Edit

Azure MCP Server tools for Azure Backup

When you use Azure MCP Server, you can manage Azure Backup resources through natural language prompts by using the Model Context Protocol (MCP). You can create and configure backup vaults, define and update backup policies, and protect and undelete items. You can also manage governance settings like soft delete and immutability, configure multiuser authorization (MUA), and monitor backup jobs and recovery points.

Azure Backup provides cloud-based capabilities for your applications. For more information, see the Azure Backup documentation.

Note

Tool parameters: The Azure MCP Server tools define parameters for data they need to complete tasks. Some of these parameters are specific to each tool and are documented here. Other parameters are global and shared by all tools. For more information, see Tool parameters.

Backup: Get status

This tool checks the backup status of an Azure resource through Azure Backup. It returns information on whether the resource is protected, along with vault and policy details. Use it to verify whether a virtual machine, disk, storage account, or other data source is currently backed up. It requires the Azure Resource Manager resource ID for the data source and the Azure region where the resource exists.

Example prompts include:

  • "Is the virtual machine (VM) protected for data source ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/webvm in location eastus?"
  • "Check backup status for data source ID /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-backup/providers/Microsoft.Compute/disks/dataDisk1 in location westus2."
  • "Get the protection details for data source ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-storage/providers/Microsoft.Storage/storageAccounts/mystorageacct in location centralus."
  • "Verify protection for data source ID SAPHanaDatabase;instance;ProdDB in location eastus2."
  • "Show available subcommands and parameters for the backup status check for data source ID /subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/rg-app/providers/Microsoft.Web/sites/mywebapp in location eastus with --learn."
Parameter Required or optional Description
Datasource ID Required The data source identifier. For VM, FileShare, or DPP workloads, provide the Azure Resource Manager resource ID. For example, /subscriptions/.../virtualMachines/myvm. For Recovery Services vault (RSV) in-guest workloads, such as SQL or SAP HANA, provide the protectable item name returned by protectableitem list. For example, SAPHanaDatabase;instance;dbname.
Location Required The Azure region. For example, eastus or westus2.

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Disaster recovery: Enable cross-region restore

This tool enables cross-region restore on a geo-redundant storage-enabled backup vault. It activates cross-region restore so that you can recover backups from a secondary region.

Example prompts include:

  • "Enable Cross-Region Restore for vault name backup-vault-prod in resource group rg-prod."
  • "Enable Cross-Region Restore on Recovery Services vault rsv-backup in resource group rg-disaster with vault type rsv."
  • "How do I run enable-crr for vault site-backup in resource group rg-staging using --learn?"
  • "Enable CRR for vault dr-vault-east in resource group rg-eus with vault type dpp."
  • "Run azurebackup disasterrecovery enable-crr for vault name backupvault01 in resource group rg-apps."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group that contains the vault.
Vault name Required The name of the Recovery Services vault or Backup vault.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault on Data Protection Platform (DPP). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Governance: List resources without backup policy

This tool scans your subscription and lists Azure resources that aren't protected by any Azure Backup policy. You can filter results by resource type, resource group, or tags. For example, find unprotected resources in the resource group rg-prod, or find unprotected VMs with the tag environment=production.

Example prompts include:

  • "Find all resources in my subscription that aren't protected by any backup policy."
  • "Find unprotected resources with resource type filter Microsoft.Compute/virtualMachines,Microsoft.Sql/servers."
  • "List unprotected resources with tag filter environment=production."
  • "Show unprotected resources with resource type filter Microsoft.Storage/storageAccounts and tag filter backup=required."
  • "Show available subcommands and parameters using Learn --learn."
Parameter Required or optional Description
Resource type filter Optional Resource types to filter, comma-separated.
Tag filter Optional Tag-based filter in key=value format (for example, environment=production).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Governance: Configure immutability state

This tool configures the immutability state for a backup vault. Set the state to Disabled, Enabled, or Locked. Warning: Locked is irreversible.

