This article will show you how to leverage Multi-User Authorization (MUA) for Azure Backup to help you add a layer of authorization for critical backup operations like policy modifications, disabling soft delete, and vault deletions to safeguard against Ransomware and rogue admin scenarios.
Data protection in today’s world is becoming more critical than ever. With the increasing amounts of data in this all-connected world comes more data that needs to be protected. According to various reports, data protection is listed as one of the top 5 priorities that IT leaders and businesses continue to have in today’s world. However, backup security is still a challenging factor for many organizations today.
Table of Contents
Azure Backup ensures your backup data is stored securely by leveraging the built-in security capabilities of the Azure platform role-based access control (RBAC) and encryption. In addition, with the new capabilities for soft-delete, Azure Backup protects against any accidental and malicious attempts for deleting your backups.
With a powerful architecture built into Azure, Azure Backup does all this for you in a simple, secure, and cost-effective manner without needing you to worry about anything at all.
The Azure Backup team just announced a new security feature (
in public preview) called Multi-User Authorization (MUA) for Backup that allows you to add a layer of protection to critical operations on your Recovery Services vaults. For this, Backup uses a new Azure resource called the Resource Guard to ensure critical operations are performed only with proper authorization.
You can see the “Multi-User Authorization for Backup is now in
public preview” that you can configure in your existing Recovery Services vault, under Settings | Properties as shown in the figure below:
Updated – 15/07/2022 – Multi-user authorization (MUA) for Recovery Services vaults is now generally available.
Before we dive into the technical details of the solution and configuration, I want you to pause for a second, step back and think of the big picture. So up until today, we used to have a Backup admin and he could delete a backup. But with MUA, this person alone cannot delete a backup. He needs to request permission to delete the backup, and the Security admin needs to approve this critical operation.
How Multi-User Authorization for Azure Backup works
Azure Backup uses the Resource Guard as an authorization object for a Recovery Services vault. Hence, a user requesting a critical operation must have sufficient permissions on the Resource Guard as well to be able to successfully perform it. For this scenario to function as intended, the Resource Guard must be owned by a different user, and the Backup admin must not have contributor permissions on it.
Let me explain the process involved by introducing you to a popular concept in the security world called separation of duties (also known as Segregation of Duties), which is the concept of having more than one person required to complete a critical task.
Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that NO one person is solely in control.
As shown in the diagram below, we have two users (Security Admin / Backup Admin).
> Backup admin: Owner of the Recovery Services vault and performs management operations on the vault. The Backup admin does NOT have any permissions on the Resource Guard to start with.
> Security admin: Owner of the Resource Guard and serves as the gatekeeper of critical operations on the vault. Hence, the Security admin controls permissions the Backup admin has to perform critical operations on the vault. In this scenario, the security admin must approve those critical operations that are requested by the backup admin, hence, it increases protection from rogue admin and Ransomware attacks.
On the technical side, the process involves the following tasks:
1) The Backup admin creates first the Recovery Services vault.
2) The Security admin creates the Resource Guard. The Resource Guard can be in a different subscription or a different tenant with a right to the Recovery Services vault. It must be ensured that the Backup admin does not have Contributor permissions on the Resource Guard.
3) Next, the Security admin grants the Reader role to the Backup Admin for the Resource Guard (or the subscription containing the Resource Guard). The reader role is required by the Backup admin to enable MUA on the vault.
4) The Backup admin now configures the Recovery Services vault to be protected by MUA (via the Resource Guard).
5) Now if the Backup admin wants to perform a critical operation on the vault, they need to request access to the Resource Guard. They can do this using Privileged Identity Management (PIM) or other processes as mandated by your organization. The Backup admin can contact the Security admin for details on gaining access to perform such operations.
6) Next, the Security admin grants the Contributor role to the Backup admin to perform critical operations.
7) The Backup admin now initiates the critical operation.
