In this blog post, we will be demonstrating how to set up Azure Backup with Multi User Authorization (MUA) and Resource Guards for added security. This configuration will protect your backups in case one of your accounts is compromised and provide an extra layer of oversight when making important changes. For the purpose of this example, we will be using a new subscription that contains both the Virtual Machines and the Recovery Services Vault. However, you can also use your current subscription or create a new tenant. Microsoft has provided an article on how to configure MUA across tenants.
Please note that at this time, it is not possible to store the Recovery Services Vault in one subscription while keeping the Virtual Machines in another.
Before we start, make sure you’ve configured the following things:
- Backup admin account
- Recovery Services Vault with backup contributor rights for your backup admin
- Second account for the approval later in the post
Let's start with the configuration of the Resource Guard:
- Search for Resource Guards in the search bar and select the corresponding item from the drop-down list
- Select Create to create a new Resource Guard
- Fill in the basics. In this example the Resource Guard is placed in the same subscription as the Recovery Services Vault and the Virtual Machines; the Region must be the same as that of the vault.
- On the next tab, select the critical operations you want the Resource Guard to protect (for example disabling soft delete or deleting a vault). In this example we'll leave the default, which protects all of them
- Select Review + Create and Create the Resource Guard
- Now that the Resource Guard is created, we're going to give the backup admin the Reader role on it. In the Resource Guard created above, go to the Access Control (IAM) blade, and then go to Add role assignment
- Select Reader from the list of built-in roles and select Next on the bottom of the screen
- Click Select members and add the backup admin's account to add them as a Reader
- Click Select and then proceed to Review + Assign to complete the role assignment
We have just completed the configuration of the Resource Guard and granted the backup admin Reader rights on it. Reader on the guard is enough for the backup admin to see the guard, but not enough to pass its checks, which is exactly what we want. Now we will enable Multi-User Authorization on the Recovery Services Vault, so that critical operations on the vault are only allowed for a caller who also has write access to the Resource Guard.
- Go to the Recovery Services Vault. Go to Properties on the left navigation panel, then to Multi-User Authorization and click Update
- Select Protect with Resource Guard then Select Resource Guard
- Select the Directory from the drop-down menu and click Authenticate. After authentication, choose the Resource Guard from the list displayed
- Now select Save to save the Multi-User Authorization setting
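The same Resource Guard and MUA configuration, scripted with Az PowerShell, as an added example that is not part of the original post. It assumes the Az.Accounts, Az.Resources, Az.DataProtection and Az.RecoveryServices modules are installed, that the vault already exists, and that the resource group, region, vault name, guard name and backup admin UPN below are placeholders you replace with your own. The verification step at the end lists the guard mapping and the direct role assignments on the guard, which is the check you want before you trust the protection.

```powershell
# Added example (not from the original post). Creates a Resource Guard, grants the
# backup admin Reader on it, binds it to the Recovery Services vault and verifies.
# All names below are placeholders; cmdlet names assume current Az module versions
# (check with Get-Command New-AzDataProtectionResourceGuard, Set-AzRecoveryServicesResourceGuardMapping).
$subscriptionId = "<subscription-id>"
$rg             = "rg-backup"
$location       = "westeurope"           # guard and vault must be in the same region
$vaultName      = "rsv-prod"
$guardName      = "rg-mua-guard"
$backupAdminUpn = "backup-admin@contoso.com"

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# 1. Create the Resource Guard. With no operations excluded it protects all critical
#    operations, which matches the portal default used in the post.
$guard = New-AzDataProtectionResourceGuard -ResourceGroupName $rg -Name $guardName -Location $location

# 2. The backup admin gets Reader on the guard only. This is standing access that
#    lets them see and select the guard, but not pass its checks.
$backupAdmin = Get-AzADUser -UserPrincipalName $backupAdminUpn
New-AzRoleAssignment -ObjectId $backupAdmin.Id -RoleDefinitionName "Reader" -Scope $guard.Id | Out-Null

# 3. Associate the guard with the vault. This is what enables MUA on the vault.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName
Set-AzRecoveryServicesResourceGuardMapping -VaultId $vault.ID -ResourceGuardId $guard.Id

# 4. Verify: the mapping exists, and the only direct assignment on the guard for the
#    backup admin is Reader. Assignments inherited from the subscription are shown
#    too, because an inherited Contributor/Owner would also satisfy the guard.
Get-AzRecoveryServicesResourceGuardMapping -VaultId $vault.ID
Get-AzRoleAssignment -Scope $guard.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Run the script as the security admin who owns the Resource Guard, not as the backup admin. If the last command shows the backup admin (or a group they belong to) with Contributor or Owner at the subscription or resource-group scope, the MUA check will pass for them without any approval, and that assignment needs to be removed or converted to a PIM-eligible one.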
With Multi-User Authorization configured on our Recovery Services Vault, the backup administrator is now blocked from performing critical operations, such as disabling the soft delete option on the vault, unless they also have write access on the Resource Guard.
In some cases, critical operations must still be performed on your backups, and Multi-User Authorization (MUA) helps ensure that these actions are taken only with the appropriate approvals. To perform a protected operation, the backup administrator needs the Contributor role on the Resource Guard. Currently, the backup administrator only holds Reader on it. To let the backup administrator obtain Contributor on the guard temporarily, and only after a colleague approves, configure an eligible assignment in Privileged Identity Management (PIM) as follows.
- In the subscription containing the Resource Guard, go to Privileged Identity Management
- In the left menu select Azure resources and then select Discover Resources
- Select the subscription containing the Recovery Services Vault and Resource Guard and then select Manage Resource
- Now all the resources will be available. Go back to Azure resources and filter on Resource type so that the Resource Guard is shown
- Select the Resource Guard; this will bring you to a new page. On this page, go to Assignments and select Add assignment
- Under Add assignments, select the Contributor role, click No member selected and add the backup admin's account
- In the next screen:
- Under assignment type, choose Eligible
- Specify the duration for which the eligible permission is valid
- Select Assign to finish creating the eligible assignment
- Go back to Azure Resources and select your Resource Guard
- Go to Settings and then to the Contributor role
- Select Edit to change the role's activation settings
- On the Activation tab, select Require approval to activate and add the approver(s) who must approve each activation request for the Contributor role
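The eligible assignment and the standing-access check, scripted with Az PowerShell, as an added example that is not part of the original post. It assumes Az.Resources with the role eligibility cmdlets (Az.Resources 5.6 or later), that the Resource Guard already exists, and that the guard resource ID and backup admin UPN are placeholders. The approval requirement on the Contributor role is left to the portal steps above, because the role management policy object is verbose and easy to get wrong in a script.

```powershell
# Added example (not from the original post). Gives the backup admin a PIM-eligible
# Contributor assignment on the Resource Guard and then verifies that they hold no
# standing Contributor/Owner that would let them bypass approval.
# The guard ID and UPN are placeholders.
$guardId        = "/subscriptions/<subscription-id>/resourceGroups/rg-backup/providers/Microsoft.DataProtection/resourceGuards/rg-mua-guard"
$backupAdminUpn = "backup-admin@contoso.com"

$backupAdmin = Get-AzADUser -UserPrincipalName $backupAdminUpn

# Built-in Contributor role definition; b24988ac-... is its well-known ID.
$contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c"
$roleDefinitionId  = "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/$contributorRoleId"

# 1. Eligible (not active) assignment, valid for 90 days. Activation still has to go
#    through PIM, and with "Require approval" set, through the approver.
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid `
    -Scope $guardId `
    -PrincipalId $backupAdmin.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P90D" | Out-Null

# 2. Check: any *standing* Contributor/Owner on the guard (direct or inherited from the
#    resource group / subscription) makes the eligible assignment pointless, because
#    the MUA check only asks whether the caller can write to the guard right now.
$standing = Get-AzRoleAssignment -ObjectId $backupAdmin.Id -Scope $guardId |
    Where-Object { $_.RoleDefinitionName -in @('Contributor', 'Owner') }
if ($standing) {
    Write-Warning ("Backup admin has standing write access on the guard: " +
        (($standing | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join ', '))
} else {
    Write-Output "OK: backup admin has no standing Contributor/Owner on the Resource Guard"
}

# 3. Show the eligible assignment that was just created.
Get-AzRoleEligibilitySchedule -Scope $guardId -Filter "principalId eq '$($backupAdmin.Id)'" |
    Select-Object RoleDefinitionDisplayName, Status, EndDateTime
```

The check in step 2 uses the account's object ID rather than a group, so if the backup admin gets Contributor through a group membership you will need to add `-ExpandPrincipalGroups` to `Get-AzRoleAssignment` to see it. Run the same check periodically: a later "helpful" Contributor grant at subscription scope silently turns MUA into a no-op for that account.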
Now we've successfully configured a Recovery Services Vault with a Resource Guard whose Contributor role is gated by PIM. You can test the configuration by signing in as the backup administrator.
The end result
When you try to delete the Recovery Services Vault as the backup administrator, step 1 of the wizard already tells you that the operation requires permission via Multi-User Authorization:
I also tried to stop a backup and delete the data; it gave me the following message:
With this extra protection in place, a single compromised or careless backup admin account can no longer delete the vault, stop protection with data deletion, or disable soft delete on its own: every such operation now requires a second person to approve a time-limited Contributor activation on the Resource Guard.
That’s it for this post. Thank you for reading! If you have any comments or questions, please feel free to leave a comment or contact me on Linkedin!