Example prompts include:

  • "Set immutability state Enabled for vault name backup-vault in resource group rg-prod."
  • "Enable immutability state Locked for vault name rsv-vault-01 in resource group rg-secure."
  • "Change immutability state Disabled for vault name dppvault1 in resource group rg-dev."
  • "Can you set immutability state Enabled for vault name prod-backup in resource group rg-production with vault type rsv?"
  • "Show immutability subcommands with --learn for vault name test-vault in resource group rg-test."
Parameter Required or optional Description
Immutability state Required Immutability state: Disabled, Enabled, or Locked (irreversible).
Resource group Required The name of the Azure resource group that contains the vault.
Vault name Required The name of the Recovery Services vault or Backup vault.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Governance: Configure soft delete

This tool configures soft-delete settings for a backup vault. Set the soft-delete state to AlwaysOn, On, or Off. You can optionally specify the soft-delete retention period in days (14 to 180). For example, enable soft delete On with a 30-day retention for the vault contosoBackupVault in the resource group rg-backup.

Example prompts include:

  • "Enable soft delete AlwaysOn for vault name backup-vault-prod in resource group rg-prod with soft delete retention days 90."
  • "Turn soft delete Off for vault name rsv-main in resource group rg-backups."
  • "Can you set soft delete On for vault name dpp-vault in resource group rg-dev with vault type dpp and soft delete retention days 30?"
  • "Show me help for soft-delete with resource group rg-tools, vault name backup-vault-test, and soft delete On using --learn."
  • "Configure soft delete On for vault name rs-vault-prod in resource group rg-prod and specify vault type rsv."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group that contains the vault.
Soft delete Required Soft-delete state: AlwaysOn, On, or Off.
Vault name Required The name of the Recovery Services vault or Backup vault.
Soft delete retention days Optional Soft-delete retention period in days. Range: 14 to 180.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Job: Get backup job information

This tool retrieves backup job information from a vault. When you specify the job ID, the tool returns detailed information about that job. The information includes operation type, status, start and end times, error codes, and data source details. When you omit the job ID, the tool lists all backup jobs in the vault.

Example prompts include:

  • "List all backup jobs in resource group rg-backup-prod for vault rsv-prod-vault."
  • "Get backup job job-9f7c3a2b in resource group rg-backup-prod from vault rsv-prod-vault."
  • "What is the status of job d3b2e7f4 in vault backupvault-eus within resource group rg-eus-backup?"
  • "Show command options for azurebackup job get in resource group rg-backup-dev for vault dev-backup-vault with --learn."
  • "List all backup jobs in resource group rg-dpp-test for vault dpp-test-vault with vault type dpp."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group that contains the vault.
Vault name Required The name of the Recovery Services vault or Backup vault.
Job ID Optional The backup job ID.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Policy: Create backup policy

This tool creates a backup policy for a specified workload type and lets you set schedule and retention rules.

Example prompts include:

