|
2 | 2 | title: Multi-user authorization using Resource Guard
|
3 | 3 | description: An overview of Multi-user authorization using Resource Guard.
|
4 | 4 | ms.topic: conceptual
|
5 |
| -ms.date: 06/08/2022 |
| 5 | +ms.date: 09/15/2022 |
6 | 6 | author: v-amallick
|
7 | 7 | ms.service: backup
|
8 | 8 | ms.author: v-amallick
|
9 | 9 | ---
|
10 | 10 | # Multi-user authorization using Resource Guard
|
11 | 11 |
|
12 |
| -Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. |
| 12 | +Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. |
| 13 | + |
| 14 | +>[!Note] |
| 15 | +>Multi-user authorization using Resource Guard for Backup vault is in preview. |
13 | 16 |
|
14 | 17 | ## How does MUA for Backup work?
|
15 | 18 |
|
16 |
| -Azure Backup uses the Resource Guard as an authorization service for a Recovery Services vault. Therefore, to perform a critical operation (described below) successfully, you must have sufficient permissions on the associated Resource Guard as well. |
| 19 | +Azure Backup uses the Resource Guard as an additional authorization mechanism for a Recovery Services vault or a Backup vault. Therefore, to perform a critical operation (described below) successfully, you must have sufficient permissions on the associated Resource Guard as well. |
17 | 20 |
|
18 | 21 | > [!Important]
|
19 |
| -> To function as intended, the Resource Guard must be owned by a different user, and the vault admin must not have Contributor permissions. You can place Resource Guard in a subscription or tenant different from the one containing the Recovery Services vault to provide better protection. |
| 22 | +> To function as intended, the Resource Guard must be owned by a different user, and the vault admin must not have Contributor permissions. You can place Resource Guard in a subscription or tenant different from the one containing the vaults to provide better protection. |
20 | 23 |
|
21 | 24 | ## Critical operations
|
22 | 25 |
|
23 |
| -The following table lists the operations defined as critical operations and can be protected by a Resource Guard. You can choose to exclude certain operations from being protected using the Resource Guard when associating vaults with it. Note that operations denoted as Mandatory cannot be excluded from being protected using the Resource Guard for vaults associated with it. Also, the excluded critical operations would apply to all vaults associated with a Resource Guard. |
| 26 | +The following table lists the operations defined as critical operations and can be protected by a Resource Guard. You can choose to exclude certain operations from being protected using the Resource Guard when associating vaults with it. |
| 27 | + |
| 28 | +>[!Note] |
| 29 | +>You can't excluded the operations denoted as Mandatory from being protected using the Resource Guard for vaults associated with it. Also, the excluded critical operations would apply to all vaults associated with a Resource Guard. |
| 30 | +
|
| 31 | +**Choose a vault** |
| 32 | + |
| 33 | +# [Recovery Services vault](#tab/recovery-services-vault) |
24 | 34 |
|
25 |
| -**Operation** | **Mandatory/Optional** |
| 35 | +**Operation** | **Mandatory/ Optional** |
26 | 36 | --- | ---
|
27 | 37 | Disable soft delete | Mandatory
|
28 | 38 | Disable MUA protection | Mandatory
|
29 |
| -Modify backup policy (reduced retention) | Optional: Can be excluded |
30 |
| -Modify protection (reduced retention) | Optional: Can be excluded |
31 |
| -Stop protection with delete data | Optional: Can be excluded |
32 |
| -Change MARS security PIN | Optional: Can be excluded |
| 39 | +Modify backup policy (reduced retention) | Optional |
| 40 | +Modify protection (reduced retention) | Optional |
| 41 | +Stop protection with delete data | Optional |
| 42 | +Change MARS security PIN | Optional |
| 43 | + |
| 44 | +# [Backup vault (preview)](#tab/backup-vault) |
| 45 | + |
| 46 | +**Operation** | **Mandatory/ Optional** |
| 47 | +--- | --- |
| 48 | +Disable MUA protection | Mandatory |
| 49 | +Delete backup instance | Optional |
| 50 | + |
| 51 | +--- |
33 | 52 |
|
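Review bot: The added note at new line 29 reads "You can't excluded the operations denoted as Mandatory"; it should be "You can't exclude". The same change shortens the table cells from "Optional: Can be excluded" to "Optional", so this note and the sentence above it are now the only places that say what Optional means; consider stating in the note that operations marked Optional can be excluded when associating a vault. The new alerts are also written ">[!Note]" while the existing alert further down uses ">[!NOTE]"; pick one casing.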
34 | 53 | ### Concepts and process
|
35 |
| -The concepts and the processes involved when using MUA for Backup are explained below. |
| 54 | + |
| 55 | +The concepts and the processes involved when using MUA for Azure Backup are explained below. |
36 | 56 |
|
37 | 57 | Let’s consider the following two users for a clear understanding of the process and responsibilities. These two roles are referenced throughout this article.
|
38 | 58 |
|
39 |
| -**Backup admin**: Owner of the Recovery Services vault and performs management operations on the vault. To begin with, the Backup admin must not have any permissions on the Resource Guard. |
| 59 | +**Backup admin**: Owner of the Recovery Services vault or the Backup vault who performs management operations on the vault. To begin with, the Backup admin must not have any permissions on the Resource Guard. |
40 | 60 |
|
41 | 61 | **Security admin**: Owner of the Resource Guard and serves as the gatekeeper of critical operations on the vault. Hence, the Security admin controls permissions that the Backup admin needs to perform critical operations on the vault.
|
42 | 62 |
|
43 | 63 | Following is a diagrammatic representation for performing a critical operation on a vault that has MUA configured using a Resource Guard.
|
44 | 64 |
|
45 |
| -:::image type="content" source="./media/multi-user-authorization/configure-mua-using-resource-card-diagram.png" alt-text="Diagrammatic representation on configuring M U A using a Resource Guard."::: |
| 65 | +:::image type="content" source="./media/multi-user-authorization/configure-multi-user-authorization-using-resource-guard-diagram.png" alt-text="Diagrammatic representation on configuring MUA using a Resource Guard."::: |
46 | 66 |
|
47 |
| -Here is the flow of events in a typical scenario: |
| 67 | +Here's the flow of events in a typical scenario: |
48 | 68 |
|
49 |
| -1. The Backup admin creates the Recovery Services vault. |
50 |
| -1. The Security admin creates the Resource Guard. The Resource Guard can be in a different subscription or a different tenant with respect to the Recovery Services vault. It must be ensured that the Backup admin does not have Contributor permissions on the Resource Guard. |
| 69 | +1. The Backup admin creates the Recovery Services vault or the Backup vault. |
| 70 | +1. The Security admin creates the Resource Guard. The Resource Guard can be in a different subscription or a different tenant with respect to the vault. It must be ensured that the Backup admin doesn't have Contributor permissions on the Resource Guard. |
51 | 71 | 1. The Security admin grants the **Reader** role to the Backup Admin for the Resource Guard (or a relevant scope). The Backup admin requires the reader role to enable MUA on the vault.
|
52 |
| -1. The Backup admin now configures the Recovery Services vault to be protected by MUA via the Resource Guard. |
| 72 | +1. The Backup admin now configures the vault to be protected by MUA via the Resource Guard. |
53 | 73 | 1. Now, if the Backup admin wants to perform a critical operation on the vault, they need to request access to the Resource Guard. The Backup admin can contact the Security admin for details on gaining access to perform such operations. They can do this using Privileged Identity Management (PIM) or other processes as mandated by the organization.
|
54 | 74 | 1. The Security admin temporarily grants the **Contributor** role on the Resource Guard to the Backup admin to perform critical operations.
|
55 | 75 | 1. Now, the Backup admin initiates the critical operation.
|
56 | 76 | 1. The Azure Resource Manager checks if the Backup admin has sufficient permissions or not. Since the Backup admin now has Contributor role on the Resource Guard, the request is completed.
|
57 |
| - - If the Backup admin did not have the required permissions/roles, the request would have failed. |
| 77 | + |
| 78 | + If the Backup admin didn't have the required permissions/roles, the request would have failed. |
| 79 | + |
58 | 80 | 1. The security admin ensures that the privileges to perform critical operations are revoked after authorized actions are performed or after a defined duration. Using JIT tools [Azure Active Directory Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) may be useful in ensuring this.
|
59 | 81 |
|
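Review bot: The image source on new line 65 now points to configure-multi-user-authorization-using-resource-guard-diagram.png, but no change to the media folder is visible in this diff. Confirm that the renamed PNG is part of the same commit, otherwise the diagram under Concepts and process will not render. In step 8, the sentence "If the Backup admin didn't have the required permissions/roles, the request would have failed." moved from a sub-bullet to a standalone paragraph; check that it is still indented under the list item so the final step keeps its number.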
60 | 82 | >[!NOTE]
|
61 |
| ->- MUA provides protection on the above listed operations performed on the Recovery Services vaults only. Any operations performed directly on the data source (i.e., the Azure resource/workload that is protected) are beyond the scope of the Resource Guard. |
62 |
| ->- This feature is currently available via the Azure portal only. |
63 |
| ->- This feature is currently supported for Recovery Services vaults only and not available for Backup vaults. |
| 83 | +>MUA provides protection on the above listed operations performed on the vaulted backups only. Any operations performed directly on the data source (that is, the Azure resource/workload that is protected) are beyond the scope of the Resource Guard. |
64 | 84 |
|
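Review bot: The rewritten note says MUA protects operations "performed on the vaulted backups only", but the critical operations tables in this same change list vault-level settings such as Disable soft delete and Disable MUA protection, so "performed on the vaults" would describe the scope more accurately. The change also drops the bullet "This feature is currently available via the Azure portal only." without a replacement; only the Backup vault restriction is superseded by the rest of this commit, so keep the portal-only bullet if that limitation still applies.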
65 | 85 | ## Usage scenarios
|
66 | 86 |
|
67 |
| -The following table depicts scenarios for creating your Resource Guard and Recovery Services vault (RS vault), along with the relative protection offered by each. |
| 87 | +The following table lists the scenarios for creating your Resource Guard and vaults (Recovery Services vault and Backup vault), along with the relative protection offered by each. |
68 | 88 |
|
69 | 89 | >[!Important]
|
70 | 90 | > The Backup admin must not have Contributor permissions to the Resource Guard in any scenario.
|
71 | 91 |
|
72 | 92 | **Usage scenario** | **Protection due to MUA** | **Ease of implementation** | **Notes**
|
73 | 93 | --- | --- |--- |--- |
|
74 |
| -RS vault and Resource Guard are **in the same subscription.** </br> The Backup admin does not have access to the Resource Guard. | Least isolation between the Backup admin and the Security admin. | Relatively easy to implement since only one subscription is required. | Resource level permissions/ roles need to be ensured are correctly assigned. |
75 |
| -RS vault and Resource Guard are **in different subscriptions but the same tenant.** </br> The Backup admin does not have access to the Resource Guard or the corresponding subscription. | Medium isolation between the Backup admin and the Security admin. | Relatively medium ease of implementation since two subscriptions (but a single tenant) are required. | Ensure that that permissions/ roles are correctly assigned for the resource or the subscription. |
76 |
| -RS vault and Resource Guard are **in different tenants.** </br> The Backup admin does not have access to the Resource Guard, the corresponding subscription, or the corresponding tenant.| Maximum isolation between the Backup admin and the Security admin, hence, maximum security. | Relatively difficult to test since requires two tenants or directories to test. | Ensure that permissions/ roles are correctly assigned for the resource, the subscription or the directory. |
77 |
| - |
78 |
| - >[!NOTE] |
79 |
| - > For this article, we will demonstrate creation of the Resource Guard in a different tenant that offers maximum protection. In terms of requesting and approving requests for performing critical operations, this article demonstrates the same using [Azure Active Directory Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup. |
| 94 | +Vault and Resource Guard are **in the same subscription.** </br> The Backup admin does't have access to the Resource Guard. | Least isolation between the Backup admin and the Security admin. | Relatively easy to implement since only one subscription is required. | Resource level permissions/ roles need to be ensured are correctly assigned. |
| 95 | +Vault and Resource Guard are **in different subscriptions but the same tenant.** </br> The Backup admin doesn't have access to the Resource Guard or the corresponding subscription. | Medium isolation between the Backup admin and the Security admin. | Relatively medium ease of implementation since two subscriptions (but a single tenant) are required. | Ensure that that permissions/ roles are correctly assigned for the resource or the subscription. |
| 96 | +Vault and Resource Guard are **in different tenants.** </br> The Backup admin doesn't have access to the Resource Guard, the corresponding subscription, or the corresponding tenant.| Maximum isolation between the Backup admin and the Security admin, hence, maximum security. | Relatively difficult to test since requires two tenants or directories to test. | Ensure that permissions/ roles are correctly assigned for the resource, the subscription or the directory. |
80 | 97 |
|
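Review bot: In the first table row the added text has "The Backup admin does't have access"; it should be "doesn't". Since all three rows are being rewritten, also fix the carried-over "Ensure that that permissions/ roles" in the second row and the phrasing "Resource level permissions/ roles need to be ensured are correctly assigned" in the first. The removed note explained that the article demonstrates the different-tenant setup with PIM; check that the linked configuration article still states this, because it no longer appears here.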
81 | 98 | ## Next steps
|
82 | 99 |
|
83 |
| -[Configure Multi-user authorization using Resource Guard](multi-user-authorization.md) |
| 100 | +[Configure Multi-user authorization using Resource Guard](multi-user-authorization.md). |