You dont have javascript enabled! Please enable it! Ransomware Protection With Azure Backup | Expert Guide - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Ransomware Protection With Azure Backup | Expert Guide

9 Min. Read

I’m sure you know the continuous increase in ransomware attacks across industries worldwide. These attacks have been increasing, not only in terms of frequency but in terms of the complexity and sophistication that happen every day. Backups are a key target for ransomware attackers and hence a rise in the need for security and ransomware protection for our backups.

It is crucial to have a solid business continuity and disaster recovery (BCDR) strategy in place to effectively address ransomware attacks and reduce their impact on your business operations. This comprehensive guide will discuss how to protect your backups from ransomware with Azure Backup.


Azure Backup ensures your backup data is stored securely by leveraging the built-in security capabilities of the Azure platform role-based access control (RBAC) and encryption. In addition, with the new capabilities for soft-deleteMulti-User Authorization, and Immutable vault, Azure Backup protects against any accidental and malicious attempts to delete your backups.

With a powerful architecture built into Azure, Azure Backup does all this for you in a simple, secure, and cost-effective manner without needing you to worry about anything at all.

Some of the recent surveys have shown some unpleasant statistics. In 2022 every 11 seconds a company was hit by a ransomware attack and the average cost it took to recover from the ransomware attack is around 1.4 million dollars. Only 57% of these companies they’re able to recover their data successfully, hence we can understand that backup must be secured from any threats like ransomware, data exfiltration, tampering, and encryption from malicious insider or outsider attackers.

Azure Backup has incorporated many security capabilities that are part of the Business Continuity and Disaster Recovery (BCDR) strategy for organizations. We have capabilities that help you control who accesses your data with Multi-factor authentication (MFA) including custom and user-predefined roles with role-based access control. We also have a ransomware protection capability called Multi-User Authorization (MUA) which we will discuss later.

Your backups are encrypted by default, but you can store them securely and have encryption at rest with customer-managed keys. You can also leverage private endpoints to perform and store your backups securely.

With immutable vaults and soft delete, you can keep your BCDR data safe and recoverable from accidental or malicious deletions. Azure Backup includes features to govern and manage your backup data that help improve your security posture with security alerts and compliance certifications.

Ransomware Protection with Azure Backup

Let’s dive in and showcase each Azure Backup security feature in more detail.

Authentication and Authorisation

Azure Backup uses Microsoft Entra ID (formerly, Azure Active Directory) for Identity Management which will help you leverage the Multi-factor authentication (MFA) advanced security to protect your data against compromised credentials.

You can manage access to backup resources using Azure role-based access control (Azure RBAC) to protect against unauthorized access, you can define and create custom roles, as well as use predefined built-in roles provided by Azure Backup:

* Backup Contributor – This role has all permissions to create and manage backup except deleting the Recovery Services vault and giving access to others. Imagine this role as admin of backup management who can do every backup management operation.

* Backup Operator – This role has permission to do everything as the Backup Contributor does except remove backup and manage backup policies. This role is equivalent to contributor except it can’t perform destructive operations such as stop backup with delete data or remove registration of on-premises resources.

* Backup Reader – This role has permission to view all backup management operations. Consider this role to be a monitoring person.

Azure Backup allows you to segregate duties within your team to grant only the amount of access necessary for your team members to do their jobs using Azure role-based access control (Azure RBAC) to manage Azure Backup. By combining Microsoft Entra Privileged Identity Management (PIM), you can provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused permissions.

We do have also an additional capability called Multi-User Authorization (MUA) which provides protection against malicious insider or outsider attacks that leverages Azure Resource Guard, which acts as a protective layer in between whenever a user is trying to perform a critical operation on your Recovery Services Vault or Backup Vault.

Azure Backup uses the Resource Guard as an authorization object for a Recovery Services Vault / Backup Vault. Hence, a user requesting a critical operation must have sufficient permissions on the Resource Guard as well to be able to successfully perform it. For this scenario to function as intended, the Resource Guard must be owned by a different user, and the Backup admin must not have contributor permissions on it.