  • "Create backup policy daily-vm-policy in resource group rg-prod for vault rsv-vault-west with workload type VM."
  • "I need a backup policy sql-weekly-policy in resource group rg-db for vault db-backups targeting workload type SQL with daily retention days 30 and schedule time 03:00."
  • "Can you create policy aks-backup in resource group rg-aks for vault dpp-aks-vault with workload type AKS and vault type dpp?"
  • "Create policy azureblob-monthly in resource group rg-storage for vault blob-backups with workload type AzureBlob and daily retention days 7."
  • "Create backup policy flexible-pg-policy in resource group rg-data for vault dpp-data-vault with workload type PostgreSQLFlexible."
Parameter Required or optional Description
Policy name Required The name of the backup policy.
Resource group Required The name of the Azure resource group, a logical container for related resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Workload type Required Workload type: VM, SQL, SAPHANA, SAPASE, AzureFileShare (RSV types) or AzureDisk, AzureBlob, AKS, ElasticSAN, PostgreSQLFlexible, ADLS, CosmosDB (DPP types). Also accepts aliases like AzureVM and SQLDatabase.
Archive tier after days Optional Move recovery points to the archive tier after specified days. Pair with --archive-tier-mode.
Archive tier mode Optional Archive tiering mode: TierAfter (always tier after --archive-tier-after-days) or CopyOnExpiry (copy to archive when the recovery point expires). Use --smart-tier for service-recommended tiering.
Backup mode Optional Backup mode for storage workloads: Continuous (default for AzureBlob, ADLS) or Vaulted (discrete recovery points). DPP AzureBlob, AzureDataLakeStorage.
Daily retention days Optional Daily recovery point retention in days. Defaults to the data source-specific value if omitted.
Differential retention days Optional Retention period in days for Differential backups. RSV VmWorkload only.
Differential schedule days of week Optional Comma-separated days of the week for the Differential backup (for example, Monday,Thursday). RSV VmWorkload only.
Enable snapshot backup Optional Enable snapshot/instance backups (HANA System Replication snapshot recovery points). RSV SAPHANA only.
Enable vault tier copy Optional Enable vault-tier copy of operational store backups. DPP AzureDisk only.
Full schedule days of week Optional Comma-separated days of the week for the Full backup (for example, Sunday). Required when --full-schedule-frequency is Weekly. RSV VmWorkload only.
Full schedule frequency Optional Full backup schedule frequency for SQL/SAPHANA/SAPASE: Daily or Weekly. RSV VmWorkload only.
Hourly interval hours Optional Interval in hours between hourly backups. Valid values: 4, 6, 8, 12. Used only when --schedule-frequency is Hourly (RSV).
Hourly window duration hours Optional Duration of the hourly backup window in hours (for example, 12). Used only when --schedule-frequency is Hourly (RSV).
Hourly window start time Optional Start time of the hourly backup window in 24h HH:mm format (for example, 08:00). Used only when --schedule-frequency is Hourly (RSV).
Incremental retention days Optional Retention period in days for Incremental backups. RSV SAPHANA / SAPASE only.
Incremental schedule days of week Optional Comma-separated days of the week for the Incremental backup. RSV SAPHANA / SAPASE only.
Instant recovery-point resource group Optional Resource group that hosts the instant recovery point snapshots. RSV VM only.
Instant recovery-point retention days Optional Instant recovery point retention in days (1 to 30 for Standard, 1 to 7 for Enhanced). RSV VM only.
Is compression Optional Enable backup compression at the policy level. RSV VmWorkload only.
Is SQL compression Optional Enable SQL Server on VM native backup compression. RSV SQL only.
Log frequency minutes Optional Transaction log backup frequency in minutes (for example, 15, 30, 60). RSV VmWorkload only.
