You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The concepts and the processes involved when using MUA for Azure Backup are explained below.
56
56
57
-
Let’s consider the following two users for a clear understanding of the process and responsibilities. These two roles are referenced throughout this article.
57
+
Let’s consider the following two personas for a clear understanding of the process and responsibilities. These two personas are referenced throughout this article.
58
58
59
-
**Backup admin**: Owner of the Recovery Services vault or the Backup vault who performs management operations on the vault. To begin with, the Backup admin must not have any permissions on the Resource Guard.
59
+
**Backup admin**: Owner of the Recovery Services vault or the Backup vault who performs management operations on the vault. To begin with, the Backup admin must not have any permissions on the Resource Guard. This can be *Backup Operator* or *Backup Contributor* RBAC role on the Recovery Services vault.
60
60
61
-
**Security admin**: Owner of the Resource Guard and serves as the gatekeeper of critical operations on the vault. Hence, the Security admin controls permissions that the Backup admin needs to perform critical operations on the vault.
61
+
**Security admin**: Owner of the Resource Guard and serves as the gatekeeper of critical operations on the vault. Hence, the Security admin controls permissions that the Backup admin needs to perform critical operations on the vault. This can be *Backup MUA Admin* RBAC role on the Resource Guard.
62
62
63
63
Following is a diagrammatic representation for performing a critical operation on a vault that has MUA configured using a Resource Guard.
64
64
@@ -67,20 +67,22 @@ Following is a diagrammatic representation for performing a critical operation o
67
67
Here's the flow of events in a typical scenario:
68
68
69
69
1. The Backup admin creates the Recovery Services vault or the Backup vault.
70
-
1. The Security admin creates the Resource Guard. The Resource Guard can be in a different subscription or a different tenant with respect to the vault. It must be ensured that the Backup admin doesn't have Contributor permissions on the Resource Guard.
71
-
1. The Security admin grants the **Reader** role to the Backup Admin for the Resource Guard (or a relevant scope). The Backup admin requires the reader role to enable MUA on the vault.
72
-
1. The Backup admin now configures the vault to be protected by MUA via the Resource Guard.
73
-
1. Now, if the Backup admin wants to perform a critical operation on the vault, they need to request access to the Resource Guard. The Backup admin can contact the Security admin for details on gaining access to perform such operations. They can do this using Privileged Identity Management (PIM) or other processes as mandated by the organization.
74
-
1. The Security admin temporarily grants the **Contributor** role on the Resource Guard to the Backup admin to perform critical operations.
75
-
1. Now, the Backup admin initiates the critical operation.
76
-
1. The Azure Resource Manager checks if the Backup admin has sufficient permissions or not. Since the Backup admin now has Contributor role on the Resource Guard, the request is completed.
70
+
2. The Security admin creates the Resource Guard.
77
71
78
-
If the Backup admin didn't have the required permissions/roles, the request would have failed.
72
+
The Resource Guard can be in a different subscription or a different tenant with respect to the vault. Ensure that the Backup admin doesn't have Contributor permissions on the Resource Guard.
79
73
80
-
1. The security admin ensures that the privileges to perform critical operations are revoked after authorized actions are performed or after a defined duration. Using JIT tools [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) may be useful in ensuring this.
74
+
3. The Security admin grants the Reader role to the Backup Admin for the Resource Guard (or a relevant scope). The Backup admin requires the reader role to enable MUA on the vault.
75
+
4. The Backup admin now configures the vault to be protected by MUA via the Resource Guard.
76
+
5. Now, if the Backup admin or any user who has write access to the vault wants to perform a critical operation that is protected with Resource Guard on the vault, they need to request access to the Resource Guard. The Backup Admin can contact the Security admin for details on gaining access to perform such operations. They can do this using Privileged Identity Management (PIM) or other processes as mandated by the organization. They can request for “Backup MUA Operator” RBAC role which allows users to perform only critical operations protected by the Resource Guard and does not allow to delete the resource Guard.
77
+
6. The Security admin temporarily grants the “Backup MUA Operator” role on the Resource Guard to the Backup admin to perform critical operations.
78
+
7. Then the Backup admin initiates the critical operation.
79
+
8. The Azure Resource Manager checks if the Backup admin has sufficient permissions or not. Since the Backup admin now has “Backup MUA Operator” role on the Resource Guard, the request is completed. If the Backup admin doesn't have the required permissions/roles, the request will fail.
80
+
9. The Security admin must ensure to revoke the privileges to perform critical operations after authorized actions are performed or after a defined duration. You can use *JIT tools Microsoft Entra Privileged Identity Management* to ensure the same.
81
81
82
-
>[!NOTE]
83
-
>MUA provides protection on the above listed operations performed on the vaulted backups only. Any operations performed directly on the data source (that is, the Azure resource/workload that is protected) are beyond the scope of the Resource Guard.
82
+
83
+
>[!Note]
84
+
>- If you grant the **Contributor** role on the Resource Guard access temporarily to the Backup Admin, it also provides the delete permissions on the Resource Guard. We recommend you to provide **Backup MUA Operator** permissions only.
85
+
>- MUA provides protection on the above listed operations performed on the vaulted backups only. Any operations performed directly on the data source (that is, the Azure resource/workload that is protected) are beyond the scope of the Resource Guard.
0 commit comments