Configure Multi-user authorization using Resource Guard in Azure Backup

This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Recovery Services vaults.

This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using Azure Active Directory Privileged Identity Management in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup.

This document includes the following sections:

  • Before you start
  • Testing scenarios
  • Create a Resource Guard
  • Enable MUA on a Recovery Services vault
  • Protected operations on a vault using MUA
  • Authorize critical operations on a vault
  • Disable MUA on a Recovery Services vault

Note

Multi-user authorization for Azure Backup is available in all public Azure regions.

Before you start

  • Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
  • Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
  • Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the providers - Microsoft.RecoveryServices and Microsoft.DataProtection . For more information, see Azure resource providers and types.

Learn about various MUA usage scenarios.

Create a Resource Guard

The Security admin creates the Resource Guard. We recommend that you create it in a different subscription or a different tenant as the vault. However, it should be in the same region as the vault. The Backup admin must NOT have contributor access on the Resource Guard or the subscription that contains it.

Choose a client

To create the Resource Guard in a tenant different from the vault tenant, follow these steps:

  1. In the Azure portal, go to the directory under which you want to create the Resource Guard.

    Screenshot showing the portal settings.

  2. Search for Resource Guards in the search bar and select the corresponding item from the drop-down list.

    Screenshot showing resource guards.

    • Select Create to start creating a Resource Guard.
    • In the create blade, fill in the required details for this Resource Guard.
      • Make sure the Resource Guard is in the same Azure regions as the Recovery Services vault.
      • Also, it's helpful to add a description of how to get or request access to perform actions on associated vaults when needed. This description would also appear in the associated vaults to guide the backup admin on getting the required permissions. You can edit the description later if needed, but having a well-defined description at all times is encouraged.
  3. On the Protected operations tab, select the operations you need to protect using this resource guard.

    You can also select the operations for protection after creating the resource guard.

  4. Optionally, add any tags to the Resource Guard as per the requirements

  5. Select Review + Create.

    Follow notifications for status and successful creation of the Resource Guard.

Select operations to protect using Resource Guard

Choose the operations you want to protect using the Resource Guard out of all supported critical operations. By default, all supported critical operations are enabled. However, you (as the security admin) can exempt certain operations from falling under the purview of MUA using Resource Guard.

Choose a client

To exempt operations, follow these steps:

  1. In the Resource Guard created above, go to Properties.

  2. Select Disable for operations that you want to exclude from being authorized using the Resource Guard.

    Note

    You can't disable the protected operations - Disable soft delete and Remove MUA protection.

  3. Optionally, you can also update the description for the Resource Guard using this blade.

  4. Select Save.

    Screenshot showing demo resource guard properties.

Assign permissions to the Backup admin on the Resource Guard to enable MUA

To enable MUA on a vault, the admin of the vault must have Reader role on the Resource Guard or subscription containing the Resource Guard. To assign the Reader role on the Resource Guard:

  1. In the Resource Guard created above, go to the Access Control (IAM) blade, and then go to Add role assignment.

    Screenshot showing demo resource guard-access control.

  2. Select Reader from the list of built-in roles and select Next on the bottom of the screen.

    Screenshot showing demo resource guard-add role assignment.

  3. Click Select members and add the Backup admin’s email ID to add them as the Reader. As the Backup admin is in another tenant in this case, they'll be added as guests to the tenant containing the Resource Guard.

  4. Click Select and then proceed to Review + assign to complete the role assignment.

    Screenshot showing demo resource guard-select members.

Enable MUA on a Recovery Services vault

After the Reader role assignment on the Resource Guard is complete, enable multi-user authorization on vaults (as the Backup admin) that you manage.

Choose a client

To enable MUA on the vaults, follow these steps.

  1. Go to the Recovery Services vault. Go to Properties on the left navigation panel, then to Multi-User Authorization and click Update.

    Screenshot showing the Recovery services vault properties.

