Azure Backup: Multi-user authorization for Backup is now in public preview
Published date: November 02, 2021
Multi-user authorization (MUA) for Backup allows you to add an additional layer of protection for critical operations on your Recovery Services vaults. For this, Backup uses a Resource Guard to ensure critical operations are performed only with proper authorization. With this, Azure Backup helps provide improved protection against operations that could lead to potential loss of backup data, including:
- Disable soft delete and hybrid security settings
- Disable MUA protection
- Modify backup policy
- Modify protection
- Stop protection
- Change MARS security PIN
In general, the backup administrator, who typically owns the Recovery Services vault, needs to gain the Contributor role on the Resource Guard to be able to perform the aforementioned protected (critical operations), hence, also requires action from the owner of the Resource Guard to approve and grant the required access. You can also use Azure AD Privileged Identity Management to manage just-in-time access on the Resource Guard. Additionally, you can create the Resource Guard in a subscription or a tenant different from the one that has the Recovery Services vault, to achieve maximum isolation.
Please refer to the documentation for more details on using multi-user authorization for Azure Backup.