Refactor backup to use blob storage and enhance restore

Backups are now stored as blobs in Azure Storage with table entities referencing the blob URLs, improving scalability and performance. The backup listing, creation, and retention cleanup functions have been updated to handle blob-based backups, including proper cleanup of both blob files and table entries. Restore logic is enhanced to fetch and parse blob content, and restoration tasks now provide more detailed feedback and error handling. These changes modernize the backup/restore pipeline and improve reliability for large backup data.

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecListBackup.ps1

@@ -31,11 +31,22 @@ function Invoke-ExecListBackup {
                     Items        = $properties.Name
                 }
             } else {
+                # Prefer stored indicator (BackupIsBlob) to avoid reading Backup field
+                $isBlob = $false
+                if ($null -ne $item.PSObject.Properties['BackupIsBlob']) {
+                    try { $isBlob = [bool]$item.BackupIsBlob } catch { $isBlob = $false }
+                } else {
+                    # Fallback heuristic for legacy rows if property missing
+                    if ($null -ne $item.PSObject.Properties['Backup']) {
+                        $b = $item.Backup
+                        if ($b -is [string] -and ($b -like 'https://*' -or $b -like 'http://*')) { $isBlob = $true }
+                    }
+                }
                 [PSCustomObject]@{
                     BackupName = $item.RowKey
                     Timestamp  = $item.Timestamp
+                    Source     = if ($isBlob) { 'blob' } else { 'table' }
                 }
-
             }
         }
         $Result = $Processed | Sort-Object Timestamp -Descending

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecRestoreBackup.ps1

@@ -12,13 +12,26 @@ function Invoke-ExecRestoreBackup {
     try {
 
         if ($Request.Body.BackupName -like 'CippBackup_*') {
-            $Table = Get-CippTable -tablename 'CIPPBackup'
-            $Backup = Get-CippAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.BackupName)' or OriginalEntityId eq '$($Request.Body.BackupName)'"
+            # Use Get-CIPPBackup which already handles fetching from blob storage
+            $Backup = Get-CIPPBackup -Type 'CIPP' -Name $Request.Body.BackupName
             if ($Backup) {
-                $BackupData = $Backup.Backup | ConvertFrom-Json -ErrorAction SilentlyContinue | Select-Object * -ExcludeProperty ETag, Timestamp
+                $raw = $Backup.Backup
+                $BackupData = $null
+
+                # Get-CIPPBackup already fetches blob content, so raw should be JSON string
+                try {
+                    if ($raw -is [string]) {
+                        $BackupData = $raw | ConvertFrom-Json -ErrorAction Stop
+                    } else {
+                        $BackupData = $raw | Select-Object * -ExcludeProperty ETag, Timestamp
+                    }
+                } catch {
+                    throw "Failed to parse backup JSON: $($_.Exception.Message)"
+                }
+
                 $BackupData | ForEach-Object {
                     $Table = Get-CippTable -tablename $_.table
-                    $ht2 = @{ }
+                    $ht2 = @{}
                     $_.psobject.properties | ForEach-Object { $ht2[$_.Name] = [string]$_.Value }
                     $Table.Entity = $ht2
                     Add-CIPPAzDataTableEntity @Table -Force

Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-BackupRetentionCleanup.ps1

@@ -13,12 +13,12 @@ function Start-BackupRetentionCleanup {
         $ConfigTable = Get-CippTable -tablename Config
         $Filter = "PartitionKey eq 'BackupRetention' and RowKey eq 'Settings'"
         $RetentionSettings = Get-CIPPAzDataTableEntity @ConfigTable -Filter $Filter
-        
+
         # Default to 30 days if not set
-        $RetentionDays = if ($RetentionSettings.RetentionDays) { 
-            [int]$RetentionSettings.RetentionDays 
-        } else { 
-            30 
+        $RetentionDays = if ($RetentionSettings.RetentionDays) {
+            [int]$RetentionSettings.RetentionDays
+        } else {
+            30
         }
 
         # Ensure minimum retention of 7 days
@@ -27,24 +27,67 @@ function Start-BackupRetentionCleanup {
         }
 
         Write-Host "Starting backup cleanup with retention of $RetentionDays days"
-        
+
         # Calculate cutoff date
         $CutoffDate = (Get-Date).AddDays(-$RetentionDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-        
+
         $DeletedCounts = [System.Collections.Generic.List[int]]::new()
 