8) The Azure Resource Manager (ARM) checks if the Backup admin has sufficient permissions as follows:
- If the Backup admin has a Contributor role on the Resource Guard (Step 6), then the request is completed.
- If the Backup admin did not have the required permissions/roles, then the request would have failed.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Azure Resource Group (RG).
3) The Resource Guard and the Recovery Services vault must be in the same Azure region (e.g West Europe).
4) The Backup admin persona should NOT have the “Contributor” permissions on the Resource Guard or the subscription that contains it. This is a very important step, otherwise, the Multi-User Authorization process won’t work.
5) Updated – 15/07/2022 – the supported critical operations with MUA are (Disable Soft delete, Remove MUA protection, Delete protection, Modify protection, Modify policy, and Get Backup security PIN). Please note that the following two operations Disable soft delete and Remove MUA protection cannot be disabled. Those operations are considered very critical.
6) You need to have at least one Azure Recovery Services vault created. Please check the following quick start guide to create and configure a Recovery Services vault. The Backup admin must have the “Contributor” role on the vault itself or on the resource group where the Recovery Services vault is created.
Please note that the Multi-User Authorization (MUA) protects the critical operations performed on the Recovery Services vaults only and not directly on the resource itself.
For this article, we will test the following scenario:
> Recovery Services vault and Resource Guard are in the same subscription. The backup admin does not have access to the Resource Guard.
There are other complicated scenarios that you can accomplish using different subscriptions and/or two different tenants or directories. Please refer to the official documentation here for more information.
Assuming you have all the prerequisites in place, take now the following steps:
Creating a Resource Guard
The first step is to create a Resource Guard resource. This step must be performed by the Security admin persona. Please note that the Backup admin must NOT have ‘Contributor’ access on the Resource Guard or the subscription that contains it.
Open the Azure Portal, search for “Resource Guards“, then click “+ Create” to start creating a new Resource Guard.
In the create blade, you need to fill in the required details for this Resource Guard as shown in the figure below.
- First, you need to make sure the Resource Guard is in the same Azure regions as the Recovery Services vault. In this example, West Europe.
- Next, add a description with details about how to get or request access to perform actions on associated vaults when needed. This description would also appear in the associated vaults for guiding the backup admin on how to get the required permissions. For example, you can enter: To gain permissions and perform critical backup operations, please use Privileged Identity Management (PIM).
As mentioned earlier, the Resource Guard can be in a different subscription or in a different tenant as the vault. However, it should be in the same Azure region as the Recovery Services vault. In this example, the Resource Guard and the vault are in the same subscription and in the same region.
Optionally, you can add any tags to the Resource Guard as per your requirements. Next, click ‘Review + Create’ when done, and then click ‘Create’.
You will receive a notification message that the Resource Guard creation was completed successfully.
Assign Reader role on the subscription
As a Security admin, you need to assign the ‘Reader’ role on the subscription containing the Resource Guard resource. This could be on the same subscription or another one.
As a Security admin, login to the Azure Portal and navigate to the subscription where the Resource Guard is created as described in the previous step. Then browse to the Access control (IAM) blade of the Resource Guard on the corresponding subscription and set the ‘Reader’ role for the user(s) or security group as shown in the figure below. Please note you can assign the ‘Reader’ role on the management group level instead of a subscription.
Please note that this step is required by the subsequent step where the Backup admin needs to enable Multi-User Authorization (MUA) on the Recovery Services vault.
Enable MUA on a Recovery Services vault
In this step, the Backup admin needs to enable Multi-User Authorization (MUA) on the Recovery Services vault.
Once the ‘Reader’ role is assigned as described in the previous step, the Backup admin login with their account and then goes to the Recovery Services vault, he navigates to ‘Properties’ on the left navigation panel, then under ‘Multi-User Authorization’ click ‘Update’ as shown in the figure below.
Next, the Backup admin is presented with the option to enable MUA and choose the Resource Guard as shown in the figure below.
