When you use Azure MCP Server, you can manage Azure Backup resources through natural language prompts by using the Model Context Protocol (MCP). You can create and configure backup vaults, define and update backup policies, and protect and undelete items. You can also manage governance settings like soft delete and immutability, configure multiuser authorization (MUA), and monitor backup jobs and recovery points.
Azure Backup provides cloud-based capabilities for your applications. For more information, see the Azure Backup documentation.
Note
Tool parameters: The Azure MCP Server tools define parameters for data they need to complete tasks. Some of these parameters are specific to each tool and are documented here. Other parameters are global and shared by all tools. For more information, see Tool parameters.
Backup: Get status
This tool checks the backup status of an Azure resource through Azure Backup. It returns information on whether the resource is protected, along with vault and policy details. Use it to verify whether a virtual machine, disk, storage account, or other data source is currently backed up. It requires the Azure Resource Manager resource ID for the data source and the Azure region where the resource exists.
Example prompts include:
- "Is the virtual machine (VM) protected for data source ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/webvm in location eastus?"
- "Check backup status for data source ID /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-backup/providers/Microsoft.Compute/disks/dataDisk1 in location westus2."
- "Get the protection details for data source ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-storage/providers/Microsoft.Storage/storageAccounts/mystorageacct in location centralus."
- "Verify protection for data source ID SAPHanaDatabase;instance;ProdDB in location eastus2."
- "Show available subcommands and parameters for the backup status check for data source ID /subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/rg-app/providers/Microsoft.Web/sites/mywebapp in location eastus with --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Datasource ID | Required | The data source identifier. For VM, FileShare, or DPP workloads, provide the Azure Resource Manager resource ID. For example, /subscriptions/.../virtualMachines/myvm. For Recovery Services vault (RSV) in-guest workloads, such as SQL or SAP HANA, provide the protectable item name returned by protectableitem list. For example, SAPHanaDatabase;instance;dbname. |
| Location | Required | The Azure region. For example, eastus or westus2. |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Disaster recovery: Enable cross-region restore
This tool enables cross-region restore on a geo-redundant storage-enabled backup vault. It activates cross-region restore so that you can recover backups from a secondary region.
Example prompts include:
- "Enable Cross-Region Restore for vault name backup-vault-prod in resource group rg-prod."
- "Enable Cross-Region Restore on Recovery Services vault rsv-backup in resource group rg-disaster with vault type rsv."
- "How do I run enable-crr for vault site-backup in resource group rg-staging using --learn?"
- "Enable CRR for vault dr-vault-east in resource group rg-eus with vault type dpp."
- "Run azurebackup disasterrecovery enable-crr for vault name backupvault01 in resource group rg-apps."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group that contains the vault. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault on Data Protection Platform (DPP). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Governance: List resources without backup policy
This tool scans your subscription and lists Azure resources that aren't protected by any Azure Backup policy. You can filter results by resource type, resource group, or tags. For example, find unprotected resources in the resource group rg-prod, or find unprotected VMs with the tag environment=production.
Example prompts include:
- "Find all resources in my subscription that aren't protected by any backup policy."
- "Find unprotected resources with resource type filter Microsoft.Compute/virtualMachines,Microsoft.Sql/servers."
- "List unprotected resources with tag filter environment=production."
- "Show unprotected resources with resource type filter Microsoft.Storage/storageAccounts and tag filter backup=required."
- "Show available subcommands and parameters using Learn --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource type filter | Optional | Resource types to filter, comma-separated. |
| Tag filter | Optional | Tag-based filter in key=value format (for example, environment=production). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Governance: Configure immutability state
This tool configures the immutability state for a backup vault. Set the state to Disabled, Enabled, or Locked. Warning: Locked is irreversible.
Example prompts include:
- "Set immutability state Enabled for vault name backup-vault in resource group rg-prod."
- "Enable immutability state Locked for vault name rsv-vault-01 in resource group rg-secure."
- "Change immutability state Disabled for vault name dppvault1 in resource group rg-dev."
- "Can you set immutability state Enabled for vault name prod-backup in resource group rg-production with vault type rsv?"
- "Show immutability subcommands with --learn for vault name test-vault in resource group rg-test."
| Parameter | Required or optional | Description |
|---|---|---|
| Immutability state | Required | Immutability state: Disabled, Enabled, or Locked (irreversible). |
| Resource group | Required | The name of the Azure resource group that contains the vault. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Governance: Configure soft delete
This tool configures soft-delete settings for a backup vault. Set the soft-delete state to AlwaysOn, On, or Off. You can optionally specify the soft-delete retention period in days (14 to 180). For example, enable soft delete On with a 30-day retention for the vault contosoBackupVault in the resource group rg-backup.
Example prompts include:
- "Enable soft delete AlwaysOn for vault name backup-vault-prod in resource group rg-prod with soft delete retention days 90."
- "Turn soft delete Off for vault name rsv-main in resource group rg-backups."
- "Can you set soft delete On for vault name dpp-vault in resource group rg-dev with vault type dpp and soft delete retention days 30?"
- "Show me help for soft-delete with resource group rg-tools, vault name backup-vault-test, and soft delete On using --learn."
- "Configure soft delete On for vault name rs-vault-prod in resource group rg-prod and specify vault type rsv."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group that contains the vault. |
| Soft delete | Required | Soft-delete state: AlwaysOn, On, or Off. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Soft delete retention days | Optional | Soft-delete retention period in days. Range: 14 to 180. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
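The immutability and soft-delete tools above both change a vault's protection settings, so a client that lets a model call them can review the arguments first. This added sketch (not Azure MCP Server code) checks the documented values and ranges and holds changes that lower protection or cannot be undone; the tool labels `immutability` and `soft_delete`, the snake_case argument keys, and the exact-case matching are assumptions.

```python
from dataclasses import dataclass, field

# Values and ranges are the ones documented in the two parameter tables above.
IMMUTABILITY_STATES = {"Disabled", "Enabled", "Locked"}
SOFT_DELETE_STATES = {"AlwaysOn", "On", "Off"}
VAULT_TYPES = {"rsv", "dpp"}
RETENTION_MIN, RETENTION_MAX = 14, 180


@dataclass
class Verdict:
    allow: bool                    # False: the call is malformed, do not send it
    needs_approval: bool = False   # True: hold for a human before sending
    reasons: list = field(default_factory=list)


def _whole_days(value):
    """Return value as an int, or None when it is not a whole number."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def review_governance_call(tool: str, args: dict) -> Verdict:
    """Review a proposed immutability or soft-delete call (hypothetical keys)."""
    errors, holds = [], []

    for key in ("resource_group", "vault_name"):
        if not args.get(key):
            errors.append(f"missing required parameter: {key}")

    vault_type = args.get("vault_type")
    if vault_type is not None and vault_type not in VAULT_TYPES:
        errors.append(f"vault type must be rsv or dpp, got {vault_type!r}")

    if tool == "immutability":
        state = args.get("immutability_state")
        if state not in IMMUTABILITY_STATES:
            errors.append(f"invalid immutability state: {state!r}")
        elif state == "Locked":
            holds.append("Locked is irreversible")
        elif state == "Disabled":
            holds.append("Disabled turns vault immutability off")
    elif tool == "soft_delete":
        state = args.get("soft_delete")
        if state not in SOFT_DELETE_STATES:
            errors.append(f"invalid soft-delete state: {state!r}")
        elif state == "Off":
            holds.append("Off turns soft delete off for the vault")
        if "soft_delete_retention_days" in args:
            days = _whole_days(args["soft_delete_retention_days"])
            if days is None or not RETENTION_MIN <= days <= RETENTION_MAX:
                errors.append("soft delete retention days must be 14 to 180")
    else:
        errors.append(f"not a governance tool this check covers: {tool!r}")

    return Verdict(
        allow=not errors,
        needs_approval=bool(holds) and not errors,
        reasons=errors + holds,
    )
```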
Job: Get backup job information
This tool retrieves backup job information from a vault. When you specify the job ID, the tool returns detailed information about that job. The information includes operation type, status, start and end times, error codes, and data source details. When you omit the job ID, the tool lists all backup jobs in the vault.
Example prompts include:
- "List all backup jobs in resource group rg-backup-prod for vault rsv-prod-vault."
- "Get backup job job-9f7c3a2b in resource group rg-backup-prod from vault rsv-prod-vault."
- "What is the status of job d3b2e7f4 in vault backupvault-eus within resource group rg-eus-backup?"
- "Show command options for azurebackup job get in resource group rg-backup-dev for vault dev-backup-vault with --learn."
- "List all backup jobs in resource group rg-dpp-test for vault dpp-test-vault with vault type dpp."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group that contains the vault. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Job ID | Optional | The backup job ID. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Policy: Create backup policy
This tool creates a backup policy for a specified workload type and lets you set schedule and retention rules.
Example prompts include:
- "Create backup policy daily-vm-policy in resource group rg-prod for vault rsv-vault-west with workload type VM."
- "I need a backup policy sql-weekly-policy in resource group rg-db for vault db-backups targeting workload type SQL with daily retention days 30 and schedule time 03:00."
- "Can you create policy aks-backup in resource group rg-aks for vault dpp-aks-vault with workload type AKS and vault type dpp?"
- "Create policy azureblob-monthly in resource group rg-storage for vault blob-backups with workload type AzureBlob and daily retention days 7."
- "Create backup policy flexible-pg-policy in resource group rg-data for vault dpp-data-vault with workload type PostgreSQLFlexible."
| Parameter | Required or optional | Description |
|---|---|---|
| Policy name | Required | The name of the backup policy. |
| Resource group | Required | The name of the Azure resource group, a logical container for related resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Workload type | Required | Workload type: VM, SQL, SAPHANA, SAPASE, AzureFileShare (RSV types) or AzureDisk, AzureBlob, AKS, ElasticSAN, PostgreSQLFlexible, ADLS, CosmosDB (DPP types). Also accepts aliases like AzureVM and SQLDatabase. |
| Archive tier after days | Optional | Move recovery points to the archive tier after specified days. Pair with --archive-tier-mode. |
| Archive tier mode | Optional | Archive tiering mode: TierAfter (always tier after --archive-tier-after-days) or CopyOnExpiry (copy to archive when the recovery point expires). Use --smart-tier for service-recommended tiering. |
| Backup mode | Optional | Backup mode for storage workloads: Continuous (default for AzureBlob, ADLS) or Vaulted (discrete recovery points). DPP AzureBlob, AzureDataLakeStorage. |
| Daily retention days | Optional | Daily recovery point retention in days. Defaults to the data source-specific value if omitted. |
| Differential retention days | Optional | Retention period in days for Differential backups. RSV VmWorkload only. |
| Differential schedule days of week | Optional | Comma-separated days of the week for the Differential backup (for example, Monday,Thursday). RSV VmWorkload only. |
| Enable snapshot backup | Optional | Enable snapshot/instance backups (HANA System Replication snapshot recovery points). RSV SAPHANA only. |
| Enable vault tier copy | Optional | Enable vault-tier copy of operational store backups. DPP AzureDisk only. |
| Full schedule days of week | Optional | Comma-separated days of the week for the Full backup (for example, Sunday). Required when --full-schedule-frequency is Weekly. RSV VmWorkload only. |
| Full schedule frequency | Optional | Full backup schedule frequency for SQL/SAPHANA/SAPASE: Daily or Weekly. RSV VmWorkload only. |
| Hourly interval hours | Optional | Interval in hours between hourly backups. Valid values: 4, 6, 8, 12. Used only when --schedule-frequency is Hourly (RSV). |
| Hourly window duration hours | Optional | Duration of the hourly backup window in hours (for example, 12). Used only when --schedule-frequency is Hourly (RSV). |
| Hourly window start time | Optional | Start time of the hourly backup window in 24h HH:mm format (for example, 08:00). Used only when --schedule-frequency is Hourly (RSV). |
| Incremental retention days | Optional | Retention period in days for Incremental backups. RSV SAPHANA / SAPASE only. |
| Incremental schedule days of week | Optional | Comma-separated days of the week for the Incremental backup. RSV SAPHANA / SAPASE only. |
| Instant recovery-point resource group | Optional | Resource group that hosts the instant recovery point snapshots. RSV VM only. |
| Instant recovery-point retention days | Optional | Instant recovery point retention in days (1 to 30 for Standard, 1 to 7 for Enhanced). RSV VM only. |
| Is compression | Optional | Enable backup compression at the policy level. RSV VmWorkload only. |
| Is SQL compression | Optional | Enable SQL Server on VM native backup compression. RSV SQL only. |
| Log frequency minutes | Optional | Transaction log backup frequency in minutes (for example, 15, 30, 60). RSV VmWorkload only. |
| Log retention days | Optional | Retention period in days for transaction log backups. RSV VmWorkload only. |
| Monthly retention days of month | Optional | Comma-separated days of the month for monthly retention (1 to 28 or Last; for example, 1,15,Last). Absolute scheme. Mutually exclusive with --monthly-retention-week-of-month. |
| Monthly retention days of week | Optional | Comma-separated days of the week for the monthly retention tag (for example, Sunday). Use with --monthly-retention-week-of-month (relative scheme). |
| Monthly retention months | Optional | Number of months to keep monthly recovery points. Combine with either --monthly-retention-days-of-month (absolute) or --monthly-retention-week-of-month + --monthly-retention-days-of-week (relative). |
| Monthly retention week of month | Optional | Which week of the month to tag for monthly retention: First, Second, Third, Fourth, or Last. Use with --monthly-retention-days-of-week (relative scheme). |
| PITR retention days | Optional | Point-in-time restore retention in days for continuous backups. DPP AzureBlob, AzureDataLakeStorage. |
| Policy subtype | Optional | RSV VM policy subtype: Standard or Enhanced. Enhanced is required for hourly schedules and Trusted Launch VMs. RSV VM only. |
| Policy tags | Optional | Resource tags applied to the RSV backup policy as k1=v1,k2=v2. RSV only. |
| Schedule days of week | Optional | Comma-separated days of the week that the backup should run (for example, Monday,Wednesday,Friday). Required for Weekly schedules. |
| Schedule frequency | Optional | Backup schedule frequency. Recovery Services vaults accept Daily, Weekly, or Hourly. Backup vaults accept ISO 8601 intervals: PT4H, PT6H, PT8H, PT12H, P1D, P1W, P2W, or P1M. |
| Schedule time | Optional | Comma-separated list of backup times in 24h HH:mm format (for example, 02:00 or 02:00,14:00). Interpreted in --time-zone. Defaults to 02:00 UTC if not specified. |
| Smart tier | Optional | Enable smart-tiering (machine learning-based archive recommendation). RSV VM only. |
| Snapshot consistency | Optional | Snapshot consistency mode for VM backups: ApplicationConsistent or CrashConsistent. RSV VM only. |
| Snapshot instant recovery-point resource group | Optional | Resource group prefix for snapshot instant recovery points. RSV SAPHANA snapshot only. |
| Snapshot instant recovery-point retention days | Optional | Snapshot instant recovery-point retention range in days. RSV SAPHANA snapshot only. |
| Time zone | Optional | Windows time-zone identifier for the backup schedule (for example, UTC, Pacific Standard Time). If omitted, the schedule runs in UTC. |
| Vault tier copy after days | Optional | Days after which an operational backup is copied to the vault tier. DPP AzureDisk only. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
| Weekly retention days of week | Optional | Comma-separated days of the week tagged for weekly retention (for example, Sunday). Required alongside --weekly-retention-weeks. |
| Weekly retention weeks | Optional | Number of weeks to keep weekly recovery points. Required alongside --weekly-retention-days-of-week. |
| Yearly retention days of month | Optional | Comma-separated days of the selected months for yearly retention (1 to 28 or Last). Absolute scheme. Mutually exclusive with --yearly-retention-week-of-month. |
| Yearly retention days of week | Optional | Comma-separated days of the week for the yearly retention tag (for example, Sunday). Use with --yearly-retention-week-of-month (relative scheme). |
| Yearly retention months | Optional | Comma-separated months tagged for yearly retention (for example, January or January,July). |
| Yearly retention week of month | Optional | Which week of the selected months to tag for yearly retention: First, Second, Third, Fourth, or Last. Use with --yearly-retention-days-of-week (relative scheme). |
| Yearly retention years | Optional | Number of years to keep yearly recovery points. Combine with --yearly-retention-months and either --yearly-retention-days-of-month (absolute) or --yearly-retention-week-of-month + --yearly-retention-days-of-week (relative). |
Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
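Several parameters in this table constrain one another: absolute versus relative retention schemes, paired weekly options, and hourly-only settings. This added sketch, not Azure MCP Server code, checks a proposed parameter set against those stated rules before a create request is sent; the snake_case keys (derived from the table's parameter names) and the function names are assumptions.

```python
# Added sketch: keys are the table's parameter names in snake_case (an assumed
# convention); every rule below is one the parameter table states.
RSV_FREQUENCIES = {"Daily", "Weekly", "Hourly"}
DPP_FREQUENCIES = {"PT4H", "PT6H", "PT8H", "PT12H", "P1D", "P1W", "P2W", "P1M"}
HOURLY_INTERVALS = {4, 6, 8, 12}
WEEKS_OF_MONTH = {"First", "Second", "Third", "Fourth", "Last"}
HOURLY_KEYS = ("hourly_interval_hours", "hourly_window_duration_hours",
               "hourly_window_start_time")


def _days_of_month_ok(value: str) -> bool:
    """Accept comma-separated entries that are 1 to 28 or the word Last."""
    for part in value.split(","):
        part = part.strip()
        if part != "Last" and not (part.isdigit() and 1 <= int(part) <= 28):
            return False
    return True


def _check_scheme(p: dict, prefix: str, count_key: str, out: list) -> None:
    """Monthly or yearly retention: one absolute or one relative scheme."""
    dom = p.get(f"{prefix}_retention_days_of_month")
    wom = p.get(f"{prefix}_retention_week_of_month")
    dow = p.get(f"{prefix}_retention_days_of_week")
    if dom and wom:
        out.append(f"{prefix}: days of month and week of month are mutually exclusive")
    if dom and not _days_of_month_ok(dom):
        out.append(f"{prefix}: days of month must be 1 to 28 or Last")
    if wom and wom not in WEEKS_OF_MONTH:
        out.append(f"{prefix}: week of month must be First, Second, Third, Fourth, or Last")
    if bool(wom) != bool(dow):
        out.append(f"{prefix}: week of month and days of week are used together")
    if p.get(count_key) and not (dom or (wom and dow)):
        out.append(f"{prefix}: {count_key} needs an absolute or a relative scheme")


def check_policy_params(p: dict, vault_type: str) -> list:
    """Return a list of findings; an empty list means no stated rule is broken."""
    if vault_type not in ("rsv", "dpp"):
        return [f"vault type must be rsv or dpp, got {vault_type!r}"]
    out = []

    freq = p.get("schedule_frequency")
    allowed = RSV_FREQUENCIES if vault_type == "rsv" else DPP_FREQUENCIES
    if freq is not None and freq not in allowed:
        out.append(f"schedule frequency {freq!r} is not accepted by a {vault_type} vault")
    if freq == "Weekly" and not p.get("schedule_days_of_week"):
        out.append("Weekly schedule requires schedule days of week")

    if freq == "Hourly":
        if p.get("workload_type") == "VM" and p.get("policy_subtype") != "Enhanced":
            out.append("hourly VM schedules require policy subtype Enhanced")
        if "hourly_interval_hours" in p and p["hourly_interval_hours"] not in HOURLY_INTERVALS:
            out.append("hourly interval hours must be 4, 6, 8, or 12")
    else:
        used = [k for k in HOURLY_KEYS if k in p]
        if used:
            out.append(f"{', '.join(used)} only apply when schedule frequency is Hourly")

    irp = p.get("instant_recovery_point_retention_days")
    if irp is not None:
        limit = 7 if p.get("policy_subtype") == "Enhanced" else 30
        if not (isinstance(irp, int) and 1 <= irp <= limit):
            out.append(f"instant recovery-point retention days must be 1 to {limit}")

    if bool(p.get("weekly_retention_weeks")) != bool(p.get("weekly_retention_days_of_week")):
        out.append("weekly retention weeks and days of week are required together")
    if p.get("full_schedule_frequency") == "Weekly" and not p.get("full_schedule_days_of_week"):
        out.append("Weekly full schedule requires full schedule days of week")

    _check_scheme(p, "monthly", "monthly_retention_months", out)
    _check_scheme(p, "yearly", "yearly_retention_years", out)
    if p.get("yearly_retention_years") and not p.get("yearly_retention_months"):
        out.append("yearly retention years requires yearly retention months")
    return out
```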
Policy: Get policy
This tool retrieves backup policy information. The tool provides detailed information for a single policy when you specify the policy parameter. When you omit the policy parameter, the tool lists all the backup policies configured in the vault.
Example prompts include:
- "List all backup policies in resource group rg-prod for vault backup-vault."
- "Get details of policy DailyBackup in resource group rg-app from vault app-backup."
- "What's the configuration for policy WeeklyRetention in resource group rg-archive on vault archive-vault with vault type rsv?"
- "Show all backup policies in resource group rg-tools for vault tool-vault with --learn."
- "Retrieve full information for policy SQLServerPolicy in resource group rg-databases from vault db-backup, including data source types and protected item counts."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group that contains the vault. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Policy name | Optional | The name of the backup policy. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Policy: Update policy
This tool modifies an existing Recovery Services vault backup policy. You can update the backup schedule time and daily retention days for VM, SQL, SAP HANA, and file share workload policies. The named policy must already exist in the vault.
Example prompts include:
- "Update backup policy daily-vm-policy in resource group rg-prod for vault rsv-vault-west with schedule time 04:00."
- "Change daily retention days to 60 for policy sql-weekly-policy in resource group rg-db on vault db-backups."
- "Update schedule time to 02:00 and daily retention days to 30 for policy fileshare-policy in resource group rg-storage on vault storage-vault."
- "Modify backup policy sap-policy in resource group rg-sap for vault sap-backup-vault with vault type rsv and schedule time 06:00."
- "Show learn options for azurebackup policy update with policy help-policy in resource group rg-help and vault help-vault and --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Policy name | Required | The name of the backup policy. |
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Daily retention days | Optional | Daily recovery point retention in days. Defaults to the data source-specific value if omitted. |
| Schedule time | Optional | Backup time in UTC (for example, 02:00). |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Protectable item: List protectable items
This tool lists items that you can back up (protectable items) in a Recovery Services vault. Examples include SQL databases and SAP HANA databases that the tool discovers on registered VMs. Use the tool to find databases and workloads available for backup protection. This tool supports Recovery Services vaults only. Data Protection Platform data sources use Resource Manager resource IDs for protection. Filter results by workload type, such as SQL or SAP HANA, or by container.
Example prompts include:
- "List all protectable items in resource group rg-prod and vault name rsv-backup-vault."
- "List protectable items with workload type SQL in resource group rg-data and vault name backup-vault-east."
- "Show protectable items in container iaasvmcontainer-01 for resource group rg-prd-backup and vault name rsv-prod-vault."
- "What protectable VMs are available with workload type VM and vault type rsv in resource group rg-staging and vault name staging-backup-vault?"
- "Show command options with --learn for azurebackup protectableitem list in resource group rg-tools and vault name tools-rsv-vault."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Container name | Optional | The Recovery Services vault protection container name. Applies to Recovery Services vaults only. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
| Workload type | Optional | Workload types for Recovery Services vaults include VM, SQL, SAPHANA (SAP HANA), SAPASE, and AzureFileShare. Workload types for DPP include AzureDisk, AzureBlob, AKS (Azure Kubernetes Service), ElasticSAN, PostgreSQLFlexible, ADLS (Azure Data Lake Storage), and CosmosDB. The parameter also accepts aliases like AzureVM and SQLDatabase. |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Protected item: Get information
Retrieves protected item information from a backup vault.
This tool returns detailed information about a single backup instance when you specify the protected item. Details include protection status, data source information, policy assignment, and last backup time. Specify the container for Recovery Services vault items. When you omit the protected item, the tool lists all protected items (backup instances) in the vault.
Example prompts include:
- "List all protected items in resource group rg-prod and vault name rsv-vault."
- "Get protected item vm-prod-01 in container rsv-container-01 for resource group rg-prod and vault name rsv-vault."
- "Retrieve protected item db-backup-2026 from resource group rg-dpp and vault name dpp-vault with vault type dpp."
- "What protected items are in resource group prod-rg and vault name backup-vault?"
- "Show command options for azurebackup protecteditem get in resource group rg-prod and vault name rsv-vault with --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Container name | Optional | The Recovery Services vault protection container name. Applies to Recovery Services vaults only. |
| Protected item | Optional | The name of the protected item or backup instance. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Protected item: Configure backup protection
Configure backup protection for an Azure resource by creating a protected item or a backup instance. This tool protects VMs, disks, file shares, SQL databases, SAP HANA databases, and other supported data sources. For VMs, provide the VM Resource Manager resource ID as Datasource ID. For SQL and SAP HANA workloads, specify the protectable item name as Datasource ID (for example, SAPHanaDatabase;instance;dbname) and specify the Container name. Specify the backup policy with the Policy parameter. The operation runs asynchronously, so monitor the protection job until it finishes.
Example prompts include:
- "Protect data source ID /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/webapp-prod with policy daily-policy in resource group prod-rg and vault backup-vault."
- "Enable protection for data source ID MSSQLDatabase;sqlserver01;salesdb using policy weekly-sql-policy in resource group rg-sql and vault rsv-vault, container sql-container."
- "Create protection for data source ID /subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/resourceGroups/rg-storage/providers/Microsoft.Compute/disks/data-disk1 with policy disk-backup-policy in resource group rg-storage and vault dpp-vault, data source type AzureDisk."
- "Can you protect data source ID SAPHanaDatabase;HANA01;db01 with policy hana-policy in resource group rg-hana and vault rsv-hana and container hana-container?"
- "Start protection for data source ID /subscriptions/9f8b7c6d-1234-4bcd-9e8f-abcdef012345/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/api-staging using policy api-policy in resource group rg-prod and vault backup-vault."
| Parameter | Required or optional | Description |
|---|---|---|
| Datasource ID | Required | The data source identifier. For VMs, disks, and file shares, use the Resource Manager resource ID (for example, '/subscriptions/.../virtualMachines/myvm'). For in-guest workloads protected by a Recovery Services vault, use the protectable item name from the protectable items list (for example, 'SAPHanaDatabase;instance;dbname'). |
| Policy name | Required | The name of the backup policy. |
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the backup vault. Use the Recovery Services vault name for RSV scenarios. |
| AKS excluded namespaces | Optional | Comma-separated list of namespaces to exclude from the AKS backup policy default scope. DPP AKS only. |
| AKS include cluster scope resources | Optional | Include cluster-scoped resources in the AKS backup policy. DPP AKS only. |
| AKS included namespaces | Optional | Comma-separated list of namespaces to include in the AKS backup policy default scope. DPP AKS only. |
| AKS label selectors | Optional | Comma-separated label selectors (for example, app=frontend,tier=web) applied to the AKS backup policy default scope. DPP AKS only. |
| AKS snapshot resource group | Optional | Resource group used to store AKS volume snapshots created by Backup. DPP AKS only. |
| Container name | Optional | The Recovery Services vault protection container name. Applies to Recovery Services vaults only. |
| Datasource type | Optional | The workload type hint. Supported Recovery Services vault types include VM, SQL, SAPHANA, SAPASE, and AzureFileShare. Supported Backup vault (DPP) types include AzureDisk, AzureBlob, AKS, ElasticSAN, PostgreSQLFlexible, ADLS, and CosmosDB. The parameter also accepts common aliases such as AzureVM and SQLDatabase. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere. |
Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Protected item: Restore soft-delete item
This tool restores a soft-deleted backup item to an active protection state. It helps you recover accidentally deleted backups or protected items. For both Recovery Services vaults and Backup vaults, specify the data source Resource Manager resource ID with the datasource-id parameter. Optionally, specify the container parameter for Recovery Services vault workload items such as SQL or SAP HANA. The operation runs asynchronously, and you monitor progress with azurebackup job get.
Example prompts include:
- "Undelete protected item with data source ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/myvm, resource group rg-backups, and vault name rsv-vault-prod."
- "Undelete protected item for data source ID SAPHanaDatabase;instance01;db01 in resource group prod-backups and vault name rsv-vault-prod with container sql-container-01."
- "Please undelete the protected item for data source ID /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-dpp/providers/Microsoft.Storage/storageAccounts/mydata/fileServices/default/shares/backupshare, resource group rg-dpp, and vault name backupvault01."
- "Can you undelete the protected item for data source ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/web-rg/providers/Microsoft.Compute/virtualMachines/webapp-prod in resource group web-rg from vault name rsv-vault-staging?"
- "Undelete protected item with data source ID SAPHanaDatabase;instance02;db02, resource group rg-sql, vault name rsv-vault-eu, and vault type rsv."
| Parameter | Required or optional | Description |
|---|---|---|
| Datasource ID | Required | The data source identifier. For VM, FileShare, or DPP workloads, use the Resource Manager resource ID (for example, '/subscriptions/.../virtualMachines/myvm'). For RSV in-guest workloads (SQL/SAPHANA), use the protectable item name from protectableitem list (for example, 'SAPHanaDatabase;instance;dbname'). |
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Container name | Optional | The protection container name for Recovery Services vaults. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Recovery point: Get recovery point information
This tool retrieves recovery point information for a protected item. When you specify the recovery point, the tool returns detailed information about that recovery point, including time and type. When you omit the recovery point, the tool lists all available recovery points for the protected item.
Example prompts include:
- "List all recovery points for protected item vm-prod-01 in resource group rg-prod-backup and vault name vault-prod."
- "Get recovery point rp-2025-01-15T02:00:00Z for protected item db-backup-02 in resource group rg-db from vault name db-vault with container rsv-container and vault type rsv."
- "What recovery points are available for protected item fileshare01 in resource group rg-files under vault name backup-vault?"
- "Show details for recovery point rp-2026-05-01-08 of protected item appservice-backup in resource group rg-apps and vault name app-vault with vault type dpp."
- "Display the command options using --learn for protected item vm-test in resource group rg-test and vault name test-vault."
| Parameter | Required or optional | Description |
|---|---|---|
| Protected item name | Required | The name of the protected item or backup instance. |
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Container name | Optional | The Recovery Services vault protection container name. Applies to Recovery Services vaults only. |
| Recovery point ID | Optional | The recovery point ID. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Security: Configure encryption
This tool configures customer-managed key (CMK) encryption on a backup vault by using a key from Azure Key Vault. Both Recovery Services vaults and Backup vaults (DPP) are supported. The vault's managed identity must have the Key Vault Crypto Service Encryption User role on the key vault. Use identity-type to specify SystemAssigned or UserAssigned identity. Provide user-assigned-identity-id when you use a user-assigned identity.
Example prompts include:
- "Configure CMK encryption on vault rsv-prod in resource group rg-backup using key backup-key from key vault https://kv-security-prod.vault.azure.net/ with system-assigned identity."
- "Set up customer-managed key encryption on vault dpp-vault-west in resource group rg-west with key vault URI https://kv-compliance.vault.azure.net/, key name cmk-backup, and user-assigned identity /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/backup-identity."
- "Enable CMK encryption on vault rsv-staging in resource group rg-staging using key staging-key version abc123 from https://kv-staging.vault.azure.net/ with vault type rsv."
- "Configure encryption for vault backup-vault-eus in resource group rg-dr with key vault URI https://kv-dr.vault.azure.net/, key name dr-key, and identity type SystemAssigned."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Key vault URI | Required | Key Vault URI (for example, https://kv-security-prod.vault.azure.net/). |
| Key name | Required | The name of the encryption key in the key vault. |
| Identity type | Required | Managed identity type: SystemAssigned, UserAssigned, or None. |
| Key version | Optional | Specific key version. Omit to always use the latest version. |
| User assigned identity ID | Optional | Resource Manager resource ID of the user-assigned managed identity for Key Vault access. Required when identity type is UserAssigned. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Security: Configure multiuser authorization
This tool configures MUA on a backup vault by linking or unlinking a Resource Guard instance. Provide a Resource Guard ID to enable MUA, which protects critical operations such as disabling soft delete, removing immutability, and stopping protection. These operations require approval from a security admin with permissions on the Resource Guard instance. Omit the Resource Guard ID to disable MUA. Disabling MUA is a protected operation that requires the Backup MUA Operator role on the Resource Guard instance.
Example prompts include:
- "Enable MUA on vault rsv-prod in resource group rg-backup with Resource Guard ID /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-security/providers/Microsoft.DataProtection/resourceGuards/myGuard."
- "Configure multi-user authorization for vault backup-vault-eus in resource group rg-dr by linking Resource Guard /subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-compliance/providers/Microsoft.DataProtection/resourceGuards/complianceGuard."
- "Disable MUA on vault rsv-staging in resource group rg-staging with vault type rsv."
- "Link Resource Guard to vault dpp-vault-west in resource group rg-west with vault type dpp and Resource Guard ID /subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups/rg-guards/providers/Microsoft.DataProtection/resourceGuards/westGuard."
- "Show available options for azurebackup security configure-mua with vault help-vault in resource group rg-help and --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Resource Guard ID | Optional | Resource Manager resource ID of the Resource Guard instance to link for MUA (for example, /subscriptions/.../resourceGroups/.../providers/Microsoft.DataProtection/resourceGuards/myGuard). |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Vault: Create backup vault
This tool creates a new backup vault. Specify the vault type as rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). For dpp vaults, the tool enables a system-assigned managed identity by default. The vault can authenticate to protected data sources such as storage accounts, disks, and PostgreSQL flexible servers. You can change the identity type later. After creation, the tool returns the vault details.
Example prompts include:
- "Create a vault with vault name rsv-vault-prod in resource group rg-prod-backup at location eastus with vault type rsv."
- "Create a backup vault with vault name dpp-vault-staging in resource group rg-staging at location westus2 and storage type GeoRedundant."
- "Can you create a vault with vault name vault-eastus-01 in resource group rg-dev at location eastus using SKU Standard?"
- "Create vault name archive-vault in resource group rg-archive at location centralus with vault type rsv and storage type LocallyRedundant."
- "Show available options for azurebackup vault create with location eastus, resource group rg-prod-backup, vault name rsv-vault-prod, and --learn."
| Parameter | Required or optional | Description |
|---|---|---|
| Location | Required | The Azure region, for example, eastus or westus2. |
| Resource group | Required | The name of the Azure resource group. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| SKU | Optional | The vault SKU. |
| Storage type | Optional | Storage redundancy: GeoRedundant, LocallyRedundant, or ZoneRedundant. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ❌ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
Vault: Get backup vault
This tool retrieves backup vault information. When you specify a vault and a resource group, the tool returns detailed information about that vault, including vault type, location, SKU, and storage redundancy. If you omit those parameters, the tool lists all backup vaults in the subscription, including Recovery Services vaults and Backup vaults (Data Protection Platform). To narrow the list, filter results by vault type rsv or dpp, or by resource group.
Example prompts include:
- "List all backup vaults in my subscription."
- "Get details for vault backup-vault-prod in resource group rg-prod."
- "Show all backup vaults with vault type rsv."
- "Run azurebackup vault get with --learn to list available subcommands and parameters."
- "What backup vaults are in resource group rg-test with vault type dpp?"
| Parameter | Required or optional | Description |
|---|---|---|
| Vault name | Optional | The name of the Recovery Services vault or Backup vault. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ❌ | Idempotent: ✅ | Open World: ❌ | Read Only: ✅ | Secret: ❌ | Local Required: ❌
Vault: Update vault settings
This tool updates vault-level settings for a Recovery Services vault or Backup vault. You can change storage redundancy, enable or disable soft delete, configure immutability, and set the managed identity type.
Example prompts include:
- "Update vault name rsv-main in resource group rg-backup-prod to redundancy ZoneRedundant, soft delete AlwaysOn, and soft delete retention days 30."
- "Enable identity type SystemAssigned for vault name backup-vault-eus in resource group rg-dr and add tags {"env":"prod","owner":"backup"}."
- "Set immutability state Locked on vault name rsv-compliance in resource group rg-compliance and specify vault type dpp."
- "Can you update vault name vault-test in resource group rg-test to identity type None, immutability state Disabled, and redundancy LocallyRedundant?"
- "Show learn --learn for azurebackup vault update on vault name help-vault in resource group rg-help."
| Parameter | Required or optional | Description |
|---|---|---|
| Resource group | Required | The name of the Azure resource group. This resource group is a logical container for Azure resources. |
| Vault name | Required | The name of the Recovery Services vault or Backup vault. |
| Identity type | Optional | Managed identity type: SystemAssigned, UserAssigned, or None. |
| Immutability state | Optional | Immutability state: Disabled, Enabled, or Locked (irreversible). |
| Redundancy type | Optional | Storage redundancy: GeoRedundant, LocallyRedundant, ZoneRedundant, or ReadAccessGeoZoneRedundant. |
| Soft delete state | Optional | Soft delete state: AlwaysOn, On, or Off. |
| Soft delete retention days | Optional | Soft delete retention period (14 to 180 days). |
| Tags | Optional | Resource tags as a JSON key/value object. |
| Vault type | Optional | The type of backup vault: rsv for a Recovery Services vault or dpp for a Backup vault (Data Protection Platform). Required when you create a vault, but optional elsewhere (autodetected if omitted). |
Destructive: ✅ | Idempotent: ✅ | Open World: ❌ | Read Only: ❌ | Secret: ❌ | Local Required: ❌
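Because a single prompt can turn off soft delete or change immutability, a pre-flight review of the proposed vault update is useful before an agent runs it. The following is an added example, not code from Azure MCP Server: it checks a proposed call against the values in the table above and flags the changes that the multiuser authorization section names as protected operations. The dictionary keys and the review_vault_update function are assumed names for illustration, not the tool's argument schema.

```python
"""Pre-flight review of a proposed vault-update call (added example)."""

# Allowed values copied from the parameter table above. The dictionary keys
# are assumed names for illustration, not the tool's actual argument schema.
ALLOWED = {
    "soft_delete": {"AlwaysOn", "On", "Off"},
    "immutability_state": {"Disabled", "Enabled", "Locked"},
    "identity_type": {"SystemAssigned", "UserAssigned", "None"},
    "redundancy": {"GeoRedundant", "LocallyRedundant", "ZoneRedundant",
                   "ReadAccessGeoZoneRedundant"},
}
RETENTION_DAYS = range(14, 181)  # 14 to 180 days inclusive

# Valid settings that weaken protection or cannot be undone.
RISKY = {
    ("soft_delete", "Off"): "disables soft delete (protected operation under MUA)",
    ("immutability_state", "Disabled"): "removes immutability (protected operation under MUA)",
    ("immutability_state", "Locked"): "locks immutability; irreversible",
    ("identity_type", "None"): "removes the vault's managed identity",
}


def review_vault_update(args, current=None):
    """Return (errors, warnings): errors reject the call, warnings need sign-off."""
    current = current or {}  # current vault settings, if known
    errors, warnings = [], []
    for key, allowed in ALLOWED.items():
        value = args.get(key)
        if value is None:
            continue  # setting not touched by this call
        if not isinstance(value, str) or value not in allowed:
            errors.append(f"{key}={value!r} is not one of {sorted(allowed)}")
        elif (key, value) in RISKY and current.get(key) != value:
            warnings.append(f"{key}={value}: {RISKY[(key, value)]}")
    days = args.get("soft_delete_retention_days")
    if days is not None:
        if type(days) is not int or days not in RETENTION_DAYS:
            errors.append(f"soft_delete_retention_days={days!r} is outside 14 to 180")
        elif days < current.get("soft_delete_retention_days", days):
            warnings.append(f"soft_delete_retention_days={days}: shortens retention")
    return errors, warnings


if __name__ == "__main__":
    # Constructed call mirroring the vault-test example prompt above.
    proposed = {"identity_type": "None", "immutability_state": "Disabled",
                "redundancy": "LocallyRedundant"}
    for kind, items in zip(("error", "warning"), review_vault_update(proposed)):
        for item in items:
            print(f"{kind}: {item}")
```

Pass the vault's current settings as the second argument to suppress warnings for values that are already in place and to detect a shortened retention period.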