Log retention days Optional Retention period in days for transaction log backups. RSV VmWorkload only.
Monthly retention days of month Optional Comma-separated days of the month for monthly retention (1 to 28 or Last; for example, 1,15,Last). Absolute scheme. Mutually exclusive with --monthly-retention-week-of-month.
Monthly retention days of week Optional Comma-separated days of the week for the monthly retention tag (for example, Sunday). Use with --monthly-retention-week-of-month (relative scheme).
Monthly retention months Optional Number of months to keep monthly recovery points. Combine with either --monthly-retention-days-of-month (absolute) or --monthly-retention-week-of-month + --monthly-retention-days-of-week (relative).
Monthly retention week of month Optional Which week of the month to tag for monthly retention: First, Second, Third, Fourth, or Last. Use with --monthly-retention-days-of-week (relative scheme).
PITR retention days Optional Point-in-time restore retention in days for continuous backups. DPP AzureBlob, AzureDataLakeStorage.
Policy subtype Optional RSV VM policy subtype: Standard or Enhanced. Enhanced is required for hourly schedules and Trusted Launch VMs. RSV VM only.
Policy tags Optional Resource tags applied to the RSV backup policy as k1=v1,k2=v2. RSV only.
Schedule days of week Optional Comma-separated days of the week that the backup should run (for example, Monday,Wednesday,Friday). Required for Weekly schedules.
Schedule frequency Optional Backup schedule frequency. Recovery Services vaults accept Daily, Weekly, or Hourly. Backup vaults accept ISO 8601 intervals: PT4H, PT6H, PT8H, PT12H, P1D, P1W, P2W, or P1M.
Schedule time Optional Comma-separated list of backup times in 24h HH:mm format (for example, 02:00 or 02:00,14:00). Interpreted in --time-zone. Defaults to 02:00 UTC if not specified.
Smart tier Optional Enable smart-tiering (machine learning-based archive recommendation). RSV VM only.
Snapshot consistency Optional Snapshot consistency mode for VM backups: ApplicationConsistent or CrashConsistent. RSV VM only.
Snapshot instant recovery-point resource group Optional Resource group prefix for snapshot instant recovery points. RSV SAPHANA snapshot only.
Snapshot instant recovery-point retention days Optional Snapshot instant recovery-point retention range in days. RSV SAPHANA snapshot only.
Time zone Optional Windows time-zone identifier for the backup schedule (for example, UTC, Pacific Standard Time). If omitted, the schedule runs in UTC.
Vault tier copy after days Optional Days after which an operational backup is copied to the vault tier. DPP AzureDisk only.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).
Weekly retention days of week Optional Comma-separated days of the week tagged for weekly retention (for example, Sunday). Required alongside --weekly-retention-weeks.
Weekly retention weeks Optional Number of weeks to keep weekly recovery points. Required alongside --weekly-retention-days-of-week.
Yearly retention days of month Optional Comma-separated days of the selected months for yearly retention (1 to 28 or Last). Absolute scheme. Mutually exclusive with --yearly-retention-week-of-month.
Yearly retention days of week Optional Comma-separated days of the week for the yearly retention tag (for example, Sunday). Use with --yearly-retention-week-of-month (relative scheme).
Yearly retention months Optional Comma-separated months tagged for yearly retention (for example, January or January,July).
Yearly retention week of month Optional Which week of the selected months to tag for yearly retention: First, Second, Third, Fourth, or Last. Use with --yearly-retention-days-of-week (relative scheme).
Yearly retention years Optional Number of years to keep yearly recovery points. Combine with --yearly-retention-months and either --yearly-retention-days-of-month (absolute) or --yearly-retention-week-of-month + --yearly-retention-days-of-week (relative).