You have two options to enable MUA:
1) You can either specify the URI of the Resource Guard, or make sure you specify the URI of a Resource Guard that you have ‘Reader’ access to and that is the same region as the Recovery Services vault. As the Security Admin to give you this information, you can find the URI (Resource Guard ID) of the Resource Guard on its ‘Overview’ page as shown in the figure below.
2) Or the easier way is to select the Resource Guard from the list of Resource Guards you have ‘Reader’ access to which are available in the same region. Click ‘Select Resource Guard’, and then click on the dropdown list and select the directory (tenant) where the Resource Guard is created. Once done click ‘Authenticate’ to validate your identity and access. Once authenticated, choose the Resource Guard from the list displayed as shown in the figure below.
And finally, click ‘Save’ once Resource Guard is selected to enable MUA.
Protect against critical backup operations
Once you have enabled Multi-User Authorization (MUA) as described in the previous step, the critical operations in scope (i.e., Disable Soft delete) will be restricted on the Recovery Services vault. For example, if the Backup admin tries to perform those operations without having the required role (i.e., Contributor role) on the Resource Guard.
The below workflow is an illustration of what happens when the Backup admin tries to perform such a protected operation (i.e., Disable Soft delete).
1) The Backup admin login with his account and then navigates to the Recovery Services Vault > Properties > Security Settings and clicks on Update.
2) Next, the Backup admin tries to disable soft delete by toggling the slider as shown in the figure below and then clicking Save.
3) When they proceed to click ‘Save’ the request fails with an error informing them about not having sufficient permissions on the Resource Guard to let them perform this operation as shown in the figure below.
4) If the Resource Guard is in a different tenant (directory) of the vault, they will be informed that this is a protected operation and they need to verify their access to the Resource Guard.
5) Next, they can choose the directory containing the Resource Guard and Authenticate themselves.
Similarly, if the Backup admin tries to disable and remove the Resource Guard from the Recovery Services Vault > Properties > Multi-User Authorization > Update, and then uncheck Protect with Resource Guard, they will get an error message once they click ‘Save’ as shown in the figure below.
Authorizing critical backup operations with PIM
There are cases where the Backup admin may need to perform critical operations on your backups. MUA can help you ensure that these operations are performed only when the right organizational approvals or permissions exist.
To proceed with any critical backup operations, the Backup admin needs to have the ‘Contributor’ role on the Resource Guard.
The Backup admin requests the ‘Contributor’ role from the Security admin on the Resource Guard. This access can be requested using different methods which are approved by the organization such as Just-In-Time (JIT) procedures, like Azure AD Privileged Identity Management (PIM), or other internal tools and procedures.
For this example, we will leverage Azure AD Privileged Identity Management (PIM) to request permissions, approve, and then perform critical operations.
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. Please note that PIM requires an Azure AD Premium P2 license, you can find more details here.
In the following example, I am using a Resource Guard created in the same tenant containing the Recovery Services vault (Backup tenant). Please remember this is just one example of implementing approval-based JIT access to the Resource Guard. As mentioned above, you can also have the Resource Guard created in a different tenant from the one containing the Recovery Services vault tenant.
Assuming you have the required license in place, take now the following steps.
Step 1 – Create eligible assignment (Security admin)
As a Security admin, you need first to create an eligible assignment (as a Contributor) for the Backup admin.
From the tenant where the Resource Guard is created, open the Azure Portal, search for “Privileged Identity Management“, then under ‘Manage’ on the left menu blade, select Azure Resources.
Make sure the ‘Resource Type:’ is set to Resource or Resource group to which you want to assign the ‘Contributor’ role, and then search for the Resource Guard (Resource or RG) as shown in the figure below.
Once you selected the Resource Guard resource, navigate to ‘Assignments’ under the ‘Manage’ section on the left menu, and then click ‘+ Add assignments’.
