In this blog post, we will be demonstrating how to set up Azure Backup with Multi User Authorization (MUA) and Resource Guards for added security. This configuration will protect your backups in case one of your accounts is compromised and provide an extra layer of oversight when making important changes. For the purpose of this example, we will be using a new subscription that contains both the Virtual Machines and the Recovery Services Vault. However, you can also use your current subscription or create a new tenant. Microsoft has provided an article on how to configure MUA across tenants.
Please note that at this time, it is not possible to store the Recovery Services Vault in one subscription while keeping the Virtual Machines in another.
Before we start, make sure you’ve configured the following things:
- Backup admin account
- Recovery Services Vault with backup contributor rights for your backup admin
- Second account for the approval later in the post
Let's start with the configuration of the Resource Guard:
- Search for Resource Guards in the search bar and select the corresponding item from the drop-down list
- Select Create to create a new Resource Guard
- Fill in the basics and make sure that the Resource Guard is in the same subscription as your Recovery Services Vaults and Virtual Machines. Also make sure that the Region is the same.
- On the next tab, select everything you want to protect. In this example we'll leave it at the default.
- Select Review + Create and Create the Resource Guard
- Now that the Resource Guard is created, we're going to add Reader rights to the backup admin. In the Resource Guard created above, go to the Access Control (IAM) blade, and then go to Add role assignment
- Select Reader from the list of built-in roles and select Next on the bottom of the screen
- Click Select members and add the Backup admin’s email ID to add them as the Reader
- Click Select and then proceed to Review + Assign to complete the role assignment
We have just completed the configuration of the Resource Guard and granted the backup admin reader rights. Now, we will proceed to enable Multi-User Authorization on the Recovery Services Vault to prevent unintended changes by the backup administrator to the backup.
- Go to the Recovery Services Vault. Go to Properties on the left navigation panel, then to Multi-User Authorization and click Update
- Select Protect with Resource Guard then Select Resource Guard
- Select the Directory from the dropdown menu and click Authenticate. After authentication, choose the Resource Guard from the list displayed
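The same three steps (create the Resource Guard, give the backup admin Reader on it, map the vault to the guard) scripted with the Azure CLI, as an added example that is not part of the original post. It assumes the az CLI with the dataprotection extension, that `az backup vault resource-guard-mapping update` accepts `--resource-guard-id` (check `--help` on your CLI version), and an account holding the rights the post describes; all IDs and names are placeholders. The pre-flight check enforces the same-subscription requirement mentioned above before the mapping call is made.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Resource Guard + MUA setup via
# Azure CLI, with an offline pre-flight check that guard and vault share a
# subscription. Assumptions: 'dataprotection' extension installed, and
# 'az backup vault resource-guard-mapping update' taking --resource-guard-id.
set -eu

# Subscription GUID of an ARM resource ID (pure string handling, no az call).
subscription_of() {
  local id="${1#/subscriptions/}"
  printf '%s\n' "${id%%/*}"
}

# Resource group name of an ARM resource ID.
resource_group_of() {
  local id="${1#*/resourceGroups/}"
  printf '%s\n' "${id%%/*}"
}

# Returns 0 when both IDs sit in the same subscription (a MUA requirement).
same_subscription() {
  [ "$(subscription_of "$1")" = "$(subscription_of "$2")" ]
}

# Step 1: create the Resource Guard next to the vault and VMs; prints its ID.
create_resource_guard() {
  local rg="$1" name="$2" location="$3"
  az dataprotection resource-guard create --resource-group "$rg" \
    --resource-guard-name "$name" --location "$location" --query id -o tsv
}

# Step 2: Reader is the only role the backup admin needs on the guard.
grant_reader() {
  local guard_id="$1" backup_admin="$2"
  az role assignment create --assignee "$backup_admin" --role Reader \
    --scope "$guard_id" -o none
}

# Step 3: map the vault to the guard, which enables MUA on the vault.
enable_mua() {
  local vault_id="$1" guard_id="$2"
  same_subscription "$vault_id" "$guard_id" ||
    { echo "vault and Resource Guard must be in the same subscription" >&2; return 1; }
  az backup vault resource-guard-mapping update \
    --resource-group "$(resource_group_of "$vault_id")" \
    --name "${vault_id##*/}" --resource-guard-id "$guard_id" -o none
}

# Usage (placeholder values):
# GUARD_ID=$(create_resource_guard rg-backup rg-guard-01 westeurope)
# grant_reader "$GUARD_ID" backup-admin@example.com
# enable_mua "/subscriptions/<sub-id>/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/rsv-01" "$GUARD_ID"
```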