Multi-User Authorization for critical operations
Multi-User Authorization for critical operations

Multi-User Authorization protects the following six critical operations:

  • Delete protection
  • Modify protection
  • Modify policy
  • Remove MUA protection
  • Generate Backup Security PIN
  • Disable Soft Delete or security features

The request access must be performed through Microsoft Entra Privileged Identity Management (PIM).

Related: Step-by-Step Protect Critical Backup Operations with Multi-User Authorization.

Backup Encryption

By default, backup data at rest is encrypted using platform-managed keys (PMK). For vaulted backups, you can choose to use customer-managed keys (CMK) to own and manage the encryption keys yourself. You must enable System-assigned or User-assigned managed identity on the Recovery Services vault to be able to use encryption with your key.

You must ensure that the managed identity for the Recovery Services vault has access to the selected Key Vault. Also, please ensure that both soft delete and purge protection are enabled on the selected Key Vault.

Azure Backup Encryption Settings
Azure Backup Encryption Settings

Additionally, you can configure encryption on the storage infrastructure using infrastructure-level encryption, which along with CMK encryption provides double encryption of data at rest.

Azure Backup Infrastructure encryption
Azure Backup Infrastructure encryption

Private Endpoints for Azure Backup

With Azure Backup, you can safely backup and restore your data using private endpoints from your Recovery Services vaults. Private endpoints use one or more private IP addresses from your Azure Virtual Network (VNet), which means that the service is effectively brought into your VNet, making it more secure. Currently, Private endpoints are not supported for Backup vaults.

First, you need to deny public network access to the Recovery Services vault as shown in the figure below. You can only create private endpoints for new Recovery Services vaults that don’t have any items registered/protected in the vault.

Deny public network access to the Recovery Services vault
Deny public network access to the Recovery Services vault

Once you deny access, you can still access the vault, but you can’t move data to/from networks that don’t contain private endpoints. So, you would need a private endpoint.

To create private endpoints for Azure Backup, go to the Recovery Services vault for which you want to create private endpoints > Networking. Go to the Private access tab and select +Private endpoint to start creating a new private endpoint as shown in the figure below.

Create private endpoints for Azure Backup
Create private endpoints for Azure Backup

The private endpoints in the vault are enabled for backup and restore of SQL and SAP HANA workloads running in an Azure VM, MARS agent backup, DPM server 2022, MABS version 4, and later. However, you can also use the vault for backup of other workloads without requiring private endpoints. Apart from being used for backup of SQL and SAP HANA workloads and backup using the MARS agent, private endpoints are also used for file recovery of Azure VM backup.

Alerts and Notifications

Azure Backup provides multiple monitoring and notification capabilities for a wide range of scenarios that help you to:

  • Monitor backup jobs and backup instances
  • Monitor overall backup health
  • Get alerted to critical backup incidents
  • Analyze historical trends
  • Audit user-triggered actions on vaults

Azure Backup offers alerts through Azure Monitor, providing a consistent experience for managing alerts across various Azure services, including Azure Backup. With Azure Monitor alerts, you can direct notifications to any supported notification channel, such as email, ITSM, Webhook, Logic App, and more. Make sure to switch to Azure Monitor alerts by going to the Vault > Properties > Monitor Settings > Update > Select Use only Azure monitor alerts and click Save as shown in the figure below.

Monitoring and reporting solutions for Azure Backup
Monitoring and reporting solutions for Azure Backup

Currently, Azure Backup provides two main types of built-in alerts:

* Security Alerts: For scenarios, such as deletion of backup data, or disabling of soft-delete functionality for vault, security alerts (of Severity Sev 0) are fired, and displayed in the Azure portal or consumed via other clients (PowerShell, CLI, and REST API). Security alerts are generated by default and can’t be turned off. However, you can control the scenarios for which the notifications (for example, emails) should be fired.