         # Clean up CIPP Backups
         if ($PSCmdlet.ShouldProcess('CIPPBackup', 'Cleaning up old backups')) {
             $CIPPBackupTable = Get-CippTable -tablename 'CIPPBackup'
-            $Filter = "PartitionKey eq 'CIPPBackup' and Timestamp lt datetime'$CutoffDate'"
-            
-            $OldCIPPBackups = Get-AzDataTableEntity @CIPPBackupTable -Filter $Filter -Property @('PartitionKey', 'RowKey', 'ETag')
-            
-            if ($OldCIPPBackups) {
-                Write-Host "Found $($OldCIPPBackups.Count) old CIPP backups to delete"
-                Remove-AzDataTableEntity @CIPPBackupTable -Entity $OldCIPPBackups -Force
-                $DeletedCounts.Add($OldCIPPBackups.Count)
-                Write-LogMessage -API 'BackupRetentionCleanup' -message "Deleted $($OldCIPPBackups.Count) old CIPP backups" -Sev 'Info'
+            $CutoffFilter = "PartitionKey eq 'CIPPBackup' and Timestamp lt datetime'$CutoffDate'"
+
+            # Delete blob files
+            $BlobFilter = "$CutoffFilter and BackupIsBlob eq true"
+            $BlobBackups = Get-AzDataTableEntity @CIPPBackupTable -Filter $BlobFilter -Property @('PartitionKey', 'RowKey', 'Backup')
+
+            $BlobDeletedCount = 0
+            if ($BlobBackups) {
+                foreach ($Backup in $BlobBackups) {
+                    if ($Backup.Backup) {
+                        try {
+                            $BlobPath = $Backup.Backup
+                            # Extract container/blob path from URL
+                            if ($BlobPath -like '*:10000/*') {
+                                # Azurite format: http://host:10000/devstoreaccount1/container/blob
+                                $parts = $BlobPath -split ':10000/'
+                                if ($parts.Count -gt 1) {
+                                    # Remove account name to get container/blob
+                                    $BlobPath = ($parts[1] -split '/', 2)[-1]
+                                }
+                            } elseif ($BlobPath -like '*blob.core.windows.net/*') {
+                                # Azure Storage format: https://account.blob.core.windows.net/container/blob
+                                $BlobPath = ($BlobPath -split '.blob.core.windows.net/', 2)[-1]
+                            }
+                            $null = New-CIPPAzStorageRequest -Service 'blob' -Resource $BlobPath -Method 'DELETE' -ConnectionString $ConnectionString
+                            $BlobDeletedCount++
+                            Write-Host "Deleted blob: $BlobPath"
+                        } catch {
+                            Write-LogMessage -API 'BackupRetentionCleanup' -message "Failed to delete blob $($Backup.Backup): $($_.Exception.Message)" -Sev 'Warning'
+                        }
+                    }
+                }
+                # Delete blob table entities
+                Remove-AzDataTableEntity @CIPPBackupTable -Entity $BlobBackups -Force
+            }
+
+            # Delete table-only backups (no blobs)
+            # Fetch all old entries and filter out blob entries client-side (null check is unreliable in filters)
+            $AllOldBackups = Get-AzDataTableEntity @CIPPBackupTable -Filter $CutoffFilter -Property @('PartitionKey', 'RowKey', 'ETag', 'BackupIsBlob')
+            $TableBackups = $AllOldBackups | Where-Object { $_.BackupIsBlob -ne $true }
+
+            $TableDeletedCount = 0
+            if ($TableBackups) {
+                Remove-AzDataTableEntity @CIPPBackupTable -Entity $TableBackups -Force
+                $TableDeletedCount = ($TableBackups | Measure-Object).Count
+            }
+
+            $TotalDeleted = $BlobDeletedCount + $TableDeletedCount
+            if ($TotalDeleted -gt 0) {
+                $DeletedCounts.Add($TotalDeleted)
+                Write-LogMessage -API 'BackupRetentionCleanup' -message "Deleted $TotalDeleted old CIPP backups ($BlobDeletedCount blobs, $TableDeletedCount table entries)" -Sev 'Info'
+                Write-Host "Deleted $TotalDeleted old CIPP backups"
             } else {
                 Write-Host 'No old CIPP backups found'
             }
@@ -53,23 +96,66 @@ function Start-BackupRetentionCleanup {
         # Clean up Scheduled/Tenant Backups
