Protecting Recovery Services Vaults with Resource Guard and Multi-user authorizations

@20aman    Feb 18, 2022

You want to control access to Recovery Services Vault and what kind of operations are allowed on the same, you can now do so using the Resource Guard. It is another resource in Azure that you can

Scenario and Permissions

Let's assume that there are two people at your organization. One who is responsible for the security and another who is responsible for performing backup-related operations. The security wants to limit the backup administrator's operations. Let's classify these people into two roles:

  1. Backup Admin - He is the owner of the Recovery Services Vault and needs to perform various operations.
  2. Security Admin - He is the gatekeeper of the critical operations that occur on the vault and controls permissions that the Backup admin needs to perform his job.

Permissions on the Resource Guard - The Security admin needs to be the owner of the Resource Guard. The Backup admin must not have any permission to the Resource Guard.


Below are some of the caveats that you should be aware of:

  • The Backup admin must not have Contributor permissions to the Resource Guard in any scenario. The Resource Guard must be owned by a different user than the backup admin.
  • You can place Resource Guard in a subscription or tenant different from the one containing the Recovery Services vault to provide better protection.
  • This feature is currently supported for Recovery Services vaults only and not available for Backup vaults.
  • Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use Microsoft.RecoveryServices provider.

Resource Guard Creation

Just search for "Resource Guard" in the search box on the Azure portal and navigate to the section. Click on the "+ Create" button to create a new Resource Guard. Fill in the name and other defaults and hit Create. That's it.

Resource Guard Creation

Navigate to the resource guard resource once ready.

Enabling and Disabling Operations in Resource Guard

Follow the below steps to enable/disable the protected operations. The numbers correspond to the numbers in the screenshot.

  1. Navigate to your Resource Guard resource. Then navigate to the properties section.
  2. Provide a description. This would appear in the vaults that are protected using this Resource Guard.
  3. Enable and Disable the protected operations next as shown below.
Properties of the Resource Guard

Adding Backup admin as Reader on the Resource Guard

To enable MUA on a vault, the backup admin of the vault must have a Reader role on the Resource Guard or subscription containing the Resource Guard. Grant the Reader role to the backup admin user from the "Role assignments" under the "Access control (IAM)" for the Resource Guard resource.

Enabling Multi-User Authorization on the Recovery Services Vault

To set up the Multi-User Authorization on the Recovery Services Vault, navigate to the vault and link it to the Resource Guard resource. To do this navigate to the properties of the vault and select the "Update" link under the Multi-User Authorization setting.

Multi-User Authorization Setting

Next, select the check box for the "Protect with Resource Guard" and select the radio button for the "Select Resource Guard". To select the actual resource for the Resource Guard, click on the "Select Resource Guard" link.

Multi-User Authorization Setting - Details

In the next blade, select your directory and then the resource guard resource under that from the list. Hit select and then Save in the previous blade.

Selecting the Resource Guard for the Vault

This should set it up for you. Now the operations you disabled can't be performed on the recovery services vault by the backup admin.

Authorize critical (protected) operations

If for any reason you want to allow the critical i.e. protected operations then the recommended approach is to leverage Privileged Identity Management (PIM) and have the backup admin elevate their access from Reader to a Contributor on the Resource Guard resource. An alternative is to manually update these role assignments on the Resource Guard resource. PIM is the recommended approach as it time bounds the authorization providing just-in-time (JIT) access that is auto-revoked after allowed time.

Official documentation link: Multi-user authorization using Resource Guard

Comments powered by Disqus