* Job Failure Alerts: For scenarios, such as backup failure and restore failure, Azure Backup provides built-in alerts via Azure Monitor (of Severity Sev 1). Unlike security alerts, you can choose to turn off Azure Monitor alerts for job failure scenarios. For example, you’ve already configured custom alert rules for job failures via Log Analytics, and don’t need built-in alerts to be fired for every job failure. By default, alerts for job failures are turned on.

For Recovery Services vaults and Backup vaults, you no longer need to use a feature flag to opt into alerts for job failure scenarios. Built-in Azure Monitor alerts are generated for job failures by default.

Last, Azure Backup sends diagnostics events that can be collected and used for the purposes of analysis, alerting, investigating, and reporting. You can configure diagnostics settings for Recovery Services vaults and Backup vaults via the Azure portal by going to the vault and selecting Diagnostics settings. Selecting + Add Diagnostic Setting lets you send one or more diagnostic events to a storage account, partner solution, event hub, or Log Analytics workspace.

Diagnostics events available for Azure Backup
Diagnostics events available for Azure Backup

Azure Backup provides the following diagnostics events. Each event provides detailed data on a specific set of backup-related artifacts:

  • CoreAzureBackup
  • AddonAzureBackupProtectedInstance
  • AddonAzureBackupJobs
  • AddonAzureBackupPolicy
  • AddonAzureBackupStorage

Data Recoverability with Soft Delete

With Soft Delete you can ensure data recoverability for free up to 14 days. Soft Delete is enabled by default on a newly created Recovery Services vault and Backup vault. It protects backup data from accidental or malicious deletes at no additional cost, allowing the recovery of that backup item before it’s permanently lost. It’s highly recommended not to disable this feature.

Data Recoverability with Soft Delete
Data Recoverability with Soft Delete

To enable Soft Delete, you first need to go to the Vault > Properties > Security Settings > Update > Select Enable Soft Delete and click Update as shown in the figure below. Soft Delete is supported for cloud workloads, as well as for hybrid workloads (using MARS, SCDPM, or MABS). Enabling soft delete for hybrid workloads also enables other security settings, such as Multi-factor authentication and alert notification for backup of workloads running in the on-premises servers.

Enable Azure Backup Soft Delete settings
Enable Azure Backup Soft Delete settings

We have also Enhanced Always-On Soft Delete which can be turned on and confirm that this operation is irreversible so that no malicious attacker can try to delete your data. Always-On soft delete is supported for Recovery Services vaults and Backup vaults.

Enable Azure Backup Always-on soft delete
Enable Azure Backup Always-on soft delete

When you enable Soft Delete, you can change the recovery period from 14 days up to a maximum of 180 days, 14 days is free of charge. You can recover your data during the Soft Delete retention period for up to 180 days.

Enable Immutable Vaults

Immutable Vaults help you protect your data by making sure that there are no destructive operations performed on your data. When you enable immutability on your vault, a recovery point once created cannot be deleted before its intended expiry, or have its retention period reduced as per the backup policy defined.

The Immutable Vaults is a vault-level setting that can be configured for both Recovery Services vaults as well as Backup vaults, some of the critical operations like stop protection with deleting data as well as modifying policies to reduce the retention period will be blocked by this security capability.

Firstly, let us go through the experience of the user where the immutability is disabled on the Recovery Services vault. When I go to the vault properties, I can view the immutability setting listed and see that it is “Not enabled” on this vault.

Immutable vault Not Enabled
Immutable vault Not Enabled

Now let us assume a scenario where a malicious intruder gains access to my credentials. They can go to the backup policy and can reduce the retention period of the associated items in the vault so that they expire sooner and result in data loss.

If they go to the backup items on the vault, they can see that they can stop the backup and delete the data forever in two steps. These actions result in data loss and immutability will protect your data against these ransomware scenarios.