  2. Now, you're presented with the option to enable MUA and choose a Resource Guard using one of the following ways:

    1. You can either specify the URI of the Resource Guard, make sure you specify the URI of a Resource Guard you have Reader access to and that is the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard in its Overview screen:

      Screenshot showing the Resource Guard.

    2. Or, you can select the Resource Guard from the list of Resource Guards you have Reader access to, and those available in the region.

      1. Click Select Resource Guard
      2. Click on the dropdown and select the directory the Resource Guard is in.
      3. Click Authenticate to validate your identity and access.
      4. After authentication, choose the Resource Guard from the list displayed.

      Screenshot showing multi-user authorization.

  3. Select Save once done to enable MUA.

    Screenshot showing how to enable Multi-user authentication.

Protected operations using MUA

Once you have enabled MUA, the operations in scope will be restricted on the vault, if the Backup admin tries to perform them without having the required role (that is, Contributor role) on the Resource Guard.

Note

We highly recommend that you test your setup after enabling MUA to ensure that protected operations are blocked as expected and to ensure that MUA is correctly configured.

Depicted below is an illustration of what happens when the Backup admin tries to perform such a protected operation (For example, disabling soft delete is depicted here. Other protected operations have a similar experience). The following steps are performed by a Backup admin without required permissions.

  1. To disable soft delete, go to the Recovery Services vault > Properties > Security Settings and select Update, which brings up the Security Settings.

  2. Disable the soft delete using the slider. You're informed that this is a protected operation, and you need to verify their access to the Resource Guard.

  3. Select the directory containing the Resource Guard and Authenticate yourself. This step may not be required if the Resource Guard is in the same directory as the vault.

  4. Proceed to select Save. The request fails with an error informing them about not having sufficient permissions on the Resource Guard to let you perform this operation.

    Screenshot showing the Test Vault properties security settings.

Authorize critical (protected) operations using Azure AD Privileged Identity Management

The following sections discuss authorizing these requests using PIM. There are cases where you may need to perform critical operations on your backups and MUA can help you ensure that these are performed only when the right approvals or permissions exist. As discussed earlier, the Backup admin needs to have a Contributor role on the Resource Guard to perform critical operations that are in the Resource Guard scope. One of the ways to allow just-in-time for such operations is through the use of Azure Active Directory (Azure AD) Privileged Identity Management.

Note

Though using Azure AD PIM is the recommended approach, you can use manual or custom methods to manage access for the Backup admin on the Resource Guard. For managing access to the Resource Guard manually, use the ‘Access control (IAM)’ setting on the left navigation bar of the Resource Guard and grant the Contributor role to the Backup admin.

Create an eligible assignment for the Backup admin (if using Azure AD Privileged Identity Management)

The Security admin can use PIM to create an eligible assignment for the Backup admin as a Contributor to the Resource Guard. This enables the Backup admin to raise a request (for the Contributor role) when they need to perform a protected operation. To do so, the security admin performs the following:

  1. In the security tenant (which contains the Resource Guard), go to Privileged Identity Management (search for this in the search bar in the Azure portal) and then go to Azure Resources (under Manage on the left menu).

  2. Select the resource (the Resource Guard or the containing subscription/RG) to which you want to assign the Contributor role.

    If you don’t see the corresponding resource in the list of resources, ensure you add the containing subscription to be managed by PIM.

  3. In the selected resource, go to Assignments (under Manage on the left menu) and go to Add assignments.

    Screenshot showing how to add assignments.

  4. In the Add assignments:

    1. Select the role as Contributor.
    2. Go to Select members and add the username (or email IDs) of the Backup admin.
    3. Select Next.

    Screenshot showing how to add assignments-membership.

  5. In the next screen:

    1. Under assignment type, choose Eligible.
    2. Specify the duration for which the eligible permission is valid.
    3. Select Assign to finish creating the eligible assignment.

