Data protection in today’s world is becoming more critical than ever. With the increasing amounts of data in this all-connected world comes more data that needs to be protected. According to various reports, data protection is listed as one of the top 5 priorities that IT leaders and businesses continue to have in today’s world.
In this blog post, we will share with you how to enable Azure Backup on VMs using Azure Policy at scale, so you can auto-protect and enforce backup on existing or newly deployed virtual machines.
Introduction
With Azure Backup, Microsoft has taken a cloud-first approach by building it as a multi-tenanted platform as a service (PaaS) to deliver backup as a service (BaaS). It is architected to support the full spectrum of born-in-the-cloud applications (IaaS, PaaS, and SaaS), delivers on the cloud promises, and moves both admin personas into higher-leverage roles in a cloud-transformed backup operation.
Azure Backup has first-class support for IaaS including SQL and SAP workloads running on Azure as IaaS VM, as well as supporting backup of SQL PaaS for long-term retention needs. This also includes support for Azure Files and Azure File Sync and soon other Azure PaaS artifacts.
Azure Policy is a set of rules (or a workflow) that all resources in a given resource group, subscription, or management group must follow. A policy can be as simple as assigning a “Tag” to any resource created within the resource group.
Microsoft has released several Azure Policies to auto-enable backup on IaaS virtual machines for different scenarios. This lets you create a policy for your management group, subscription, or resource group; as you deploy any VM, the policy ensures that the VM is auto-protected by Azure Backup, with backup enabled for the schedule and the retention you defined. You can also auto-enable backup for existing VMs in the chosen scope.
In this article, we will show you how to enable Azure Policy to support Azure Backup. This will ensure that the backup of virtual machines is automatically enabled as soon as a VM is deployed in a specific resource group.
Prerequisites
To follow this article, you need to have the following:
1) An Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Azure Resource Group (RG) obviously.
3) At least one Azure Recovery Services vault. Please check the following quick start guide to create and configure a Recovery Services vault.
4) At least one Azure Backup policy. Please check the following guide on how to automate the creation of Azure Backup protection policies.
5) At least one Azure virtual machine deployed in the desired RG. Please check the following quick start guide to create a Windows virtual machine.
For the purpose of this article, we’ll be configuring backup on VMs without any given “Tag” to an existing recovery services vault in the same region. You can also choose a different Azure Policy definition to configure backup on VMs to a new recovery services vault, with or without a given “Tag”.
Assuming you have all the prerequisites in place, now take the following steps:
Enable Azure Backup with Azure Policy
Open the Azure Portal, click “All services” and then search for “Backup Center”, then select “Azure policies for backup” under Policy and Compliance on the left-hand side of the blade.

Backup Center is a single unified management experience in Azure. It enables enterprises to govern, monitor, operate, and analyze backups at scale. With this solution, you can perform most of the key backup management operations without being limited to the scope of an individual vault.
Next, select the desired policy for your scenario. In this example, I will choose ‘Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location’. Click on “Assign” at the top of the page. The Assign policy blade will open, which lets you author a policy.
The first step is to define the scope where the policy applies. A scope can be a management group, subscription, or resource group. Depending on the scenario you choose, some definitions can only be scoped to a management group or a subscription; all of them, however, can be scoped to a resource group. As shown in the figure below, I will set the scope to a resource group that I have created (you select the subscription first, and then the desired resource group).

Next, you can give it any custom assignment name and description you want. In this example, I will call it ‘Azure Backup Policy for West Europe VMs’, and give it a description ‘I am creating an Azure Policy to backup all my West Europe VMs’. By default, the ‘Policy enforcement’ is set to Enabled. Click Next to continue.
On the Parameters tab, you need to specify a couple of parameters for the Azure Backup policy as follows:
- Location: You need to specify the location (Azure region) of your deployed VMs that you want to protect. In this example, I choose ‘West Europe’.
- Backup Policy: You need to specify the ID of the Azure Backup policy used to configure the backup of the virtual machines. The selected Azure Backup policy should be of type Azure virtual machine, and it must live in a vault located in the location chosen above. Click on the ellipsis (…) next to the Backup Policy and then choose the existing ‘Recovery Services vault’ and the ‘Recovery Services backup policy’ that you created as part of the prerequisites.
- Exclusion Tag Name (optional): As an optional parameter, you can set the ‘Name’ of the tag to use for excluding VMs from the scope of this policy. This should be used along with the ‘Exclusion Tag Value’ parameter below. In this example, I don’t want to exclude any VM.
- Exclusion Tag Value (optional): Similar to the ‘Exclusion Tag Name’ parameter above, you can set the value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the ‘Exclusion Tag Name’ parameter above. In this example, I don’t want to exclude any VM.
- Effect: The default is ‘deployIfNotExists’. You can set it to ‘disabled’ in case you want to disable this policy, or you can only audit whether backup is enabled for your VMs by choosing ‘auditIfNotExists’. In this example, I’ll leave it as default.

Click Next to continue to the Remediation tab. Remediation matters because, by default, the assignment only takes effect for newly created resources; existing resources are updated via a remediation task after the policy is assigned. Select ‘Create a remediation task’ as shown in the figure below. If there are VMs already present in my resource group, the remediation task ensures that the backup policy is enforced on them as well.

The next thing to do is to create a managed identity. It is advisable to place the managed identity in a region different from your source region: if a disaster takes down the source region, an identity hosted there would go down with it. In this example, I pick ‘North Europe’ for my managed identity location.

The purpose of this managed identity is to manage the virtual machines and backup resources. Here we are creating a managed identity with the Virtual Machine Contributor and Backup Contributor roles. This identity has access to back up your virtual machines to the specified Recovery Services vault. By doing this, all the management of backup resources and enabling backup of your VMs will be automatically managed by Azure Backup.
Clicking on Next, you can set up a custom non-compliance message. This message is shown when any of your existing VMs is not protected by Azure Backup for whatever reason. For example, I can set up the message (Non-compliant VM for Azure Backup. Please remediate.).

Click Next to continue. Finally, you can validate all the entries that you have entered and then click on ‘Create’.

Once the assignment is created, it will take around 30 minutes to take effect.
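The portal walk-through above is fine for one assignment; at scale you want the same steps scripted. The following Azure CLI script is an added example and not code from the article or from Microsoft: it resolves the built-in definition by the display name used above, builds the assignment parameters, creates the assignment with a system-assigned managed identity in a different region, grants the second role, and starts the remediation task for existing VMs. All subscription, resource group, vault and policy names are placeholders taken from environment variables, and the policy parameter names (vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue, effect) and the array type of exclusionTagValue are assumptions about the built-in definition that the script tells you how to confirm.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): assign the built-in backup policy with the
# Azure CLI instead of the portal, attach the managed identity, and start the
# remediation task for existing VMs. Placeholders come from environment variables
# (SUBSCRIPTION_ID, RG, VAULT_RG, VAULT_NAME, BACKUP_POLICY_NAME, ...). The parameter
# names (vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue, effect) and
# the array type of exclusionTagValue are assumptions about the built-in definition;
# confirm them with: az policy definition show --name "$def" --query parameters
set -eu

POLICY_DISPLAY_NAME='Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location'

# Build the --params JSON for the assignment. Pure string work, so it runs without
# Azure access. Args: location, backup policy resource id, exclusion tag name,
# exclusion tag value(s) as a comma-separated list, effect.
build_params() {
  local location="$1" policy_id="$2" tag_name="${3:-}" tag_value="${4:-}" effect="${5:-deployIfNotExists}"
  case "$effect" in
    deployIfNotExists|auditIfNotExists|disabled) ;;
    *) echo "unsupported effect: $effect" >&2; return 1 ;;
  esac
  # The backup policy must be a Recovery Services backup policy resource id, otherwise
  # the deployment the policy performs fails for every VM.
  case "$policy_id" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.RecoveryServices/vaults/*/backupPolicies/*) ;;
    *) echo "backupPolicyId is not a Recovery Services backup policy id: $policy_id" >&2; return 1 ;;
  esac
  # The two exclusion parameters only work as a pair.
  if { [ -n "$tag_name" ] && [ -z "$tag_value" ]; } || { [ -z "$tag_name" ] && [ -n "$tag_value" ]; }; then
    echo "exclusionTagName and exclusionTagValue must be set together" >&2; return 1
  fi
  # The portal takes a comma-separated list for the tag values; the CLI needs a JSON array.
  local values_json='[]' sep='' v
  if [ -n "$tag_value" ]; then
    values_json='['
    local IFS=','
    for v in $tag_value; do
      v="${v#"${v%%[! ]*}"}"; v="${v%"${v##*[! ]}"}"   # trim spaces around each value
      if [ -n "$v" ]; then values_json="$values_json$sep\"$v\""; sep=','; fi
    done
    values_json="$values_json]"
  fi
  printf '{"vaultLocation":{"value":"%s"},"backupPolicyId":{"value":"%s"},"exclusionTagName":{"value":"%s"},"exclusionTagValue":{"value":%s},"effect":{"value":"%s"}}\n' \
    "$location" "$policy_id" "$tag_name" "$values_json" "$effect"
}

main() {
  local sub="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}"
  local rg="${RG:?set RG (resource group holding the VMs; this is the assignment scope)}"
  local vault_rg="${VAULT_RG:-$rg}" vault="${VAULT_NAME:?set VAULT_NAME}" bkp="${BACKUP_POLICY_NAME:?set BACKUP_POLICY_NAME}"
  local location="${VM_LOCATION:-westeurope}" identity_location="${IDENTITY_LOCATION:-northeurope}"
  local name="${ASSIGNMENT_NAME:-backup-weu-vms}"
  local scope="/subscriptions/$sub/resourceGroups/$rg"
  local policy_id="/subscriptions/$sub/resourceGroups/$vault_rg/providers/Microsoft.RecoveryServices/vaults/$vault/backupPolicies/$bkp"

  # Resolve the built-in definition by display name instead of hard-coding its GUID.
  local def
  def=$(az policy definition list --query "[?displayName=='$POLICY_DISPLAY_NAME'].name | [0]" -o tsv)
  [ -n "$def" ] || { echo "built-in definition not found" >&2; return 1; }

  local params
  params=$(build_params "$location" "$policy_id" "${EXCLUSION_TAG_NAME:-}" "${EXCLUSION_TAG_VALUE:-}" "${EFFECT:-deployIfNotExists}")

  # System-assigned identity in a region other than the VMs', as the article advises.
  # The CLI grants one role at creation; the second role is added right after.
  local principal
  principal=$(az policy assignment create \
      --name "$name" --display-name "Azure Backup Policy for $location VMs" \
      --scope "$scope" --policy "$def" --params "$params" \
      --mi-system-assigned --location "$identity_location" \
      --role "Virtual Machine Contributor" --identity-scope "$scope" \
      --query identity.principalId -o tsv)

  # Backup Contributor has to cover the vault, which may sit outside the assignment scope.
  # --assignee-principal-type avoids the "principal not found" race right after creation.
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
      --role "Backup Contributor" --scope "/subscriptions/$sub/resourceGroups/$vault_rg" -o none

  # deployIfNotExists only acts on new resources; existing VMs need a remediation task.
  az policy remediation create --name "$name-initial" --resource-group "$rg" \
      --policy-assignment "$name" --resource-discovery-mode ReEvaluateCompliance -o none

  # Show what is still non-compliant for this assignment.
  az policy state list --resource-group "$rg" \
      --filter "policyAssignmentName eq '$name' and complianceState eq 'NonCompliant'" \
      --query "[].resourceId" -o tsv
}

if [ "${APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with `APPLY=1 SUBSCRIPTION_ID=... RG=... VAULT_NAME=... BACKUP_POLICY_NAME=... ./assign-backup-policy.sh` after `az login`; without `APPLY=1` the script only defines the functions, so `build_params` can be exercised on its own. Keep the optional exclusion tag in mind as a risk: anyone who can tag a VM in the scope can opt it out of backup, so restrict write access to that tag or leave the exclusion parameters empty as the article does.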
Verify Azure Backup Policy Enforcement
In this section, we will verify how policy enforcement looks after it’s enabled.
I already have a couple of VMs that were created after this policy was assigned to the scope of my resource group.
Navigate to the resource group where the VMs are created, and then click on ‘Policies’ on the left blade under Settings as shown in the figure below.

You can see all the policies that exist in this resource group, including the policy that I created in the previous section, ‘Azure Backup Policy for West Europe VMs’.

If you click on the policy, you will see all the VMs in Compliant and Non-compliant state. This is the monitoring pane for the policy. You can see that all my VMs are compliant: they are in ‘West Europe’ and protected by Azure Backup, as shown in the figure below.

You can select any compliant VM and then click on ‘View Resource’. The VM blade will open, where you can navigate to the ‘Backup’ page under Operations on the left-hand side. You can see that the VM is protected by Azure Backup and in a healthy state as shown in the figure below.

What if you have existing VMs deployed in that resource group before you assign the Backup policy? Remember the assignment only takes effect for the newly created resources (VMs). The existing VMs can be protected via a remediation task after the policy is assigned.
During an evaluation cycle, the resources matched by a policy definition with a “DeployIfNotExists” effect are marked as non-compliant; after the evaluation finishes, backup is auto-enabled on the existing VMs as well, because we chose to create a remediation task when assigning the policy definition, as described in the previous section.
That’s it, there you have it!
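To make the compliance states in this section concrete, here is a small evaluator, added as an example and not taken from the article or from the built-in definition. It runs a constructed VM inventory through the same decisions the assignment makes with the Location and Exclusion Tag parameters (VM outside the location: out of scope; exclusion tag present with one of the listed values: out of scope; protected: compliant; otherwise non-compliant until the remediation task runs) and lists the VMs that remediation would enable backup on. The real definition has further conditions that this toy does not model; one reader's comment below notes it also matches on the VM image publisher and offer.

```bash
#!/usr/bin/env bash
# Added example (not from the article): a toy evaluator showing which VMs in an
# inventory the assignment would treat as out of scope, compliant or non-compliant,
# and therefore which ones the remediation task would enable backup on. The inventory
# is constructed for the example. The real built-in definition has more conditions
# than modelled here (a reader's comment notes it also matches on the VM image
# publisher/offer), so this only illustrates the location and exclusion-tag parameters.
set -eu

# value_in_list NEEDLE "a,b,c" -> exit 0 if NEEDLE is one of the comma-separated values
value_in_list() {
  local needle="$1" IFS=',' x
  for x in $2; do
    if [ "$x" = "$needle" ]; then return 0; fi
  done
  return 1
}

# classify_vm LOCATION PROTECTED TAGS POLICY_LOCATION EXCL_TAG_NAME EXCL_TAG_VALUES
#   LOCATION   region of the VM           PROTECTED  true|false (already backed up?)
#   TAGS       "key=value;key=value"      the last three are the assignment's parameters
# prints: out-of-scope | compliant | non-compliant
classify_vm() {
  local vm_location="$1" protected="$2" tags="$3" policy_location="$4" excl_name="$5" excl_values="$6"
  # The policy only evaluates VMs in the vault's location.
  if [ "$vm_location" != "$policy_location" ]; then echo out-of-scope; return 0; fi
  # A VM carrying the exclusion tag with one of the listed values is left alone.
  if [ -n "$excl_name" ]; then
    local IFS=';' t
    for t in $tags; do
      if [ "${t%%=*}" = "$excl_name" ] && value_in_list "${t#*=}" "$excl_values"; then
        echo out-of-scope; return 0
      fi
    done
  fi
  # deployIfNotExists: protected VMs are compliant, the rest are non-compliant until remediated.
  if [ "$protected" = true ]; then echo compliant; else echo non-compliant; fi
}

# Constructed inventory: name location protected tags
INVENTORY='vm-web-01 westeurope true env=prod
vm-web-02 westeurope false env=prod
vm-app-01 westeurope false env=prod;BackupExempt=no
vm-legacy-01 westeurope false env=prod;BackupExempt=yes
vm-db-01 northeurope false env=prod'

# remediation_candidates: VMs the remediation task would enable backup on, for an
# assignment on westeurope that excludes tag BackupExempt with value yes or true.
remediation_candidates() {
  printf '%s\n' "$INVENTORY" | while read -r name loc prot tags; do
    if [ "$(classify_vm "$loc" "$prot" "$tags" westeurope BackupExempt 'yes,true')" = non-compliant ]; then
      printf '%s\n' "$name"
    fi
  done
}

remediation_candidates
```

With this inventory the script prints vm-web-02 and vm-app-01: vm-web-01 is already protected, vm-legacy-01 carries the exclusion tag with a listed value, vm-db-01 is in another region, and vm-app-01 is still in scope because its tag value ‘no’ is not in the exclusion list. That last case is the one to watch in production: only an exact value match excludes a VM, so an excluded VM that is later re-tagged with a different value silently comes back into scope.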
Summary
Azure Backup is a cloud-based backup solution that is part of a broad service presented to customers through Azure Recovery Services vaults. Though cloud-native and delivered as platform as a service (PaaS), Azure Backup can protect on-premises workloads as well as workloads in the cloud. It can replace your existing on-premises and off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
Azure Backup is simple to configure and use, offering consistent copies with security features and management controls via the Azure portal.
- Learn more on how Azure Backup Integrates with Azure File Sync – Part I
- Learn more on how Azure Backup Integrates with Azure File Sync – Part II
- Learn more on how to enable Azure Site Recovery (ASR) on VMs using Azure Policy
I hope this article gave you a broad overview of how to auto-enable Azure Backup with Azure Policy to help you minimize operations overhead, and increase data protection against security threats and ransomware attacks.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
Hello,
To be sure, we can’t automatically enable “Enable Backup” for a VM, right?
All this procedure only to check that the VMs are taken in backup?
There is no way to configure the backup of a VM after its deployment with predefined parameters, without having to do it during the deployment?
Hello Florian, thanks for your comment!
No, this is not true. We can automatically enable “Enable Backup” for a VM with Azure Policy as shown in this article.
The configuration of the backup is done automatically after the VM is deployed or on existing VMs which are not protected with Azure Backup yet.
As noted in the article, the resources (VMs) matched by the policy with a “DeployIfNotExists” effect are marked as non-compliant; however, after the policy finishes its evaluation, the backup will be auto-enabled on existing VMs as well.
Hope it helps!
Hi Charbel,
Very nice article!
Do you know if it’s possible to configure the policy to only add VMs to a backup policy if they’re not already assigned a policy?
Example: This policy could be used as a ‘safety net’ where only the VMs without a backup policy get the “default” backup policy assigned.
Hello Lasse, thanks for the comment and feedback!
I understand what you want to accomplish, but I did not see the use case behind this scenario.
This policy as described in this article will auto-enable and configure backup for unprotected VMs.
So, I don’t understand why you need another policy for this.
This policy will identify all the VMs without a backup policy and then configure backup.
Hope it helps!
Hello Charbel – great article, thank you. Unfortunately it hasn’t worked in our organisation’s scenario, where we use Terraform to create VMs from an image we have placed in our Azure Compute Gallery. I have checked through the policy definition and it requires Image publisher, Image offer and Image plan to be set to specific values. Our values didn’t match, as we purposely set Image publisher as something different, but I have corrected that now, with a new definition, and the policy will not mark a VM as non-compliant. To check I have set things up properly, I have created a VM manually from the Azure Portal, using a built-in Windows offering, and it works a treat – the VM is marked as non-compliant and then the VM is assigned to the policy I have selected. I have raised a ticket with MS about it not finding Terraform-created, Azure Compute Gallery image VMs non-compliant, but so far they haven’t been able to explain why it won’t pick up on the VMs we create via Terraform. Don’t suppose you have come across this?
Hello Bill, thanks for the comment and I’m glad to hear that you found the article helpful!
I understand the frustration you’re facing with Azure Policy not marking Terraform-created VMs as non-compliant, despite adjusting the image publisher.
While I haven’t encountered this exact issue, I can offer a few suggestions to further troubleshoot:
- Policy Evaluation Logs: Check the policy evaluation logs for Terraform-created VMs. This may provide insights into why the compliance status isn’t being updated.
- Policy Exclusions: Ensure that there are no exclusions or overrides in place that might be affecting the policy evaluation for Terraform-created VMs.
- Terraform Script Analysis: Review your Terraform scripts to ensure that all the required attributes (Image publisher, Image offer, Image plan) align with the policy requirements.
- Additional Policy Definitions: Check if there are other policy definitions in your Azure environment that might conflict or interfere with the intended policy enforcement.
If the issue persists, continuing to work with Microsoft Support is advisable, as they have access to in-depth diagnostics and can offer tailored assistance for this specific issue.
I hope one of these suggestions helps in pinpointing and resolving this issue.