Stop Backup and Delete Backup data
Stop Backup and Delete Backup data

To enable immutability, you first need to go to the Vault > Properties > Immutable Vault > Settings > Select Enable and click Apply as shown in the figure below.

Enable vault immutability
Enable vault immutability

Now, if we try to perform the same actions that a ransomware attacker tried previously. If they try to reduce the retention policy associated, you can see that they’re unable to reduce the backup policy as immutability is enabled on the vault.

Modify Backup Policy with immutability-enabled
Modify Backup Policy with immutability-enabled

Next, let’s try to stop backups. We can see that they do not have the option to delete data (only retain backup data) and the recovery points cannot expire before their retention policy.

Stop Backup experience with immutability-enabled
Stop Backup experience with immutability-enabled

With immutable vaults, you can protect your data against accidental or malicious deletions using different operations.

After reviewing my backup items and the associated policies, I can make immutability irreversible by updating the lock on immutability and consent to understand that this operation is irreversible. This enables me to protect the vault data against malicious intruders who try to disable the immutability setting and proceed to delete data.

Lock immutability for Backup vault
Lock immutability for Backup vault

Monitoring and Assessing the Security Posture

It’s important to make the most of Azure Backup’s capabilities to ensure that your backups are protected in a way that meets your needs. One way to do this is by using the BCDR security posture to assess the security of your backups and identify ways to improve it.

The Security Posture feature on the New Azure Business Continuity Center (ABCC) dashboard helps you evaluate the security of your BCDR data. It assesses how well-prepared you are to recover from any ransomware attacks, and checks if you can rely on your backup systems.

To help you protect your data, Backup uses security levels to categorize the security of your resources. These levels, which include ‘Excellent’, ‘Good’, ‘Fair’, and ‘Poor’, are determined based on the state of your vaults’ security settings. These settings include immutable vaults, soft delete, and multi-user authorization.

Azure Business Continuity Center | Security posture
Azure Business Continuity Center | Security posture

The security levels in the Business Continuity Center are described as follows:

  • Excellent security: All backups are protected against accidental deletion and ransomware attacks. To achieve excellent security, the following conditions must be true:
    • Either the immutability vault or soft-delete vault setting must be enabled and irreversible (locked/always-on).
    • Multi-user authorization (MUA) must be enabled on the vault.
  • Good security: Existing backups are protected against accidental deletions and offer better chances of data recovery. To achieve good security, either the immutability vault with a lock or soft delete must be enabled.
  • Fair security: All critical backup operations will have an additional layer of protection. To achieve fair security, multi-user authorization (MUA) must be enabled on the vault.
  • Poor security: Neither advanced protection capability is enabled, nor only reversible capabilities are enabled. Poor security can only provide protection against accidental deletions.

At the time of this writing, Azure Business Continuity Center (ABCC) is only supported in the West Central US region. More regions will be added soon.

There you have it! Happy Ransomware Protection with Azure Backup!!!

In Summary

This comprehensive guide delves into the imperative topic of safeguarding against the rising threat of ransomware attacks using Microsoft Azure Backup. We introduced Azure Backup as a robust solution, utilizing the security features inherent in the Azure platform, including role-based access control (RBAC), encryption, soft-delete, Multi-User Authorization, and Immutable vaults.

Then we explored Azure Backup’s security capabilities, such as Multi-factor Authentication (MFA), role-based access control, Multi-User Authorization (MUA), backup encryption, private endpoints, security alerts, and features like Soft Delete and Immutable Vaults that collectively fortify data protection against accidental or malicious deletions.

We concluded the guide by looking at how to enable Immutable Vaults, showcasing the effectiveness of these security measures in shielding data against potential ransomware scenarios.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

Update Rollup 2 for System Center 2022 is Now Available

Mastering Remote Desktop Services on AWS | Expert Guide


Let us know what you think, or ask a question...