    Screenshot showing how to add assignments-setting.

Set up approvers for activating Contributor role

By default, the setup above may not have an approver (and an approval flow requirement) configured in PIM. To ensure that approvers are required for allowing only authorized requests to go through, the security admin must perform the following steps.

Note

If this isn't configured, any requests will be automatically approved without going through the security admins or a designated approver’s review. More details on this can be found here

  1. In Azure AD PIM, select Azure Resources on the left navigation bar and select your Resource Guard.

  2. Go to Settings and then go to the Contributor role.

    Screenshot showing how to add contributor.

  3. If the setting named Approvers shows None or displays incorrect approvers, select Edit to add the reviewers who would need to review and approve the activation request for the Contributor role.

  4. On the Activation tab, select Require approval to activate and add the approver(s) who need to approve each request. You can also select other security options like using MFA and mandating ticket options to activate the Contributor role. Optionally, select relevant settings on the Assignment and Notification tabs as per your requirements.

    Screenshot showing how to edit role setting.

  5. Select Update once done.

Request activation of an eligible assignment to perform critical operations

After the security admin creates an eligible assignment, the Backup admin needs to activate the assignment for the Contributor role to be able to perform protected actions. The following actions are performed by the Backup admin to activate the role assignment.

  1. Go to Azure AD Privileged Identity Management. If the Resource Guard is in another directory, switch to that directory and then go to Azure AD Privileged Identity Management.

  2. Go to My roles > Azure resources on the left menu.

  3. The Backup admin can see an Eligible assignment for the contributor role. Select Activate to activate it.

  4. The Backup admin is informed via portal notification that the request is sent for approval.

    Screenshot showing to activate eligible assignments.

Approve activation of requests to perform critical operations

Once the Backup admin raises a request for activating the Contributor role, the request is to be reviewed and approved by the security admin.

  1. In the security tenant, go to Azure AD Privileged Identity Management.
  2. Go to Approve Requests.
  3. Under Azure resources, the request raised by the Backup admin requesting activation as a Contributor can be seen.
  4. Review the request. If genuine, select the request and select Approve to approve it.
  5. The Backup admin is informed by email (or other organizational alerting mechanisms) that their request is now approved.
  6. Once approved, the Backup admin can perform protected operations for the requested period.

Performing a protected operation after approval

Once the Backup admin’s request for the Contributor role on the Resource Guard is approved, they can perform protected operations on the associated vault. If the Resource Guard is in another directory, the Backup admin would need to authenticate themselves.

Note

If the access was assigned using a JIT mechanism, the Contributor role is retracted at the end of the approved period. Else, the Security admin manually removes the Contributor role assigned to the Backup admin to perform the critical operation.

The following screenshot shows an example of disabling soft delete for an MUA-enabled vault.

Screenshot showing to disable soft delete.

Disable MUA on a Recovery Services vault

Disabling MUA is a protected operation, so, so, vaults are protected using MUA. If you (the Backup admin) want to disable MUA, you must have the required Contributor role in the Resource Guard.

Choose a client

To disable MUA on a vault, follow these steps:

  1. The Backup admin requests the Security admin for Contributor role on the Resource Guard. They can request this to use the methods approved by the organization such as JIT procedures, like Azure AD Privileged Identity Management, or other internal tools and procedures.

  2. The Security admin approves the request (if they find it worthy of being approved) and informs the Backup admin. Now the Backup admin has the ‘Contributor’ role on the Resource Guard.

  3. The Backup admin goes to the vault > Properties > Multi-user Authorization.

  4. Select Update.

    1. Clear the Protect with Resource Guard checkbox.
    2. Choose the Directory that contains the Resource Guard and verify access using the Authenticate button (if applicable).
    3. After authentication, select Save. With the right access, the request should be successfully completed.

    Screenshot showing to disable multi-user authentication.

The tenant ID is required if the resource guard exists in a different tenant.

