Tutorial: Create a Resource Guard and enable Multi-user authorization in Azure Backup

This tutorial describes how to create a Resource Guard and enable Multi-user authorization (MUA) on a Recovery Services vault and Backup vault. This adds an additional layer of protection to critical operations on your vaults.


  • Multi-user authorization is now generally available for both Recovery Services vaults and Backup vaults.
  • Multi-user authorization for Azure Backup is available in all public Azure regions.

Learn about MUA concepts.


Before you start:

Choose a vault

  • Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
  • Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
  • Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the Microsoft.RecoveryServices provider. For more details, see Azure resource providers and types.

Learn about various MUA usage scenarios.

Create a Resource Guard

The Security admin creates the Resource Guard. We recommend that you create it in a different subscription or a different tenant as the vault. However, it should be in the same region as the vault.


The Backup admin must NOT have contributor access on the Resource Guard or the subscription that contains it.

Choose a vault

To create the Resource Guard in a tenant different from the vault tenant as a Security admin, follow these steps:

  1. In the Azure portal, go to the directory under which you wish to create the Resource Guard.

  2. Search for Resource Guards in the search bar and select the corresponding item from the drop-down.

    1. Select Create to start creating a Resource Guard.
    2. In the Create blade, fill in the required details for this Resource Guard.
      • Make sure the Resource Guard is in the same Azure regions as the Recovery Services vault.
      • Also, it is helpful to add a description of how to get or request access to perform actions on associated vaults when needed. This description would also appear in the associated vaults to guide the backup admin on getting the required permissions. You can edit the description later if needed, but having a well-defined description at all times is encouraged.
  3. On the Protected operations tab, select the operations you need to protect using this resource guard.

    You can also select the operations to be protected after creating the resource guard.

  4. Optionally, add any tags to the Resource Guard as per the requirements

  5. Select Review + Create and then follow notifications for status and successful creation of the Resource Guard.

Select operations to protect using Resource Guard

After vault creation, the Security admin can also choose the operations for protection using the Resource Guard among all supported critical operations. By default, all supported critical operations are enabled. However, the Security admin can exempt certain operations from falling under the purview of MUA using Resource Guard.

Choose a vault

To select the operations for protection, follow these steps:

  1. In the Resource Guard created above, go to Properties > Recovery Services vault tab.

  2. Select Disable for operations that you wish to exclude from being authorized using the Resource Guard.


    The operations Disable soft delete and Remove MUA protection cannot be disabled.

  3. Optionally, you can also update the description for the Resource Guard using this blade.

  4. Select Save.

Assign permissions to the Backup admin on the Resource Guard to enable MUA

The Backup admin must have Reader role on the Resource Guard or subscription that contains the Resource Guard to enable MUA on a vault. The Security admin needs to assign this role to the Backup admin.

Choose a vault

To assign the Reader role on the Resource Guard, follow these steps:

  1. In the Resource Guard created above, go to the Access Control (IAM) blade, and then go to Add role assignment.
  2. Select Reader from the list of built-in roles and select Next.
  3. Click Select members and add the Backup admin’s email ID to add them as the Reader. Since the Backup admin is in another tenant in this case, they will be added as guests to the tenant containing the Resource Guard.
  4. Click Select and then proceed to Review + assign to complete the role assignment.

Enable MUA on a vault

Once the Backup admin has the Reader role on the Resource Guard, they can enable multi-user authorization on vaults managed by following these steps:

Choose a vault

  1. Go to the Recovery Services vault.

  2. Go to Properties > Multi-User Authorization, and then select Update.

  3. Now you are presented with the option to enable MUA and choose a Resource Guard using one of the following ways:

    1. You can either specify the URI of the Resource Guard, make sure you specify the URI of a Resource Guard you have Reader access to and that is the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard in its Overview screen:

    2. Or you can select the Resource Guard from the list of Resource Guards you have Reader access to, and those available in the region.

      1. Click Select Resource Guard
      2. Select the dropdown list and choose the directory the Resource Guard is in.
      3. Select Authenticate to validate your identity and access.
      4. After authentication, choose the Resource Guard from the list displayed.
  4. Select Save to enable MUA.

Next steps