentioned [here](use-restapi-update-vault-properties.md#update-soft-delete-state-using-rest-api).
167132
3. Then delete the backups using REST API as mentioned [here](backup-azure-arm-userestapi-backupazurevms.md#stop-protection-and-delete-data).
168133

134+
## Frequently asked questions
135+
136+
### Do I need to enable the soft-delete feature on every vault?
137+
138+
No, it's built-in and enabled by default for all the recovery services vaults.
139+
140+
### Can I configure the number of days for which my data will be retained in soft-deleted state after the delete operation is complete?
141+
142+
No, it's fixed to 14 days of additional retention after the delete operation.
143+
144+
### Do I need to pay the cost for this additional 14-day retention?
145+
146+
No, this 14-day additional retention comes free of cost as a part of soft-delete functionality.
147+
148+
### Can I perform a restore operation when my data is in soft delete state?
149+
150+
No, you need to undelete the soft deleted resource in order to restore. The undelete operation will bring the resource back into the **Stop protection with retain data state** where you can restore to any point in time. Garbage collector remains paused in this state.
151+
152+
### Will my snapshots follow the same lifecycle as my recovery points in the vault?
153+
154+
Yes.
155+
156+
### How can I trigger the scheduled backups again for a soft-deleted resource?
157+
158+
Undelete followed by a resume operation will protect the resource again. The resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that is past its expiration date, you're advised to do it before triggering the resume operation.
159+
160+
### Can I delete my vault if there are soft deleted items in the vault?
161+
162+
The Recovery Services vault can't be deleted if there are backup items in soft-deleted state in the vault. The soft-deleted items are permanently deleted 14 days after the delete operation. If you can't wait for 14 days, then [disable soft delete](#enabling-and-disabling-soft-delete), undelete the soft deleted items, and delete them again to permanently get deleted. After ensuring there are no protected items and no soft deleted items, the vault can be deleted.
163+
164+
### Can I delete the data earlier than the 14 days soft-delete period after deletion?
165+
166+
No. You can't force delete the soft-deleted items. They're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 days before performing any other action on the item. Soft-deleted items won't be charged. If you need to reprotect the items marked for soft-delete within 14 days in a new vault, then contact Microsoft support.
167+
168+
### Can soft delete operations be performed in PowerShell or CLI?
169+
170+
Soft delete operations can be performed using PowerShell. Currently, CLI is not supported.
171+
169172
## Next steps
170173

171174
- [Overview of security features in Azure Backup](security-overview.md)
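
Review bot: The FAQ answer at new line 166 says "You can't force delete the soft-deleted items", while the answer at new line 162 tells the reader to disable soft delete, undelete, and delete again to remove items before the 14 days are up. A reader hitting both answers gets conflicting guidance on a security control; reword line 166 to say that items can't be force deleted while soft delete is enabled and link to the permanent-deletion procedure. At new line 150 the bold span "**Stop protection with retain data state**" includes the word "state"; bold only the state name.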

articles/backup/backup-create-rs-vault.md

Lines changed: 1 addition & 1 deletion
@@ -116,7 +116,7 @@ We highly recommend you review the default settings for **Storage Replication ty
116116

117117
- **Storage Replication type** by default is set to **Geo-redundant**. Once you configure the backup, the option to modify is disabled. Follow these [steps](https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-storage-redundancy) to review and modify the settings.
118118

119-
- **Soft delete** by default is **Enabled** on newly created vaults to protect backup data from accidental or malicious deletes. Follow these [steps](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#disabling-soft-delete) to review and modify the settings.
119+
- **Soft delete** by default is **Enabled** on newly created vaults to protect backup data from accidental or malicious deletes. Follow these [steps](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#enabling-and-disabling-soft-delete) to review and modify the settings.
120120

121121
## Next steps
122122
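
Review bot: The updated link at new line 119 keeps the absolute https://docs.microsoft.com/azure/backup/... URL, whereas the other files in this commit reference the same anchor with a relative link (backup-azure-security-feature-cloud.md#enabling-and-disabling-soft-delete). Switch to the relative form so the link is checked at build time and the next heading rename doesn't leave a dead anchor; the same applies to the storage redundancy link at line 117.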

articles/backup/soft-delete-sql-saphana-in-azure-vm.md

Lines changed: 3 additions & 19 deletions
@@ -72,20 +72,14 @@ These instructions also apply to SAP HANA in Azure VM.
7272

7373
![Undelete warning](./media/soft-delete-sql-saphana-in-azure-vm/undelete-warning.png)
7474

75-
5. At this point, you can also restore the VM by selecting **Restore VM** from the chosen restore point.
75+
5. At this point, you can also restore the data by selecting **Restore VM** for the chosen restore point.
7676

7777
![Restore VM](./media/soft-delete-sql-saphana-in-azure-vm/restore-vm.png)
7878

7979
6. After the undelete process is completed, the status will return to “Stop backup with retain data” and then you can choose **Resume backup**. The **Resume backup** operation brings back the backup item in the active state, associated with a backup policy selected by the user defining the backup and retention schedules.
8080

8181
![Resume backup](./media/soft-delete-sql-saphana-in-azure-vm/resume-backup.png)
8282

83-
## How to disable soft delete
84-
85-
Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) Only a Backup Administrator can disable this feature. To disable soft delete, disable the button under **Vault properties** > **Security settings** for the given vault. It's important to remember that once the button is disabled, the feature is disabled for all the workloads including virtual machines. Once enabled in preview (according to the safelisting steps), there's no way to disable soft delete only for SQL server or SAP HANA DBs while keeping it enabled for virtual machines in the same vault.
86-
87-
![Disable soft delete](./media/soft-delete-sql-saphana-in-azure-vm/disable-soft-delete.png)
88-
8983
## Soft delete for SQL server in VM using Azure PowerShell
9084

9185
>[!NOTE]
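
Review bot: The section removed at old lines 83-87 states "Only a Backup Administrator can disable this feature", while the consolidated section in backup-azure-security-feature-cloud.md (new line 21) says "Only the vault owner can disable this feature". With this removal the Backup Administrator wording disappears without the discrepancy being resolved; confirm which role is actually required and state it once in the consolidated section, since readers rely on it to scope who can turn off this protection. At new line 75, "restore the data by selecting **Restore VM**" mixes a database restore with a VM-labelled button; check the label against the portal for SQL Server and SAP HANA items.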
@@ -121,19 +115,9 @@ Undo-AzRecoveryServicesBackupItemDeletion -Item $myBKpItem -VaultId $myVaultID -
121115

122116
The **DeleteState** of the backup item will revert to **NotDeleted**. But the protection is still stopped. Resume the backup to re-enable the protection.
123117

124-
### Disabling soft delete using Azure PowerShell
125-
126-
To disable, use the [Set-AzRecoveryServicesVaultBackupProperty](https://docs.microsoft.com/powershell/module/az.recoveryservices/set-azrecoveryservicesbackupproperty?view=azps-3.1.0) PS cmdlet.
127-
128-
```powershell
129-
Set-AzRecoveryServicesVaultProperty -VaultId $myVaultID -SoftDeleteFeatureState Disable
130-
```
131-
132-
Points to note:
118+
## How to disable soft delete
133119

134-
1. If any soft-deleted backup items are present in the vault, the vault can't be deleted at that time. Try vault deletion after the backup items are permanently deleted, and there are no items in the soft deleted state left in the vault. To permanently delete soft deleted items, see [here](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#permanently-deleting-soft-deleted-backup-items).
135-
2. The **Soft Delete** button under Vault properties has to be enabled (it's enabled by default for all the vaults) along with subscription safelisting (as mentioned in the steps above) to get the soft delete preview enabled for SQL Server and SAP HANA Databases running in VMs.
136-
3. All the points and steps mentioned in the doc apply to both SQL server and SAP HANA databases running in virtual machines.
120+
Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) For instructions on how to disable soft delete, see [Enabling and disabling soft delete](backup-azure-security-feature-cloud.md#enabling-and-disabling-soft-delete).
137121

138122
## Next steps
139123
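
Review bot: Old lines 124-130 carried the only PowerShell example for disabling soft delete on this page, and the replacement at new line 120 is just a link to the consolidated section. Verify that the linked section includes the PowerShell path for these workloads, otherwise PowerShell users lose the instruction. The removed text was also inconsistent (link text Set-AzRecoveryServicesVaultBackupProperty, command Set-AzRecoveryServicesVaultProperty), so make sure the surviving copy uses the correct cmdlet name. Minor: in "(such as in a test environment.)" at new line 120 the period belongs outside the closing parenthesis.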

articles/backup/soft-delete-virtual-machines.md

Lines changed: 4 additions & 4 deletions
@@ -52,10 +52,6 @@ Soft delete is currently supported in the West Central US, East Asia, Canada Cen
5252

5353
![Screenshot of Azure portal, Resume backup option](./media/backup-azure-security-feature-cloud/resume-backup.png)
5454

55-
This flow chart shows the different steps and states of a backup item when Soft Delete is enabled:
56-
57-
![Lifecycle of soft-deleted backup item](./media/backup-azure-security-feature-cloud/lifecycle.png)
58-
5955
## Soft delete for VMs using Azure PowerShell
6056

6157
> [!IMPORTANT]
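
Review bot: Removing the lifecycle flow chart at old lines 55-57 leaves the VM page with no description of, or pointer to, the soft delete states it goes on to reference (for example DeleteState in the PowerShell section). Add a one-line link to the lifecycle diagram in backup-azure-security-feature-cloud.md where the image used to be.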
@@ -109,6 +105,10 @@ The 'DeleteState' of the backup item will revert to 'NotDeleted'. But the protec
109105
- Delete the backups using REST API as mentioned [here](backup-azure-arm-userestapi-backupazurevms.md#stop-protection-and-delete-data).
110106
- If user wishes to undo these delete operations, refer to steps mentioned [here](backup-azure-arm-userestapi-backupazurevms.md#undo-the-stop-protection-and-delete-data).
111107

108+
## How to disable soft delete
109+
110+
Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) For instructions on how to disable soft delete, see [Enabling and disabling soft delete](backup-azure-security-feature-cloud.md#enabling-and-disabling-soft-delete).
111+
112112
## Next steps
113113

114114
- Read about [Security controls for Azure Backup](backup-security-controls.md).
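
Review bot: The paragraph added at new lines 108-110 is a verbatim copy of the one added to soft-delete-sql-saphana-in-azure-vm.md in this commit, and the heading "How to disable soft delete" promises steps that the section doesn't contain. Either move the shared text into an include file or reduce both copies to a single sentence that links to the consolidated section, and consider a heading such as "Disabling soft delete" that matches the content. The "(such as in a test environment.)" punctuation issue applies here too.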

articles/backup/toc.yml

Lines changed: 1 addition & 1 deletion
@@ -342,7 +342,7 @@
342342
href: security-overview.md
343343
- name: Role-Based Access Control
344344
href: backup-rbac-rs-vault.md
345-
- name: Soft delete for cloud backups
345+
- name: Soft delete
346346
items:
347347
- name: Overview
348348
href: backup-azure-security-feature-cloud.md