Example:

az backup vault resource-guard-mapping delete --resource-group RgName --name VaultName

This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Backup vault (preview).

Note

Multi-user authorization using Resource Guard for Backup vault is in preview.

This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using Azure Active Directory Privileged Identity Management in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup.

This document includes the following sections:

  • Before you start
  • Testing scenarios
  • Create a Resource Guard
  • Enable MUA on a Backup vault
  • Protected operations on a vault using MUA
  • Authorize critical operations on a vault
  • Disable MUA on a Backup vault

Note

Multi-user authorization for Azure Backup is available in all public Azure regions.

Before you start

  • Ensure the Resource Guard and the Backup vault are in the same Azure region.
  • Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
  • Ensure that your subscriptions contain the Backup vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the provider - Microsoft.DataProtection4. For more information, see Azure resource providers and types.

Learn about various MUA usage scenarios.

Create a Resource Guard

The Security admin creates the Resource Guard. We recommend that you create it in a different subscription or a different tenant as the vault. However, it should be in the same region as the vault.

The Backup admin must NOT have contributor access on the Resource Guard or the subscription that contains it.

To create the Resource Guard in a tenant different from the vault tenant as a Security admin, follow these steps:

  1. In the Azure portal, go to the directory under which you want to create the Resource Guard.

    Screenshot showing the portal settings to configure for Backup vault.

  2. Search for Resource Guards in the search bar and select the corresponding item from the drop-down list.

    Screenshot showing resource guards for Backup vault.

    1. Select Create to create a Resource Guard.
    2. In the Create blade, fill in the required details for this Resource Guard.
      • Ensure that the Resource Guard is in the same Azure regions as the Backup vault.
      • Add a description on how to request access to perform actions on associated vaults when needed. This description appears in the associated vaults to guide the Backup admin on how to get the required permissions.
  3. On the Protected operations tab, select the operations you need to protect using this resource guard under the Backup vault tab.

    Currently, the Protected operations tab includes only the Delete backup instance option to disable.

    You can also select the operations for protection after creating the resource guard.

    Screenshot showing how to select operations for protecting using Resource Guard.

  4. Optionally, add any tags to the Resource Guard as per the requirements.

  5. Select Review + Create and then follow the notifications to monitor the status and a successful creation of the Resource Guard.

Select operations to protect using Resource Guard

After vault creation, the Security admin can also choose the operations for protection using the Resource Guard among all supported critical operations. By default, all supported critical operations are enabled. However, the Security admin can exempt certain operations from falling under the purview of MUA using Resource Guard.

To select the operations for protection, follow these steps:

  1. In the Resource Guard that you've created, go to Properties > Backup vault tab.

  2. Select Disable for the operations that you want to exclude from being authorized.

    You can't disable the Remove MUA protection operation.

  3. Optionally, in the Backup vaults tab, update the description for the Resource Guard.

  4. Select Save.

    Screenshot showing demo resource guard properties for Backup vault.

Assign permissions to the Backup admin on the Resource Guard to enable MUA

The Backup admin must have Reader role on the Resource Guard or subscription that contains the Resource Guard to enable MUA on a vault. The Security admin needs to assign this role to the Backup admin.

To assign the Reader role on the Resource Guard, follow these steps:

  1. In the Resource Guard created above, go to the Access Control (IAM) blade, and then go to Add role assignment.

    Screenshot showing demo resource guard-access control for Backup vault.

  2. Select Reader from the list of built-in roles and select Next on the bottom of the screen.

    Screenshot showing demo resource guard-add role assignment for Backup vault.

  3. Click Select members and add the Backup admin's email ID to assign the Reader role.

    As the Backup admins are in another tenant, they'll be added as guests to the tenant that contains the Resource Guard.

  4. Click Select > Review + assign to complete the role assignment.

    Screenshot showing demo resource guard-select members to protect the backup items in Backup vault.