         if ($PSCmdlet.ShouldProcess('ScheduledBackup', 'Cleaning up old backups')) {
             $ScheduledBackupTable = Get-CippTable -tablename 'ScheduledBackup'
-            $Filter = "PartitionKey eq 'ScheduledBackup' and Timestamp lt datetime'$CutoffDate'"
-            
-            $OldScheduledBackups = Get-AzDataTableEntity @ScheduledBackupTable -Filter $Filter -Property @('PartitionKey', 'RowKey', 'ETag')
-            
-            if ($OldScheduledBackups) {
-                Write-Host "Found $($OldScheduledBackups.Count) old tenant backups to delete"
-                Remove-AzDataTableEntity @ScheduledBackupTable -Entity $OldScheduledBackups -Force
-                $DeletedCounts.Add($OldScheduledBackups.Count)
-                Write-LogMessage -API 'BackupRetentionCleanup' -message "Deleted $($OldScheduledBackups.Count) old tenant backups" -Sev 'Info'
+            $CutoffFilter = "PartitionKey eq 'ScheduledBackup' and Timestamp lt datetime'$CutoffDate'"
+
+            # Delete blob files
+            $BlobFilter = "$CutoffFilter and BackupIsBlob eq true"
+            $BlobBackups = Get-AzDataTableEntity @ScheduledBackupTable -Filter $BlobFilter -Property @('PartitionKey', 'RowKey', 'Backup')
+
+            $BlobDeletedCount = 0
+            if ($BlobBackups) {
+                foreach ($Backup in $BlobBackups) {
+                    if ($Backup.Backup) {
+                        try {
+                            $BlobPath = $Backup.Backup
+                            # Extract container/blob path from URL
+                            if ($BlobPath -like '*:10000/*') {
+                                # Azurite format: http://host:10000/devstoreaccount1/container/blob
+                                $parts = $BlobPath -split ':10000/'
+                                if ($parts.Count -gt 1) {
+                                    # Remove account name to get container/blob
+                                    $BlobPath = ($parts[1] -split '/', 2)[-1]
+                                }
+                            } elseif ($BlobPath -like '*blob.core.windows.net/*') {
+                                # Azure Storage format: https://account.blob.core.windows.net/container/blob
+                                $BlobPath = ($BlobPath -split '.blob.core.windows.net/', 2)[-1]
+                            }
+                            $null = New-CIPPAzStorageRequest -Service 'blob' -Resource $BlobPath -Method 'DELETE' -ConnectionString $ConnectionString
+                            $BlobDeletedCount++
+                            Write-Host "Deleted blob: $BlobPath"
+                        } catch {
+                            Write-LogMessage -API 'BackupRetentionCleanup' -message "Failed to delete blob $($Backup.Backup): $($_.Exception.Message)" -Sev 'Warning'
+                        }
+                    }
+                }
+                # Delete blob table entities
+                Remove-AzDataTableEntity @ScheduledBackupTable -Entity $BlobBackups -Force
+            }
+
+            # Delete table-only backups (no blobs)
+            # Fetch all old entries and filter out blob entries client-side (null check is unreliable in filters)
+            $AllOldBackups = Get-AzDataTableEntity @ScheduledBackupTable -Filter $CutoffFilter -Property @('PartitionKey', 'RowKey', 'ETag', 'BackupIsBlob')
+            $TableBackups = $AllOldBackups | Where-Object { $_.BackupIsBlob -ne $true }
+
+            $TableDeletedCount = 0
+            if ($TableBackups) {
+                Remove-AzDataTableEntity @ScheduledBackupTable -Entity $TableBackups -Force
+                $TableDeletedCount = ($TableBackups | Measure-Object).Count
+            }
+
+            $TotalDeleted = $BlobDeletedCount + $TableDeletedCount
+            if ($TotalDeleted -gt 0) {
+                $DeletedCounts.Add($TotalDeleted)
+                Write-LogMessage -API 'BackupRetentionCleanup' -message "Deleted $TotalDeleted old tenant backups ($BlobDeletedCount blobs, $TableDeletedCount table entries)" -Sev 'Info'
+                Write-Host "Deleted $TotalDeleted old tenant backups"
             } else {
                 Write-Host 'No old tenant backups found'
             }
         }
 