Next, select the role as ‘Contributor’, then go to ‘Select members’ and add the username (or email IDs) of the Backup admin as shown in the figure below. Click ‘Next >’ to continue.
Under Assignment type, choose ‘Eligible’, and then specify the duration for which the eligibility permission is valid. The maximum allowed eligible duration is 1 year.
Finally, click ‘Assign’.
Step 2 – Enable approval for requests (Security admin)
The next step is to enable the approval requests. The Security admin must specify that all requests for ‘Activating’ an eligible request must be approved by the Security admin or by a team member of the security department.
Select the resource (the Resource Guard or the containing subscription/RG) for which you created the eligible assignment as described in the previous step.
In the selected resource, navigate to ‘Assignments’ under the ‘Manage’ section on the left menu, then go to ‘Settings’ on the top menu as shown in the figure below.
Next, search and select the ‘Contributor’ role from the list of roles displayed. On the ‘Role settings details – Contributor’ page, click the Edit button.
On the ‘Edit role setting – Contributor’ page, enable ‘Require approval to activate’ and then add the approvers who need to approve any incoming request for activation as shown in the figure below (this could be an individual member or a security group).
You can also modify other settings as per your organization’s requirements such as the maximum duration for the activation (hours), etc.
Once done, click ‘Update’.
Step 3 – Create a request for activation (Backup admin)
Now, whenever the Backup admin needs to perform a critical backup operation on a Multi-User Authorization (MUA) enabled Recovery Services vault, the Backup admin should raise a request using PIM for the approvers to approve it.
The Backup admin navigates to the “Privileged Identity Management” in the Azure portal. Please note that if the Resource Guard is created in a different tenant, then the Backup admin must switch the directory and go to the directory that contains the Resource Guard.
Next, navigate to ‘My roles’ > ‘Azure resources’ on the left menu.
The Backup admin will see an ‘Eligible assignments’ for the ‘Contributor’ role. Under the Action column, click ‘Activate’ to activate it as shown in the figure below.
Next, the Backup admin needs to provide an activation reason, he could also set the activation start time, and finally, click ‘Activate’.
The Backup admin is informed via the Azure Portal notification that the request is sent for approval.
Step 4 – Approve activation request (Security admin)
The final step is to approve the request by the Security admin.
The Security admin now needs to approve the request for assigning the ‘Contributor’ role to the Backup admin.
In the tenant where the Resource Guard is created, the Security admin navigates to ‘Privileged Identity Management’ > ‘Approve Requests’ > ‘Azure resources’.
The Security admin sees a request from the Backup admin requesting activation as ‘Contributor’.
If the Security admin finds the request to be legitimate, they ‘Approve’ it as shown in the figure below.
Next, the Backup admin is informed by email (or other organizational alerting mechanisms) that their request is now approved.
The Backup admin has now the ‘Contributor’ role and he can perform critical backup operations directly in the Recovery Services vault.
That’s there you have it!
In this article, I showed you how to use Multi-User Authorization (MUA) in Azure Backup that can help you to add a layer of authorization for critical backup operations like policy modifications, disabling soft delete, and vault deletions to safeguard against Ransomware and rogue admin scenarios.
Resource Guards provide an additional authorization layer to protect critical operations that can affect data availability. As illustrated in this guide, you need to ensure that you have Resource Guard Reader permissions on the Resource Guard before protecting the vault. Removing Resource Guard protection will always require additional authorization.
With MUA, the Backup admin could request permission to perform critical operations such as disabling soft delete, deleting backups, etc. from the security admin using Privileged Identity Management (PIM) service. The Security admin could grant Just-In-Time (JIT) access to the Backup admin to operate using PIM, and then the access is removed automatically.
At the time of this writing, the supported critical operations with MUA are (Disable Soft delete and Remove MUA protection), more backup operations are coming very soon such as modifying backup policy, stop protection, etc. Stay Tuned!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.