Enable MUA on a Backup vault

Once the Backup admin has the Reader role on the Resource Guard, they can enable multi-user authorization on vaults managed by following these steps:

  1. Go to the Backup vault for which you want to configure MUA.

  2. On the left panel, select Properties.

  3. Go to Multi-User Authorization and select Update.

    Screenshot showing the Backup vault properties.

  4. To enable MUA and choose a Resource Guard, perform one of the following actions:

    • You can either specify the URI of the Resource Guard. Ensure that you specify the URI of a Resource Guard you have Reader access to and it's in the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard on its Overview page.

      Screenshot showing the Resource Guard for Backup vault protection.

    • Or, you can select the Resource Guard from the list of Resource Guards you have Reader access to, and those available in the region.

      1. Click Select Resource Guard.
      2. Select the drop-down and select the directory the Resource Guard is in.
      3. Select Authenticate to validate your identity and access.
      4. After authentication, choose the Resource Guard from the list displayed.

      Screenshot showing multi-user authorization enabled on Backup vault.

  5. Select Save to enable MUA.

    Screenshot showing how to enable Multi-user authentication.

Protected operations using MUA

Once the Backup admin enables MUA, the operations in scope will be restricted on the vault, and the operations fail if the Backup admin tries to perform them without having the Contributor role on the Resource Guard.

Note

We highly recommend you to test your setup after enabling MUA to ensure that:

  • Protected operations are blocked as expected.
  • MUA is correctly configured.

To perform a protected operation (disabling MUA), follow these steps:

  1. Go to the vault > Properties in the left pane.

  2. Clear the checkbox to disable MUA.

    You'll receive a notification that it's a protected operation, and you need to have access to the Resource Guard.

  3. Select the directory containing the Resource Guard and authenticate yourself.

    This step may not be required if the Resource Guard is in the same directory as the vault.

  4. Select Save.

    The request fails with an error that you don't have sufficient permissions on the Resource Guard to perform this operation.

    Screenshot showing the test Backup vault properties security settings.

Authorize critical (protected) operations using Azure AD Privileged Identity Management

There are scenarios where you may need to perform critical operations on your backups and you can perform them with the right approvals or permissions with MUA. The following sections explain on how to authorize the critical operation requests using Privileged Identity Management (PIM).

The Backup admin must have a Contributor role on the Resource Guard to perform critical operations in the Resource Guard scope. One of the ways to allow just-in-time (JIT) operations is through the use of Azure Active Directory (Azure AD) Privileged Identity Management.

Note

We recommend to use the Azure AD PIM. However, you can also use manual or custom methods to manage access for the Backup admin on the Resource Guard. To manually manage access to the Resource Guard, use the Access control (IAM) setting on the left pane of the Resource Guard and grant the Contributor role to the Backup admin.

Create an eligible assignment for the Backup admin using Azure AD Privileged Identity Management

The Security admin can use PIM to create an eligible assignment for the Backup admin as a Contributor to the Resource Guard. This enables the Backup admin to raise a request (for the Contributor role) when they need to perform a protected operation.

To create an eligible assignment, follow the steps:

  1. Sign into the Azure portal.

  2. Go to security tenant of Resource Guard, and in the search, enter Privileged Identity Management.

  3. In the left pane, select Manage and go to Azure Resources.

  4. Select the resource (the Resource Guard or the containing subscription/RG) to which you want to assign the Contributor role.

    If you don't find any corresponding resources, then add the containing subscription that is managed by PIM.

  5. Select the resource and go to Manage > Assignments > Add assignments.

    Screenshot showing how to add assignments to protect a Backup vault.

  6. In the Add assignments:

    1. Select the role as Contributor.
    2. Go to Select members and add the username (or email IDs) of the Backup admin.
    3. Select Next.

    Screenshot showing how to add assignments-membership to protect a Backup vault.

