This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Recovery Services vaults.
20
-
21
-
This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup.
19
+
This article describes how to configure Multi-User Authorization (MUA) for Azure Backup to enhance the security of critical operations on Recovery Services vaults. It covers the creation of a Resource Guard in a separate tenant for maximum protection and demonstrates how to request and approve critical operation access using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) within the tenant hosting the Resource Guard. Alternatively, you can use other methods to manage just-in-time (JIT) permissions based on your organizational setup.
22
20
23
21
>[!NOTE]
24
22
>- Multi-user authorization for Azure Backup is available in all public Azure regions.
25
23
>- Multi-user authorization using Resource Guard for Backup vault is now generally available. [Learn more](multi-user-authorization.md?pivots=vaults-backup-vault).
26
24
27
-
## Before you start
25
+
## Prerequisites
26
+
27
+
Before you configure Multi-user authorization for a Recovery Services vault, ensure that the following prerequisites are met:
28
28
29
-
-Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
30
-
-Ensure the Backup admin does**not** have **Contributor**, **Backup MUA Admin**, or **Backup MUA Operator** permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
31
-
-Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the providers - **Microsoft.RecoveryServices** and **Microsoft.DataProtection** . For more information, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
29
+
-The Resource Guard and the Recovery Services vault must be in the same Azure region.
30
+
-The Backup admin must**not** have **Contributor**, **Backup MUA Admin**, or **Backup MUA Operator** permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
31
+
-The subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants) must be registered to use the providers - **Microsoft.RecoveryServices** and **Microsoft.DataProtection** . For more information, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
32
32
33
33
Learn about various [MUA usage scenarios](./multi-user-authorization-concept.md?tabs=recovery-services-vault#usage-scenarios).
34
34
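Review bot: Casing of the feature name is now inconsistent within this section: the rewritten intro at new line 19 uses "Multi-User Authorization (MUA)", while the new prerequisites lead-in at line 27 and the unchanged NOTE bullets at lines 22-23 use "Multi-user authorization". Pick one form and apply it throughout. The third prerequisite bullet (line 31) also carries over a stray space before the period after **Microsoft.DataProtection**, which could be cleaned up in the same pass.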
@@ -51,7 +51,7 @@ To create the Resource Guard in a tenant different from the vault tenant, follow
51
51
:::image type="content" source="./media/multi-user-authorization/resource-guards.png" alt-text="Screenshot shows how to search resource guards." lightbox="./media/multi-user-authorization/resource-guards.png":::
52
52
53
53
- Select **Create** to start creating a Resource Guard.
54
-
- In the create blade, fill in the required details for this Resource Guard.
54
+
- In the create pane, fill in the required details for this Resource Guard.
55
55
- Make sure the Resource Guard is in the same Azure regions as the Recovery Services vault.
56
56
- Also, it's helpful to add a description of how to get or request access to perform actions on associated vaults when needed. This description would also appear in the associated vaults to guide the backup admin on getting the required permissions. You can edit the description later if needed, but having a well-defined description at all times is encouraged.
57
57
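Review bot: The context line directly under the edited step (line 55) reads "in the same Azure regions as the Recovery Services vault", plural, while the prerequisites in this same file require the same Azure region. Since this list is being touched anyway, change "regions" to "region" so the two statements of the requirement match.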
@@ -95,7 +95,7 @@ To exempt operations, follow these steps:
95
95
96
96
>[!Note]
97
97
> You can't disable the protected operations - **Disable soft delete** and **Remove MUA protection**.
98
-
1. Optionally, you can also update the description for the Resource Guard using this blade.
98
+
1. Optionally, you can also update the description for the Resource Guard using this pane.
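Review bot: The edited step at line 98 still stacks "Optionally", "can" and "also", which all say the same thing; "Optionally, update the description for the Resource Guard in this pane." reads cleaner. The alert two lines up (line 96) is written `>[!Note]` while the other alerts visible in this diff use `>[!NOTE]`; worth normalizing while the hunk is open.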
@@ -146,7 +146,7 @@ To update the operations that are to be excluded from being protected by the res
146
146
147
147
To enable MUA on a vault, the admin of the vault must have **Reader** role on the Resource Guard or subscription containing the Resource Guard. To assign the **Reader** role on the Resource Guard:
148
148
149
-
1. In the Resource Guard created above, go to the **Access Control (IAM)**blade, and then go to **Add role assignment**.
149
+
1. In the Resource Guard created above, go to the **Access Control (IAM)**pane, and then go to **Add role assignment**.
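Review bot: At line 149 the replacement kept the missing space after the closing bold markers, so the step reads "**Access Control (IAM)**pane" as shown here; it should be "**Access Control (IAM)** pane". Please confirm the source file has the space, since the removed line shows the same problem with "blade".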
@@ -335,9 +335,9 @@ Once the Backup admin raises a request for activating the **Backup MUA Operator*
335
335
1. The Backup admin is informed by email (or other organizational alerting mechanisms) that their request is now approved.
336
336
1. Once approved, the Backup admin can perform protected operations for the requested period.
337
337
338
-
## Performing a protected operation after approval
338
+
## Perform a protected operation after approval
339
339
340
-
Once the Backup admin’s request for the **Backup MUA Operator** role on the Resource Guard is approved, they can perform protected operations on the associated vault. If the Resource Guard is in another directory, the Backup admin would need to authenticate themselves.
340
+
After the Backup admin’s request for the **Backup MUA Operator** role on the Resource Guard is approved, they can perform protected operations on the associated vault. If the Resource Guard is in another directory, the Backup admin would need to authenticate themselves.
341
341
342
342
>[!NOTE]
343
343
> If the access was assigned using a JIT mechanism, the **Backup MUA Operator** role is retracted at the end of the approved period. Else, the Security admin manually removes the **Backup MUA Operator** role assigned to the Backup admin to perform the critical operation.
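Review bot: Renaming the heading at line 338 from "Performing a protected operation after approval" to "Perform a protected operation after approval" changes the section anchor generated from the heading text, so any link that targets the old anchor needs to be updated in the same change. The "Once" to "After" swap at line 340 is also only half applied: the context step at line 336 still begins "Once approved", and the NOTE at line 343 still uses "Else," where "Otherwise," would match the tone of the rewritten sentence.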
@@ -412,19 +412,19 @@ The tenant ID is required if the resource guard exists in a different tenant.
412
412
413
413
::: zone pivot="vaults-backup-vault"
414
414
415
-
This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Backup vault.
416
-
417
-
This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup.
415
+
This article describes how to configure Multi-User Authorization (MUA) for Azure Backup to enhance the security of critical operations on Backup vaults. It covers the creation of a Resource Guard in a separate tenant for maximum protection and demonstrates how to request and approve critical operation access using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) within the tenant hosting the Resource Guard. Alternatively, you can use other methods to manage just-in-time (JIT) permissions based on your organizational setup.
418
416
419
417
>[!NOTE]
420
418
>- Multi-user authorization using Resource Guard for Backup vault is now generally available.
421
419
>- Multi-user authorization for Azure Backup is available in all public Azure regions.
422
420
423
-
## Before you start
421
+
## Prerequisites
422
+
423
+
Before you configure Multi-user authorization for a Backup vault, ensure that the following prerequisites are met:
424
424
425
-
-Ensure the Resource Guard and the Backup vault are in the same Azure region.
426
-
-Ensure the Backup admin does**not** have **Contributor**, **Backup MUA Admin**, or **Backup MUA Operator** permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
427
-
-Ensure that your subscriptions contain the Backup vault as well as the Resource Guard (in different subscriptions or tenants) are registered to use the provider - **Microsoft.DataProtection**4. For more information, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
425
+
-The Resource Guard and the Backup vault must be in the same Azure region.
426
+
-The Backup admin must**not** have **Contributor**, **Backup MUA Admin**, or **Backup MUA Operator** permissions on the Resource Guard. You can choose to have the Resource Guard in another subscription of the same directory or in another directory to ensure maximum isolation.
427
+
-The subscriptions contain the Backup vault as well as the Resource Guard (in different subscriptions or tenants) must be registered to use the provider - **Microsoft.DataProtection**4. For more information, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider-1).
428
428
429
429
Learn about various [MUA usage scenarios](./multi-user-authorization-concept.md?tabs=backup-vault#usage-scenarios).
430
430
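Review bot: The third prerequisite bullet at new line 427 is ungrammatical and carries over a stray character from the line it replaces: "The subscriptions contain the Backup vault ... must be registered" should read "The subscriptions containing the Backup vault ...", as the Recovery Services vault version of this bullet does, and the "4" after **Microsoft.DataProtection** looks like a leftover that should be deleted. Both defects are present in the removed line as well, so this rewrite is the right place to fix them.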
@@ -445,7 +445,7 @@ To create the Resource Guard in a tenant different from the vault tenant as a Se
1. In the Create blade, fill in the required details for this Resource Guard.
448
+
1. In the Create pane, fill in the required details for this Resource Guard.
449
449
- Ensure that the Resource Guard is in the same Azure region as the Backup vault.
450
450
- Add a description on how to request access to perform actions on associated vaults when needed. This description appears in the associated vaults to guide the Backup admin on how to get the required permissions.
451
451
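Review bot: The new step at line 448 writes "Create pane" with a capital C, while the equivalent step in the Recovery Services vault section of this same commit uses "create pane". Use one form in both pivots; if the capitalized word is meant to be the UI label, bold it as **Create** to match how the preceding step in the other pivot formats it.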
@@ -482,7 +482,7 @@ The Backup admin must have **Reader** role on the Resource Guard or subscription
482
482
483
483
To assign the **Reader** role on the Resource Guard, follow these steps:
484
484
485
-
1. In the Resource Guard created above, go to the **Access Control (IAM)**blade, and then go to **Add role assignment**.
485
+
1. In the Resource Guard created above, go to the **Access Control (IAM)**pane, and then go to **Add role assignment**.
486
486
487
487
:::image type="content" source="./media/multi-user-authorization/demo-resource-guard-access-control.png" alt-text="Screenshot showing demo resource guard-access control for Backup vault.":::
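Review bot: The step at line 485 still says "In the Resource Guard created above" and uses "go to" twice in one sentence. Consider "In the Resource Guard you created, go to the **Access Control (IAM)** pane, and then select **Add role assignment**", which avoids the positional reference and distinguishes navigating from selecting. The same wording applies to the matching step in the Recovery Services vault pivot.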