Edit

Quickstart: Enable protection using Multi-user authorization in Azure Backup

  • Article

This quickstart describes how to enable Multi-user authorization (MUA) for Azure Backup.

Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization.

Note

MUA is now generally available for both Recovery Services vaults and Backup vaults.

Learn about MUA concepts.

Prerequisites

Before you start:

Choose a vault

  • Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
  • Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
  • Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the Microsoft.RecoveryServices provider. For more details, see Azure resource providers and types.
  • Ensure that you create a Resource Guard in a different subsctiption/tenant as that of the vault located in the same region.
  • Ensure to assign permissions to the Backup admin on the Resource Guard to enable MUA.

Enable MUA

Once the Backup admin has the Reader role on the Resource Guard, they can enable multi-user authorization on vaults managed by following these steps:

Choose a vault

  1. Go to the Recovery Services vault for which you want to configure MUA.

  2. On the left pane, select Properties.

  3. Go to Multi-User Authorization and select Update.

  4. To enable MUA and choose a Resource Guard, perform one of the following actions:

    • You can either specify the URI of the Resource Guard, make sure you specify the URI of a Resource Guard you have Reader access to and that is the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard in its Overview screen:

    • Or, you can select the Resource Guard from the list of Resource Guards you have Reader access to, and those available in the region.

      1. Click Select Resource Guard
      2. Select the dropdown list and choose the directory the Resource Guard is in.
      3. Select Authenticate to validate your identity and access.
      4. After authentication, choose the Resource Guard from the list displayed.

  5. Select Save to enable MUA.

Next steps