Policy to disable azure subscription owner from disabling MUA on Azure Recovery vault ?

MyAzQuery 166 Reputation points
2022-09-12T15:01:34.687+00:00

As we know from the link , that there are 2 actors - Security admin and Backup Admin for Azure MUA.

To perform critical operations on the Az Recovery vault, the Security admin has to give contributor permissions to Backup Admin...

But now , a subscription Owner or Contributor , can go and remove the MUA option from the Az Recovery vault.

So can we have a Policy to disable azure subscription owner from disabling MUA on Azure Recovery vault ?

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,246 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SadiqhAhmed-MSFT 44,506 Reputation points Microsoft Employee
    2022-09-15T11:30:52.493+00:00

    @MyAzQuery If possible, it is advised that you place the resource guard in another subscription or another tenant to address such scenarios that can help you isolate better.

    Would like to understand the policy requirement better- are you looking for a Deny assignment or something like an Azure Policy with Deny effect?

    If you're wanting to deny using policy for azure subscription owner from disabling MUA. Then this is not possible as of today. Because there is a bit of pre-requisite work needed from our end (making MUA settings accessible by Azure Policy) in order to enable customers to write a deny policy for disabling MUA. This is on our roadmap, and we’ll be able to get back on more details around timelines.

    ----------------------------------------------------------------------------------------------------------------------

    If the response helped, do "Accept Answer" and up-vote it

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.