One of the common use cases for 3. party backup tools in Azure, is the separation of duties. In theory, if someone has higher-level access to an Azure environment, they can delete the backup/recovery vault and then the backup files.
There are of course some safeguards in place such as soft delete but someone with access to the subscription and such can still delete the backup vault with the files.
With Azure Resource Guard, which is a new service in preview, you can safeguard from these actions to be taken. Resource Guard stops the following actions to be taken from a backup admin perspective.
NOTE: The feature is currently in Preview, and should hence not be used for production workloads
- deleteProtectedItemRequests
- updateProtectedItemRequests
- updateProtectionPolicyRequest
- deleteResourceGuardProxyRequests
- getBackupSecurityPINRequests
- disableSoftDeleteRequests
Now you can of course handle this with different mechanisms in Azure as well to avoid that someone deleted backup vault using Azure RBAC and PIM mechanisms, however if someone has full access to the subscription or tenant then it cannot be avoided.
However, Resource Guard can also handle these scenarios. Resource Guard can be in a different subscription or a different tenant as the vault. However, it should be in the same region as the vault. Therefore, you can avoid such scenarios. It is important however that for the backup admin to interact with the vault and to enable MUA (Multi-User Authorization) on a vault, the admin of the vault must have ‘Reader’ role on the subscription containing the Resource Guard.
If the Backup Admin requires to make some changes to the protected backup data, you can configure Azure AD PIM for the Backup Admin to elevate access to at least Contributer role on the Resource Guard.
Enabling Azure Resource Guard on a backup vault
- Enable Resource Guard Preview. Under Subscriptions –> Preview Features –> Select the ‘AzureBackupResourceGuard’ feature under the ‘Microsoft.RecoveryServices’ provider and click ‘Register’
- Create a Resource Guard (Which can be placed within the same or different tenant/subscription
- Enable MUA (Multi-User-Authorization) on a Recovery Vault. Go into Properties –> MUA –> Select the Resource Guard that was created.
- Attach the resource guard to the recovery vault
Once I have the resource guard attached to the recovery vault and I try to make some changes to the backup policy or to disable soft delete I will get this error message (user account is a backup admin account that only has access to the backup folder)
Now to summarize, this feature will allow for least privilege access. Where backup administrators or others with high-level of access such as Subscription owners or contributors are not able to modify backup.
The best approach would be to have the resource guard in a separate tenant to ensure complete isolation, and to avoid those with access to the root management group level are able to modify the data.
To disable this feature is protected using MUA. This means that the Backup admin must have the required ‘Contributor’ role in the Resource Guard.