  7. In Assignment, select Eligible and specify the validity of the duration of eligible permission.

  8. Select Assign to complete creating the eligible assignment.

    Screenshot showing how to add assignments-setting to protect a Backup vault.

Set up approvers for activating Contributor role

By default, the above setup may not have an approver (and an approval flow requirement) configured in PIM. To ensure that approvers have the Contributor role for request approval, the Security admin must follow these steps:

Note

If the approver setup isn't configured, the requests are automatically approved without going through the Security admins or a designated approver’s review. Learn more.

  1. In Azure AD PIM, select Azure Resources on the left pane and select your Resource Guard.

  2. Go to Settings > Contributor role.

    Screenshot showing how to add a contributor.

  3. Select Edit to add the reviewers who must review and approve the activation request for the Contributor role in case you find that Approvers show None or displays incorrect approvers.

  4. On the Activation tab, select Require approval to activate to add the approver(s) who must approve each request.

  5. Select security options, such as Multi Factor Authentication (MFA), Mandating ticket. to activate Contributor role.

  6. Select the appropriate options on Assignment and Notification tabs as per your requirement.

    Screenshot showing how to edit the role setting.

  7. Select Update to complete the set-up of approvers to activate Contributor role.

Request activation of an eligible assignment to perform critical operations

After the Security admin creates an eligible assignment, the Backup admin needs to activate the role assignment for the Contributor role to perform protected actions.

To activate the role assignment, follow the steps:

  1. Go to Azure AD Privileged Identity Management. If the Resource Guard is in another directory, switch to that directory and then go to Azure AD Privileged Identity Management.

  2. Go to My roles > Azure resources in the left pane.

  3. Select Activate to activate the eligible assignment for Contributor role.

    A notification appears notifying that the request is sent for approval.

    Screenshot showing how to activate eligible assignments.

Approve activation requests to perform critical operations

Once the Backup admin raises a request for activating the Contributor role, the Security admin must review and approve the request.

To review and approve the request, follow these steps:

  1. In the security tenant, go to Azure AD Privileged Identity Management..

  2. Go to Approve Requests.

  3. Under Azure resources, you can see the request awaiting approval.

    Select Approve to review and approve the genuine request.

After the approval, the Backup admin receives a notification, via email or other internal alerting options, that the request is approved. Now, the Backup admin can perform the protected operations for the requested period.

Perform a protected operation after approval

Once the Security admin approves the Backup admin's request for the Contributor role on the Resource Guard, they can perform protected operations on the associated vault. If the Resource Guard is in another directory, the Backup admin must authenticate themselves.

Note

If the access was assigned using a JIT mechanism, the Contributor role is retracted at the end of the approved period. Otherwise, the Security admin manually removes the Contributor role assigned to the Backup admin to perform the critical operation.

The following screenshot shows an example of disabling soft delete for an MUA-enabled vault.

Screenshot showing to disable soft delete for an MUA enabled vault.

Disable MUA on a Backup vault

Disabling the MUA is a protected operation that must be done by the Backup admin only. To do this, the Backup admin must have the required Contributor role in the Resource Guard. To obtain this permission, the Backup admin must first request the Security admin for the Contributor role on the Resource Guard using the just-in-time (JIT) procedure, such as Azure Active Directory (Azure AD) Privileged Identity Management or internal tools.

Then the Security admin approves the request if it's genuine and updates the Backup admin who now has Contributor role on the Resource guard. Learn more on how to get this role.

To disable the MUA, the Backup admins must follow these steps:

  1. Go to vault > Properties > Multi-user Authorization.

  2. Select Update and clear the Protect with Resource Guard checkbox.

  3. Select Authenticate (if applicable) to choose the Directory that contains the Resource Guard and verify access.

  4. Select Save to complete the process of disabling the MUA.

    Screenshot showing how to disable multi-user authorization.

Next steps

Learn more about Multi-user authorization using Resource Guard.