When we talk about Azure Backup, it’s not just about creating backups; it’s about ensuring reliable recovery when it matters most. Nobody needs backups, everyone needs recovery! Whether it’s accidental data deletion, unexpected outages, or ransomware attacks, Azure Backup is an essential tool for protecting your IaaS and PaaS workloads.
Imagine a scenario where a backup operator’s credentials are compromised during a cybersecurity attack. Even though Azure Backup is secure by design and prevents the encryption of backup data, attackers might still attempt to harm the organization by deleting the backups. This is where Multi-User Authorization (MUA) comes in as a game-changer.
By requiring administrative access to perform sensitive actions like deleting backups, MUA adds a critical layer of protection. It ensures that even if one account is compromised, malicious actors cannot single-handedly tamper with or delete your backup data.
MUA adds another layer of security by requiring explicit authorization from the Resource Guard service for critical actions such as deletion or modification of backups. This drastically reduces the risk of insider threats or accidental misconfigurations.
MUA is one of the most overlooked yet vital solutions that every organization should adopt. Not only is it free, but it also provides an essential safeguard for backup operations.
Here’s a step-by-step guide on how to configure MUA to protect your Azure Backup or Recovery Services Vault effectively.
Start by logging into the Azure Portal and creating a new Resource Guard resource. For optimal security, it’s recommended to create the Resource Guard in a different tenant to separate security accounts and operations completely.
Once the Resource Guard is set up, switch to the other tenant where the Azure Backup Vault resides and configure it to use the Resource Guard.
If a backup administrator attempts to delete a backup without the appropriate permissions on the Resource Guard, the operation will be blocked. Only users with the “Backup MUA Operator” role on the Resource Guard can authorize such critical actions.
This ensures that unauthorized deletion attempts—whether accidental or malicious—are effectively prevented.
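The separation of duties described above only holds if no single principal has both a backup administrator role on the vault and an authorizing role on the Resource Guard. The following Python check is an added example, not part of the original post. It compares two role assignment lists in the shape of `az role assignment list` output; the sample data is constructed, the role sets other than “Backup MUA Operator” are assumptions, and both lists are assumed to identify a principal by the same `principalId`.

```python
import json

# Roles that let a principal authorize protected operations on the Resource Guard.
# "Backup MUA Operator" is the role named in the article; Owner and Contributor
# are included as an assumption, since they also grant write access to the guard.
GUARD_ROLES = {"Backup MUA Operator", "Owner", "Contributor"}
# Roles treated as "backup administrator" on the vault (assumption).
VAULT_ROLES = {"Backup Contributor", "Owner", "Contributor"}

def holders(assignments, roles):
    """Map principalId -> (principalName, set of matching role names)."""
    found = {}
    for a in assignments:
        role = a.get("roleDefinitionName")
        if role in roles:
            entry = found.setdefault(a["principalId"], (a.get("principalName", ""), set()))
            entry[1].add(role)
    return found

def separation_violations(vault_assignments, guard_assignments):
    """Return principals who can both run backup operations and approve them."""
    vault = holders(vault_assignments, VAULT_ROLES)
    guard = holders(guard_assignments, GUARD_ROLES)
    return [
        {"principalId": pid, "principalName": vault[pid][0],
         "vaultRoles": sorted(vault[pid][1]), "guardRoles": sorted(guard[pid][1])}
        for pid in sorted(vault.keys() & guard.keys())
    ]

# Constructed sample data in the shape of `az role assignment list` output.
SAMPLE_VAULT = json.loads("""[
 {"principalId": "1111", "principalName": "backup-op@example.com", "roleDefinitionName": "Backup Contributor"},
 {"principalId": "2222", "principalName": "ops-lead@example.com", "roleDefinitionName": "Owner"},
 {"principalId": "3333", "principalName": "auditor@example.com", "roleDefinitionName": "Reader"}
]""")
SAMPLE_GUARD = json.loads("""[
 {"principalId": "1111", "principalName": "backup-op@example.com", "roleDefinitionName": "Reader"},
 {"principalId": "2222", "principalName": "ops-lead@example.com", "roleDefinitionName": "Backup MUA Operator"},
 {"principalId": "4444", "principalName": "sec-admin@example.com", "roleDefinitionName": "Backup MUA Operator"}
]""")

if __name__ == "__main__":
    for v in separation_violations(SAMPLE_VAULT, SAMPLE_GUARD):
        print("VIOLATION:", v["principalName"], v["vaultRoles"], v["guardRoles"])
```

In the sample, only `ops-lead@example.com` is flagged, because that account is Owner on the vault and also holds “Backup MUA Operator” on the Resource Guard.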
In one of my next blog posts I will go into using Privileged Identity Management (PIM). With PIM you can enable privileged roles on demand and add an approval workflow on top of that. As this would go beyond the scope of this blog post, I will write a separate article about it in the next few days.
Azure Backup provides a robust foundation for data recovery, but adding Multi-User Authorization (MUA) elevates your backup security to the next level. MUA ensures that no single account can compromise your backups, protecting your organization from accidental deletions, insider threats, and ransomware attacks.
Configuring MUA is straightforward, free, and incredibly effective. By integrating a Resource Guard from another tenant, you can establish a strong separation of duties and enhance your overall security posture.
Don’t wait for a data loss incident to realize the importance of recovery readiness. Secure your Azure Backup strategy today with Multi-User Authorization and stay prepared for any scenario!