Introduction
In this blog post, I want to talk about MUA with Resource Guard. Well, what is MUA and how does it help me protect Azure Backup?
Multi-user authorization (MUA) for Azure Backup allows companies to add an additional layer of protection to critical operations on their Recovery Services vaults and Backup Vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization.
The following table lists the operations defined as critical operations and is protected by a Resource Guard.
| Operation | Mandatory/ Optional |
| Disable soft delete | Mandatory |
| Disable MUA protection | Mandatory |
| Modify backup policy (reduced retention) | Optional |
| Modify protection (reduced retention) | Optional |
| Stop protection with delete data | Optional |
| Change MARS security PIN | Optional |
To help understand how it works, the following is a diagram representing the operation flow for performing a critical operation on a vault that has MUA configured using a Resource Guard.
To perform a protected operation on the Vaults, the user/personnel will require the Contributor role on the Resource Guard resource.
In terms of the usage scenario for MUA and Resource Guard, you have 3 options to choose from.
| Usage scenario | Protection due to MUA | Ease of implementation | Notes |
| Vault and Resource Guard are in the same subscription. The Backup admin doesn’t have access to the Resource Guard. | Least isolation between the Backup admin and the Security admin. | Relatively easy to implement since only one subscription is required. | Resource level permissions/ roles need to be ensured are correctly assigned. |
| Vault and Resource Guard are in different subscriptions but the same tenant. The Backup admin doesn’t have access to the Resource Guard or the corresponding subscription. | Medium isolation between the Backup admin and the Security admin. | Relatively medium ease of implementation since two subscriptions (but a single tenant) are required. | Ensure that permissions/ roles are correctly assigned for the resource or the subscription. |
| Vault and Resource Guard are in different tenants. The Backup admin doesn’t have access to the Resource Guard, the corresponding subscription, or the corresponding tenant. | Maximum isolation between the Backup admin and the Security admin, hence, maximum security. | Relatively difficult to test since requires two tenants or directories to test. | Ensure that permissions/ roles are correctly assigned for the resource, the subscription or the directory. |
For the example of this blog post, I will use ‘Vault and Resource Guard are in different subscriptions but the same tenant‘. This would be the most common usage scenario I would see for using MUA with Resource Guard. Ideally a new subscription is created specifically for Resource Guard!
What I do like about this scenario and configuration is that we can separate out the subscription from a Management Group Hierarchy (if applicable), so the likes of access control that would usually be set at the Root Management group is not inherited on the subscription. Remember we want the Security Admin (user/personnel) / Owner / User Access Administrator to control access to Resource Guard.
Now that you have an understanding of the concept (I hope 😉) lets get stuck into the steps to creating Resource Guard and configuring MUA on the vaults.
Before I do start a few prerequisites are needed.
- Make sure the creation of Resource Guard and the Recovery Services vault or Backup Vault are in the same Azure region.
- Make sure the Backup admin (user/personnel) does NOT have Contributor permissions on the Resource Guard.
- Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions) are registered to use the providers – Microsoft.RecoveryServices and Microsoft.DataProtection.
Creation of Resource Guard
- In the Azure Portal, Search for Resource Guard and Select Create.
- Choose the Subscription and Resource Group.
- Choose the region (should be the same as your vault).
- Choose the Resource Guard Name and add a description if it suits. Should look something like the below.
- Click on Next to the Protected Operations. As you can see, the greyed out Enabled are mandatory and the others are optional. Ideally Enable all operations.
- Click on next for Tags, add your tags if applicable
- Click on Review + Create to create the Resource Guard.
Now onto the MUA configuration for the vaults.
MUA Configuration
- In the Azure Portal, Go to your Recovery Services Vault.
- Click on Properties in side menu.
- Click on the Update button under Multi-User Authorization
- Click on the Protect with Resource Guard tab
- Select your Resource Guard you previously created and click on Save
That’s it!! A very simple process to adding another protection layer to your Recovery Services and Backup Vaults. Now let’s test the process 🤔
Testing
For testing, I am going to try stop an Azure Backup and delete the data.
As you can see I receive a operation failed notification due to not having the permissions so Resource Guard is doing its job!
As mentioned, If a user/personnel wants to perform a protected operation they will require the Contributor role on the Resource Guard resource. Let’s do that now!
Now I will try Stop and Delete the Azure Backup again. As you can see below this was successful! 😎
*One gotcha I found out after assigning the contributor role to Resource Guard, I had to sign out of the Azure Portal and re-authenticate. Refreshing did not work!*
Automated Authorization
If your looking to automate the authorization process and lucky enough to have Microsoft Entra ID P2 license assigned to the tenant, this is achievable by using Privileged Identity Management (PIM) and creating an eligible assignment of the Contributor role on the Resource Guard resource type. You can also setup approvers on PIM that will have to approve users/personnel activating the Contributor role. This is a nice feature of PIM.
More info on PIM approvals via Microsoft Docs! – https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#authorize-critical-protected-operations-using-microsoft-entra-privileged-identity-management
Closing Remarks
In this blog post, we explored how to enhance security and add an additional layer of protection to critical operations on your Recovery Services vaults and Backup Vaults using Multi-user Authorization (MUA). By leveraging Resource Guard, you can ensure that critical actions are performed only with applicable authorization.
What would be nice feature functionality in the long term, would be Resource Guard being applicable for Azure Site Recovery services. Unfortunately, we don’t have the same option to protect Site Recovery instances from being modifying or deleted. The DR protection for instances in the secondary region is just as important as Azure Backup! Let’s hope we see something soon for ASR.
Also, don’t forget about the other security features that can be leveraged like:
- Immutable Vaults
- Soft Delete
- Encryption Settings
- Security PIN (MABS, DPM, MARS)
Any questions or feedback please get in touch 😁
AllAzure 