CMK encryption on existing Azure Recovery Vault and Deny policies on ARV

Sanin Joseph 1 Reputation point
2022-11-09T23:36:56.8+00:00

At University we use Azure Recovery Vaults for storing backups.
We at the university are currently checking our resilience to attacks and are seeking confirmation of the observations below.

• Once a backup exists in a vault, the vault and the backups in the vault cannot be encrypted using CMK.
• The backup in the vault cannot be modified, once written to the vault.
• With the Soft Delete feature enabled any backups that are deleted can be recovered within 14 days.

Aside from this, we are also considering setting up a policy to deny the following at the resource level.

a. Microsoft.RecoveryServices/Vaults/delete
b. microsoft.recoveryservices/Vaults/backupPolicies/delete
c. microsoft.recoveryservices/Vaults/backupconfig/write
d. microsoft.recoveryservices/Vaults/backupFabrics/protectionContainers/protectedItems/delete

How can we achieve such a DENY policy using Azure Policy, or some other mechanism?

We are aware of a custom RBAC permissions model, e.g., a custom Contributor role, but this will have a longer implementation timeline.
Right now, we are working on a tactical solution to address the need until Immutable Backups get rolled out in the Australia region.


1 answer

  1. Luke Murray 10,526 Reputation points MVP
    2023-01-17T08:49:13.83+00:00

    Hi Sanin,

    Q. Once a backup exists in a vault, the vault and the backups in the vault cannot be encrypted using CMK.

    A. "This feature allows you to encrypt new Recovery Services vaults only. Any vaults containing existing items registered or attempted to be registered to it aren't supported."

    https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal

    Q. The backup in the vault cannot be modified, once written to the vault.

    A. Correct, this is offline.

    https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices

    Q. With the Soft Delete feature enabled any backups that are deleted can be recovered within 14 days.

    A. Correct, Soft Delete will allow restore of backup jobs.

    For immutable vault, this is currently in PREVIEW in Australia East.


    In regard to Azure Policy, the DenyAction policy effect is also in Public Preview: https://techcommunity.microsoft.com/t5/azure-paas-blog/quickstart-denyaction-effect-in-azure-policy/ba-p/3705112

    I propose you take a look at Resource Guard - MFA for Azure Backups - https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault

    Resource Guard will allow you to set specific users, approvals and restrictions and, if needed, prompt for MFA before any operations such as deleting a backup point.

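As an added illustration of the DenyAction approach mentioned in the answer (this is not code from the question, the answer, or Microsoft's documentation), the following is a custom policy definition body that applies the denyAction effect to the delete operations in the question's list, items a, b and d. The resource types are the ones the question names; the displayName and description are constructed, the "cascadeBehaviors" setting also blocks deletes that would cascade from deleting the containing resource group, and it is an assumption to verify in your own tenant that Policy intercepts deletes of the two child resource types the same way it does for the vault itself.

```json
{
  "properties": {
    "displayName": "Deny deletion of Recovery Services vaults, backup policies and protected items (constructed example)",
    "mode": "All",
    "description": "Applies the denyAction effect to DELETE on the listed Recovery Services resource types, including deletes cascading from a resource group delete. denyAction covers delete only; item c (backupconfig/write) is a write and needs a separate definition using the ordinary deny effect.",
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults/backupPolicies"
          },
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems"
          }
        ]
      },
      "then": {
        "effect": "denyAction",
        "details": {
          "actionNames": [
            "delete"
          ],
          "cascadeBehaviors": {
            "resourceGroup": "deny"
          }
        }
      }
    }
  }
}
```

Assign the definition at the subscription or resource-group scope that contains the vaults, and test it against a disposable vault first, since a denyAction assignment also blocks deletion of the resource group holding the vault.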