Tool annotation hints:

Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Policy: Get policy

This tool retrieves backup policy information. The tool provides detailed information for a single policy when you specify the policy parameter. When you omit the policy parameter, the tool lists all the backup policies configured in the vault.

Example prompts include:

  • "List all backup policies in resource group rg-prod for vault backup-vault."
  • "Get details of policy DailyBackup in resource group rg-app from vault app-backup."
  • "What's the configuration for policy WeeklyRetention in resource group rg-archive on vault archive-vault with vault type rsv?"
  • "Show all backup policies in resource group rg-tools for vault tool-vault with --learn."
  • "Retrieve full information for policy SQLServerPolicy in resource group rg-databases from vault db-backup, including data source types and protected item counts."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group that contains the vault.
Vault name Required The name of the Recovery Services vault or Backup vault.
Policy name Optional The name of the backup policy.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Policy: Update policy

This tool modifies an existing Recovery Services vault backup policy. You can update the backup schedule time and daily retention days for VM, SQL, SAP HANA, and file share workload policies. The named policy must already exist in the vault.

Example prompts include:

  • "Update backup policy daily-vm-policy in resource group rg-prod for vault rsv-vault-west with schedule time 04:00."
  • "Change daily retention days to 60 for policy sql-weekly-policy in resource group rg-db on vault db-backups."
  • "Update schedule time to 02:00 and daily retention days to 30 for policy fileshare-policy in resource group rg-storage on vault storage-vault."
  • "Modify backup policy sap-policy in resource group rg-sap for vault sap-backup-vault with vault type rsv and schedule time 06:00."
  • "Show learn options for azurebackup policy update with policy help-policy in resource group rg-help and vault help-vault and --learn."
Parameter Required or optional Description
Policy name Required The name of the backup policy.
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Daily retention days Optional Daily recovery point retention in days. Defaults to the data source-specific value if omitted.
Schedule time Optional Backup time in UTC (for example, 02:00).
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Protectable item: List protectable items

This tool lists items that you can back up (protectable items) in a Recovery Services vault. Examples include SQL databases and SAP HANA databases that the tool discovers on registered VMs. Use the tool to find databases and workloads available for backup protection. This tool supports Recovery Services vaults only. Data Protection Platform data sources use Resource Manager resource IDs for protection. Filter results by workload type, such as SQL or SAP HANA, or by container.

Example prompts include:

  • "List all protectable items in resource group rg-prod and vault name rsv-backup-vault."
  • "List protectable items with workload type SQL in resource group rg-data and vault name backup-vault-east."
  • "Show protectable items in container iaasvmcontainer-01 for resource group rg-prd-backup and vault name rsv-prod-vault."
  • "What protectable VMs are available with workload type VM and vault type rsv in resource group rg-staging and vault name staging-backup-vault?"
  • "Show command options with --learn for azurebackup protectableitem list in resource group rg-tools and vault name tools-rsv-vault."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group.
Vault name Required The name of the Recovery Services vault or Backup vault.
Container name Optional The Recovery Services vault protection container name. Applies to Recovery Services vaults only.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).
Workload type Optional Workload types for Recovery Services vaults include VM, SQL, SAPHANA (SAP HANA), SAPASE, and AzureFileShare. Workload types for DPP include AzureDisk, AzureBlob, AKS (Azure Kubernetes Service), ElasticSAN, PostgreSQLFlexible, ADLS (Azure Data Lake Storage), and CosmosDB. The parameter also accepts aliases like AzureVM and SQLDatabase.

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Protected item: Get information

Retrieves protected item information from a backup vault.

This tool returns detailed information about a single backup instance when you specify the protected item. Details include protection status, data source information, policy assignment, and last backup time. Specify the container for Recovery Services vault items. When you omit the protected item, the tool lists all protected items (backup instances) in the vault.

Example prompts include:

  • "List all protected items in resource group rg-prod and vault name rsv-vault."
  • "Get protected item vm-prod-01 in container rsv-container-01 for resource group rg-prod and vault name rsv-vault."
  • "Retrieve protected item db-backup-2026 from resource group rg-dpp and vault name dpp-vault with vault type dpp."
  • "What protected items are in resource group prod-rg and vault name backup-vault?"
  • "Show command options for azurebackup protecteditem get in resource group rg-prod and vault name rsv-vault with --learn."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Container name Optional The Recovery Services vault protection container name. Applies to Recovery Services vaults only.
Protected item Optional The name of the protected item or backup instance.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Protected item: Configure backup protection

Configure backup protection for an Azure resource by creating a protected item or a backup instance. This tool protects VMs, disks, file shares, SQL databases, SAP HANA databases, and other supported data sources. For VMs, provide the VM Resource Manager resource ID as Datasource ID. For SQL and SAP HANA workloads, specify the protectable item name as Datasource ID (for example, SAPHanaDatabase;instance;dbname) and specify the Container name. Specify the backup policy with the Policy parameter. The operation runs asynchronously, so monitor the protection job until it finishes.