         $TotalDeleted = ($DeletedCounts | Measure-Object -Sum).Sum
         Write-LogMessage -API 'BackupRetentionCleanup' -message "Backup cleanup completed. Total backups deleted: $TotalDeleted (retention: $RetentionDays days)" -Sev 'Info'
-        
+
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -API 'BackupRetentionCleanup' -message "Failed to run backup cleanup: $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage

Modules/CIPPCore/Public/Get-CIPPBackup.ps1

@@ -18,7 +18,15 @@ function Get-CIPPBackup {
     }
 
     if ($NameOnly.IsPresent) {
-        $Table.Property = @('RowKey')
+        if ($Type -ne 'Scheduled') {
+            $Table.Property = @('RowKey', 'Timestamp', 'BackupIsBlob')
+        } else {
+            $Table.Property = @('RowKey', 'Timestamp')
+        }
+    }
+
+    if ($TenantFilter -and $TenantFilter -ne 'AllTenants') {
+        $Conditions.Add("RowKey gt '$($TenantFilter)' and RowKey lt '$($TenantFilter)~'")
     }
 
     $Filter = $Conditions -join ' and '
@@ -27,13 +35,60 @@ function Get-CIPPBackup {
 
     if ($NameOnly.IsPresent) {
         $Info = $Info | Where-Object { $_.RowKey -notmatch '-part[0-9]+$' }
-        if ($TenantFilter) {
-            $Info = $Info | Where-Object { $_.RowKey -match "^$($TenantFilter)_" }
-        }
     } else {
         if ($TenantFilter -and $TenantFilter -ne 'AllTenants') {
             $Info = $Info | Where-Object { $_.TenantFilter -eq $TenantFilter }
         }
     }
+
+    # Augment results with blob-link awareness and fetch blob content when needed
+    if (-not $NameOnly.IsPresent -and $Info) {
+        foreach ($item in $Info) {
+            $isBlobLink = $false
+            $blobPath = $null
+            if ($null -ne $item.PSObject.Properties['Backup']) {
+                $b = $item.Backup
+                if ($b -is [string] -and ($b -like 'https://*' -or $b -like 'http://*')) {
+                    $isBlobLink = $true
+                    $blobPath = $b
+
+                    # Fetch the actual backup content from blob storage
+                    try {
+                        # Extract container/blob path from URL
+                        $resourcePath = $blobPath
+                        if ($resourcePath -like '*:10000/*') {
+                            # Azurite format: http://host:10000/devstoreaccount1/container/blob
+                            $parts = $resourcePath -split ':10000/'
+                            if ($parts.Count -gt 1) {
+                                # Remove account name to get container/blob
+                                $resourcePath = ($parts[1] -split '/', 2)[-1]
+                            }
+                        } elseif ($resourcePath -like '*blob.core.windows.net/*') {
+                            # Azure Storage format: https://account.blob.core.windows.net/container/blob
+                            $resourcePath = ($resourcePath -split '.blob.core.windows.net/', 2)[-1]
+                        }
+
+                        # Download the blob content
+                        $ConnectionString = $env:AzureWebJobsStorage
+                        $blobResponse = New-CIPPAzStorageRequest -Service 'blob' -Resource $resourcePath -Method 'GET' -ConnectionString $ConnectionString
+
+                        if ($blobResponse -and $blobResponse.Bytes) {
+                            $backupContent = [System.Text.Encoding]::UTF8.GetString($blobResponse.Bytes)
+                            # Replace the URL with the actual backup content
+                            $item.Backup = $backupContent
+                            Write-Verbose "Successfully retrieved backup content from blob storage for $($item.RowKey)"
+                        } else {
+                            Write-Warning "Failed to retrieve backup content from blob storage for $($item.RowKey)"
+                        }
+                    } catch {
+                        Write-Warning "Error fetching backup from blob storage: $($_.Exception.Message)"
+                        # Leave the URL in place if we can't fetch the content
+                    }
+                }
+            }
+            $item | Add-Member -NotePropertyName 'BackupIsBlobLink' -NotePropertyValue $isBlobLink -Force
+            $item | Add-Member -NotePropertyName 'BlobResourcePath' -NotePropertyValue $blobPath -Force
+        }
+    }
     return $Info
 }