Generally available: Azure Backup multi-user authorization for recovery services vaults
Published date: June 30, 2022
Multi-user authorization (MUA) for Backup adds a layer of protection for critical operations on your recovery services vaults, providing greater security for your backups. To provide multi-user authorization, Backup uses a resource guard to ensure critical operations are performed only with proper authorization. With MUA, Azure Backup provides improved protection against operations that could lead to loss of backup data, including:
- Disable soft delete and hybrid security settings
- Disable multi-user authorization protection
- Modify backup policy (to reduce retention)
- Modify protection (to reduce retention)
- Stop protection with delete data
- Change MARS security PIN
The backup administrator, who typically owns the recovery services vault, needs to gain the contributor role on the resource guard to be able to perform the protected (critical) operations listed above. This also requires action from the owner of the resource guard to approve and grant the required access. You can also use Azure AD Privileged Identity Management to manage just-in-time access on the resource guard. Additionally, you can create the resource guard in a subscription or a tenant different from the one that has the recovery services vault, to achieve maximum isolation.
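The separation described above only holds while no single identity has standing write access to both the vault and the resource guard. The following check is an added example, not Microsoft's code: it scans role assignments in the shape `az role assignment list -o json` emits and reports principals that hold both, including through inherited scopes. The resource IDs, principals and the choice of which roles count as vault administration are assumptions made for illustration.

```python
# Constructed sample data; subscription IDs, names and principals are placeholders.
VAULT = ("/subscriptions/SUB-A/resourceGroups/rg-backup/providers/"
         "Microsoft.RecoveryServices/vaults/vault1")
GUARD = ("/subscriptions/SUB-A/resourceGroups/rg-sec/providers/"
         "Microsoft.DataProtection/resourceGuards/guard1")

def _a(principal, role, scope):
    return {"principalName": principal, "roleDefinitionName": role, "scope": scope}

SAMPLE = [
    _a("backupadmin@example.com", "Backup Contributor", VAULT),
    _a("secadmin@example.com", "Owner", GUARD),
    _a("auditor@example.com", "Reader", GUARD),
    # Subscription-wide Contributor is inherited by both the vault and the guard.
    _a("ops@example.com", "Contributor", "/subscriptions/SUB-A"),
    # Prefix trap: "rg" is not a parent of "rg-backup" or "rg-sec".
    _a("dev@example.com", "Owner", "/subscriptions/SUB-A/resourceGroups/rg"),
]

# Assumption: roles treated as able to run critical operations on the vault.
VAULT_ADMIN_ROLES = {"Owner", "Contributor", "Backup Contributor"}
# The page names Contributor on the guard; Owner also grants write access.
GUARD_WRITE_ROLES = {"Owner", "Contributor"}

def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (exact or inherited)."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def principals_with(assignments, resource_id, roles):
    return {a["principalName"] for a in assignments
            if a["roleDefinitionName"] in roles and covers(a["scope"], resource_id)}

def separation_violations(assignments, vault_id, guard_id):
    """Principals with standing access to both the vault and its resource guard."""
    vault_admins = principals_with(assignments, vault_id, VAULT_ADMIN_ROLES)
    guard_writers = principals_with(assignments, guard_id, GUARD_WRITE_ROLES)
    return sorted(vault_admins & guard_writers)

if __name__ == "__main__":
    for principal in separation_violations(SAMPLE, VAULT, GUARD):
        print("standing access to both vault and resource guard:", principal)
```

In the sample both resources sit in one subscription, which is what lets the inherited assignment span them; placing the resource guard in a different subscription or tenant, as the announcement suggests, removes that path.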
Please refer to the documentation to learn more about multi-user authorization for Azure Backup, and for details on configuration and use.