Restoring Azure VMs and Files

For Azure, you can restore full VMs, restore guest files and folders, and restore a disk and attach it to an existing VM.

End User Restores

End users can restore VMs either in place or out of place. For this scenario, the VM display name option is the only value the user can change on the Restore options dialog box.

Users can also restore a virtual machine disk to an existing VM. The disks are restored and attached to the destination VM.

If the VM display name is the same as an existing VM on the destination, the restore fails.


  • An application security group (ASG) is retained on a restored VM only if the VM is restored to the same network. If the VM is restored to a different region or a different network, then the ASG is not retained.

  • For Azure managed disks that have virtual machines configured with Availability Zones in their Azure regions:

    • If the selected region of the destination VM supports Availability Zones, the Availability Zone information will be restored to the destination VM. The restore completes successfully.

    • If the selected region of the destination VM does not support Availability Zones, the Availability Zone information will not be restored to the destination VM. The restore completes successfully.

  • You can back up and restore Azure managed disks that are enabled with encryption at host. This capability applies to Azure managed disks that reside on Windows or Linux VMs.

  • Restores to different hypervisors are supported when a VM is encrypted with customer-managed encryption keys.

  • If a virtual machine is encrypted using Azure Key Vault:

    • Full VM restores are supported per source subscription. However, restores of encrypted VMs to a different subscription are not supported due to an Azure limitation with restoring Key Vault across subscriptions.

    • Restoring to a different region under the same subscription will create a new key vault automatically, and the restore job will complete successfully. For more information, see AZR0002: Out of place VM restore to different region might fail when source VM is encrypted.

    • Keys and secrets are not accessible to subscription users by default when the Key Vault itself is restored. The restore operation will add only the application's service principal in the Key Vault access control as an authorized user. If necessary, the subscription administrator can make changes to these permissions using the Azure portal.

    • Microsoft restrictions for virtual machines encrypted using Azure Key Vault also apply to encrypted Azure virtual machines in your Commcell environment for restoring your virtual machine and Key Vault. For more information, see Azure Key Vault.

For VMs encrypted with customer-managed encryption keys, full VM restores complete successfully; however, for full VM restores from streaming backups, the customer-managed encryption key settings or disk encryption sets (DES) are not applied to the destination VM. You must manually apply the DES settings to the destination VM. For more information, see Configuring Disk Encryption Sets on Destination VM.

  • During full VM restores, a storage account must exist in the region of the restored VM (an Azure Standard or Premium general-purpose storage account). This account acts as a staging area when VM is restored as managed VM.