Example prompts include:

  • "Protect data source ID /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/webapp-prod with policy daily-policy in resource group prod-rg and vault backup-vault."
  • "Enable protection for data source ID MSSQLDatabase;sqlserver01;salesdb using policy weekly-sql-policy in resource group rg-sql and vault rsv-vault, container sql-container."
  • "Create protection for data source ID /subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/resourceGroups/rg-storage/providers/Microsoft.Compute/disks/data-disk1 with policy disk-backup-policy in resource group rg-storage and vault dpp-vault, data source type AzureDisk."
  • "Can you protect data source ID SAPHanaDatabase;HANA01;db01 with policy hana-policy in resource group rg-hana and vault rsv-hana and container hana-container?"
  • "Start protection for data source ID /subscriptions/9f8b7c6d-1234-4bcd-9e8f-abcdef012345/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/api-staging using policy api-policy in resource group rg-prod and vault backup-vault."
Parameter Required or optional Description
Datasource ID Required The data source identifier. For VMs, disks, and file shares, use the Resource Manager resource ID (for example, '/subscriptions/.../virtualMachines/myvm'). For in-guest workloads protected by a Recovery Services vault, use the protectable item name from the protectable items list (for example, 'SAPHanaDatabase;instance;dbname').
Policy name Required The name of the backup policy.
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the backup vault. Use the Recovery Services vault name for RSV scenarios.
AKS excluded namespaces Optional Comma-separated list of namespaces to exclude from the AKS backup policy default scope. DPP AKS only.
AKS include cluster scope resources Optional Include cluster-scoped resources in the AKS backup policy. DPP AKS only.
AKS included namespaces Optional Comma-separated list of namespaces to include in the AKS backup policy default scope. DPP AKS only.
AKS label selectors Optional Comma-separated label selectors (for example, app=frontend,tier=web) applied to the AKS backup policy default scope. DPP AKS only.
AKS snapshot resource group Optional Resource group used to store AKS volume snapshots created by Backup. DPP AKS only.
Container name Optional The Recovery Services vault protection container name. Applies to Recovery Services vaults only.
Datasource type Optional The workload type hint. Supported Recovery Services vault types include VM, SQL, SAPHANA, SAPASE, and AzureFileShare. Supported Backup vault (DPP) types include AzureDisk, AzureBlob, AKS, ElasticSAN, PostgreSQLFlexible, ADLS, and CosmosDB. The parameter also accepts common aliases such as AzureVM and SQLDatabase.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere.

Tool annotation hints:

Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Protected item: Restore soft-delete item

This tool restores a soft-deleted backup item to an active protection state. It helps you recover accidentally deleted backups or protected items. For Recovery Services vaults, specify the data source Resource Manager resource ID with the datasource-id parameter. For Backup vaults, specify the data source Resource Manager resource ID with the datasource-id parameter. Optionally, specify the container parameter for Recovery Services vault workload items such as SQL or SAP HANA. The operation runs asynchronously, and you monitor progress with azurebackup job get.

Example prompts include:

  • "Undelete protected item with data source ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/myvm, resource group rg-backups, and vault name rsv-vault-prod."
  • "Undelete protected item for data source ID SAPHanaDatabase;instance01;db01 in resource group prod-backups and vault name rsv-vault-prod with container sql-container-01."
  • "Please undelete the protected item for data source ID /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-dpp/providers/Microsoft.Storage/storageAccounts/mydata/fileServices/default/shares/backupshare, resource group rg-dpp, and vault name backupvault01."
  • "Can you undelete the protected item for data source ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/web-rg/providers/Microsoft.Compute/virtualMachines/webapp-prod in resource group web-rg from vault name rsv-vault-staging?"
  • "Undelete protected item with data source ID SAPHanaDatabase;instance02;db02, resource group rg-sql, vault name rsv-vault-eu, and vault type rsv."
Parameter Required or optional Description
Datasource ID Required The data source identifier. For VM, FileShare, or DPP workloads, use the Resource Manager resource ID (for example, '/subscriptions/.../virtualMachines/myvm'). For RSV in-guest workloads (SQL/SAPHANA), use the protectable item name from protectableitem list (for example, 'SAPHanaDatabase;instance;dbname').
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Container name Optional The protection container name for Recovery Services vaults.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Recovery point: Get recovery point information

This tool retrieves recovery point information for a protected item. When you specify the recovery point, the tool returns detailed information about that recovery point, including time and type. When you omit the recovery point, the tool lists all available recovery points for the protected item.

