Microsoft automatically backs up every Azure SQL Database—but automatic does not mean complete. According to Microsoft's Azure documentation, built-in backups cover point-in-time restore within a configurable window of up to 35 days. They do not provide an independent, air-gapped copy or protection against ransomware that corrupts data across the retention window. For organizations operating under compliance mandates or facing sophisticated cyber threats, that gap matters.
Azure SQL runs across three distinct deployment models—Azure SQL Database (PaaS), Azure SQL Managed Instance, and SQL Server on Azure VM—each with different native backup capabilities and different exposure to data loss risk. This guide covers how each model is backed up natively, how to configure and use point-in-time restore (PITR) and long-term retention (LTR), how to perform manual backups, the real limitations of Azure's built-in system, and how Rubrik extends protect Azure data with immutable, threat-scanned, cyber-resilient backup.
Are Azure SQL Databases Automatically Backed Up?
Yes, Azure SQL Database and Azure SQL Managed Instance both perform automated backups by default, with no configuration required. Azure takes full backups weekly, differential backups every 12–24 hours, and transaction log backups every 5–10 minutes. These backups are stored in geo-redundant storage by default, giving you built-in redundancy against regional failures.
However, built-in automated backups are designed for operational recovery—accidental deletion, corruption, or short-term data loss. They are not designed to provide independent protection against ransomware or insider threats that operate within the retention window. If ransomware encrypts your Azure SQL databases on day one and you don't detect it until day 40, a 35-day retention window provides no clean restore point.
Third-party tools like Rubrik provide a purpose-built Azure SQL backup and cyber recovery platform—delivering immutable backups, sensitive data visibility, threat detection, and orchestrated recovery independent of Azure's native backup system. Learn more about Local Azure backups with Rubrik.
Azure SQL Backup Deployment Models—and How Rubrik Protects Each
The right backup strategy depends on which Azure SQL deployment model you're using.
Azure SQL Database (PaaS) provides fully automated backups with STR and LTR configuration, but you have no access to the underlying .bak files. Rubrik adds an independent backup copy, long-term retention beyond Azure defaults, threat scanning for ransomware indicators, and sensitive data classification inside backups.
Azure SQL Managed Instance supports automated backups and native SQL restore operations. Rubrik adds centralized SLA-driven backup policy, cross-region protection, rapid restore to a different server or region, and immutable retention for compliance.
SQL Server on Azure VM gives you the most control—you can use Azure VM Backup via Recovery Services Vault, manual SSMS backups, or full/differential/log backup schedules. Rubrik provides application-consistent SQL Server backups, granular database-level and file-level restore, Live Mount for near-instant recovery, and protection across hybrid workloads. See how Rubrik handles Azure SQL database backups at scale.
Feature | Azure SQL Database | Managed Instance | SQL Server on Azure VM |
Automatic backups | Yes | Yes | Optional |
Native .bak export | No | Yes | Yes |
Recovery Services Vault | No | Optional | Yes |
Manual SSMS backup | No | Yes | Yes |
How to Perform a Point-in-Time Restore (PITR)
Point-in-time restore lets you recover a database to an exact second within the retention window—powered by automated full, differential, and transaction log backups working together.
Short-term retention defaults to 7 days and is configurable up to 35 days. To perform a PITR in the Azure Portal: navigate to your SQL database, click Restore, choose a point in time, select the target server, and confirm. The restore creates a new database rather than overwriting the original—preserving the existing database until you're ready to cut over.
PITR supports restore to a different server or a different region, which makes it useful for both recovery and environment cloning. Keep in mind that PITR only covers the configured STR window; for regulatory requirements demanding longer retention, you need long-term retention (LTR) configured separately.
Manual Backup Methods: Portal, SSMS, and BACPAC Export
For Azure SQL Database (PaaS), you cannot run a traditional BACKUP DATABASE command to local disk—there is no direct .bak file access. The supported manual option is a BACPAC export, which captures the schema and data in a portable format suitable for migration or archival, not operational recovery.
To export via the Azure Portal: select your database, click Export, configure a storage account destination, and download the BACPAC. To export using SSMS: connect to your Azure SQL instance, right-click the database, and select Tasks → Export Data-tier Application, then save the BACPAC file. Note that BACPAC export is not equivalent to a SQL Server backup—it does not capture transaction logs or enable point-in-time recovery.
For SQL Server on Azure VM, you have full access to BACKUP DATABASE via SSMS or Azure Backup through a Recovery Services Vault, giving you true full/differential/log backup capability.
Short-Term vs Long-Term Backup Retention (LTR)
Short-term retention (STR) enables point-in-time restore and covers the operational recovery window—defaults to 7 days, configurable to 35 days. Long-term retention (LTR) stores weekly full backups for weeks, months, or years, specifically to meet compliance and audit requirements that exceed Azure's 35-day STR cap. According to Microsoft's LTR documentation, LTR backups can be retained for up to 10 years.
Retention Type | Use Case | Duration |
STR | Operational recovery, PITR | Up to 35 days |
LTR | Regulatory compliance, audit | Up to 10 years |
What Are the Limitations of Azure SQL Backup?
Azure SQL's built-in backup system is robust for operational recovery but has meaningful limitations for enterprise security and compliance:
No direct .bak file access for Azure SQL Database (PaaS)
STR cap of 35 days—beyond that, PITR is unavailable without LTR configured
Azure Backup for SQL on Azure VM limits protected instances and restore operations per subscription (consult the Azure subscription limits documentation for current caps)
No independent, air-gapped copy—if a ransomware attack persists beyond the retention window undetected, no clean restore point exists in the native system
No threat scanning or clean-point validation on backup data
Rubrik addresses these gaps with an independent backup copy, air-gapped immutable storage, granular restore, cross-region recovery, and ransomware threat scanning—so you always know which backup is clean before you restore.
Automated Backup System: Azure Built-In vs Rubrik
Capability | Azure Built-In | Rubrik |
Automatic backups | Yes | Yes |
Air-gapped backups | No | Yes |
Immutable retention lock | Limited | Yes |
Threat scanning | No | Yes |
Clean point recovery | No | Yes |
Cross-cloud visibility | No | Yes |
Traditional disaster recovery protects against hardware failure or accidental deletion. Cyber recovery requires a higher bar: immutable storage that cannot be encrypted or deleted by an attacker, threat scanning to identify which backups are clean before restore, and orchestrated recovery to an isolated Azure environment to prevent reinfection. Rubrik delivers all three—purpose-built for the threat environment enterprise organizations operate in today.
Azure SQL backup is a layered discipline—understanding which deployment model you're using, configuring the right retention settings, and recognizing where native Azure capabilities end and enterprise cyber recovery needs begin.
For organizations that need immutable protection, ransomware threat scanning, and orchestrated recovery independent of Azure's native backup system, Rubrik provides a purpose-built solution across all three Azure SQL deployment models. Contact Rubrik to see how it works in your environment.