Example prompts include:

  • "List all recovery points for protected item vm-prod-01 in resource group rg-prod-backup and vault name vault-prod."
  • "Get recovery point rp-2025-01-15T02:00:00Z for protected item db-backup-02 in resource group rg-db from vault name db-vault with container rsv-container and vault type rsv."
  • "What recovery points are available for protected item fileshare01 in resource group rg-files under vault name backup-vault?"
  • "Show details for recovery point rp-2026-05-01-08 of protected item appservice-backup in resource group rg-apps and vault name app-vault with vault type dpp."
  • "Display the command options using --learn for protected item vm-test in resource group rg-test and vault name test-vault."
Parameter Required or optional Description
Protected item name Required The name of the protected item or backup instance.
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Container name Optional The Recovery Services vault protection container name. Applies to Recovery Services vaults only.
Recovery point ID Optional The recovery point ID.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Security: Configure encryption

This tool configures customer-managed key (CMK) encryption on a backup vault by using a key from Azure Key Vault. Both Recovery Services vaults and Backup vaults (DPP) are supported. The vault's managed identity must have the Key Vault Crypto Service Encryption User role on the key vault. Use identity-type to specify SystemAssigned or UserAssigned identity. Provide user-assigned-identity-id when you use a user-assigned identity.

Example prompts include:

  • "Configure CMK encryption on vault rsv-prod in resource group rg-backup using key backup-key from key vault https://kv-security-prod.vault.azure.net/ with system-assigned identity."
  • "Set up customer-managed key encryption on vault dpp-vault-west in resource group rg-west with key vault URI https://kv-compliance.vault.azure.net/, key name cmk-backup, and user-assigned identity /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/backup-identity."
  • "Enable CMK encryption on vault rsv-staging in resource group rg-staging using key staging-key version abc123 from https://kv-staging.vault.azure.net/ with vault type rsv."
  • "Configure encryption for vault backup-vault-eus in resource group rg-dr with key vault URI https://kv-dr.vault.azure.net/, key name dr-key, and identity type SystemAssigned."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Key vault URI Required Key Vault URI (for example, https://kv-security-prod.vault.azure.net/).
Key name Required The name of the encryption key in the key vault.
Identity type Required Managed identity type: SystemAssigned, UserAssigned, or None.
Key version Optional Specific key version. Omit to always use the latest version.
User assigned identity ID Optional Resource Manager resource ID of the user-assigned managed identity for Key Vault access. Required when identity type is UserAssigned.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Security: Configure multiuser authorization

This tool configures MUA on a backup vault by linking or unlinking a Resource Guard instance. Provide a Resource Guard ID to enable MUA, which protects critical operations such as disabling soft delete, removing immutability, and stopping protection. These operations require approval from a security admin with permissions on the Resource Guard instance. Omit the Resource Guard ID to disable MUA. Disabling MUA is a protected operation that requires the Backup MUA Operator role on the Resource Guard instance.

Example prompts include:

  • "Enable MUA on vault rsv-prod in resource group rg-backup with Resource Guard ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-security/providers/Microsoft.DataProtection/resourceGuards/myGuard."
  • "Configure multi-user authorization for vault backup-vault-eus in resource group rg-dr by linking Resource Guard /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-compliance/providers/Microsoft.DataProtection/resourceGuards/complianceGuard."
  • "Disable MUA on vault rsv-staging in resource group rg-staging with vault type rsv."
  • "Link Resource Guard to vault dpp-vault-west in resource group rg-west with vault type dpp and Resource Guard ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-guards/providers/Microsoft.DataProtection/resourceGuards/westGuard."
  • "Show available options for azurebackup security configure-mua with vault help-vault in resource group rg-help and --learn."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Resource Guard ID Optional Resource Manager resource ID of the Resource Guard instance to link for MUA (for example, /subscriptions/.../resourceGroups/.../providers/Microsoft.DataProtection/resourceGuards/myGuard).
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Vault: Create backup vault

This tool creates a new backup vault. Specify the vault type as rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). For dpp vaults, the tool enables a system-assigned managed identity by default. The vault can authenticate to protected data sources such as storage accounts, disks, and PostgreSQL flexible servers. You can change the identity type later. After creation, the tool returns the vault details.

Example prompts include:

  • "Create a vault with vault name rsv-vault-prod in resource group rg-prod-backup at location eastus with vault type rsv."
  • "Create a backup vault with vault name dpp-vault-staging in resource group rg-staging at location westus2 and storage type GeoRedundant."
  • "Can you create a vault with vault name vault-eastus-01 in resource group rg-dev at location eastus using SKU Standard?"
  • "Create vault name archive-vault in resource group rg-archive at location centralus with vault type rsv and storage type LocallyRedundant."
  • "Show available options for azurebackup vault create with location eastus, resource group rg-prod-backup, vault name rsv-vault-prod, and --learn."
Parameter Required or optional Description
Location Required The Azure region, for example, eastus or westus2.
Resource group Required The name of the Azure resource group.
Vault name Required The name of the Recovery Services vault or Backup vault.
SKU Optional The vault SKU.
Storage type Optional Storage redundancy: GeoRedundant, LocallyRedundant, or ZoneRedundant.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌

Vault: Get backup vault

This tool retrieves backup vault information. When you specify a vault and a resource group, the tool returns detailed information about that vault, including vault type, location, SKU, and storage redundancy. If you omit those parameters, the tool lists all backup vaults in the subscription, including Recovery Services vaults and Backup vaults (Data Protection Platform). To narrow the list, filter results by vault type rsv or dpp, or by resource group.

Example prompts include:

  • "List all backup vaults in my subscription."
  • "Get details for vault backup-vault-prod in resource group rg-prod."
  • "Show all backup vaults with vault type rsv."
  • "Run azurebackup vault get with --learn to list available subcommands and parameters."
  • "What backup vaults are in resource group rg-test with vault type dpp?"
Parameter Required or optional Description
Vault name Optional The name of the Recovery Services vault or Backup vault.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌

Vault: Update vault settings

This tool updates vault-level settings for a Recovery Services vault or Backup vault. You can change storage redundancy, enable or disable soft delete, configure immutability, and set the managed identity type.

Example prompts include:

  • "Update vault name rsv-main in resource group rg-backup-prod to redundancy ZoneRedundant, soft delete AlwaysOn, and soft delete retention days 30."
  • "Enable identity type SystemAssigned for vault name backup-vault-eus in resource group rg-dr and add tags {"env":"prod","owner":"backup"}."
  • "Set immutability state Locked on vault name rsv-compliance in resource group rg-compliance and specify vault type dpp."
  • "Can you update vault name vault-test in resource group rg-test to identity type None, immutability state Disabled, and redundancy LocallyRedundant?"
  • "Show learn --learn for azurebackup vault update on vault name help-vault in resource group rg-help."
Parameter Required or optional Description
Resource group Required The name of the Azure resource group. This resource group is a logical container for Azure resources.
Vault name Required The name of the Recovery Services vault or Backup vault.
Identity type Optional Managed identity type: SystemAssigned, UserAssigned, or None.
Immutability state Optional Immutability state: Disabled, Enabled, or Locked (irreversible).
Redundancy type Optional Storage redundancy: GeoRedundant, LocallyRedundant, ZoneRedundant, or ReadAccessGeoZoneRedundant.
Soft delete state Optional Soft delete state: AlwaysOn, On, or Off.
Soft delete retention days Optional Soft delete retention period (14 to 180 days).
Tags Optional Resource tags as a JSON key/value object.
Vault type Optional The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted).

Tool annotation hints:

Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