Commit befb5d5

Merge pull request #257576 from AbhishekMallick-MS/Nov-2-2023-MARS
Save passphrase in Key Vault GA
2 parents 18ccf9d + b210822 commit befb5d5

5 files changed: +81 -17 lines changed


articles/backup/backup-azure-manage-mars.md

Lines changed: 29 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Manage and monitor MARS Agent backups
33
description: Learn how to manage and monitor Microsoft Azure Recovery Services (MARS) Agent backups by using the Azure Backup service.
44
ms.reviewer: srinathv
55
ms.topic: how-to
6-
ms.date: 12/28/2022
6+
ms.date: 11/07/2023
77
ms.service: backup
88
ms.custom: engagement-fy23
99
author: AbhishekMallick-MS
@@ -21,7 +21,7 @@ When you modify backup policy, you can add new items, remove existing items from
2121
- **Remove Items** use this option to remove items from being backed up.
2222
- Use **Exclusion Settings** for removing all items within a volume instead of **Remove Items**.
2323
- Clearing all selections in a volume causes old backups of the items, to be retained according to retention settings at the time of the last backup, without scope for modification.
24-
- Reselecting these items, leads to a first full-backup and new policy changes aren't applied to old backups.
24+
- By reselecting these items, lead to a first full-backup and new policy changes aren't applied to old backups.
2525
- Unselecting entire volume retains past backup without any scope for modifying retention policy.
2626
- **Exclusion Settings** use this option to exclude specific items from being backed up.
2727

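Review bot: The replacement at new line 24 is no longer a grammatical sentence: "By reselecting these items, lead to a first full-backup" has no subject for "lead". The removed wording only needed its comma dropped; suggest "Reselecting these items leads to a first full backup, and new policy changes aren't applied to old backups."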
@@ -84,7 +84,7 @@ You can add exclusion rules to skip files and folders that you don't want to be
8484

8585
## Stop protecting Files and Folder backup
8686

87-
There are two ways to stop protecting Files and Folders backup:
87+
There are three ways to stop protecting Files and Folders backup:
8888

8989
- **Stop protection and retain backup data**.
9090
- This option will stop all future backup jobs from protection.
@@ -94,6 +94,12 @@ There are two ways to stop protecting Files and Folders backup:
9494
- **Stop protection and delete backup data**.
9595
- This option will stop all future backup jobs from protecting your data. If the vault security features are not enabled, all recovery points are immediately deleted.<br>If the security features are enabled, the deletion is delayed by 14 days, and you'll receive an alert email with a message: *Your data for this Backup item has been deleted. This data will be temporarily available for 14 days, after which it will be permanently deleted* and a recommended action *Reprotect the Backup item within 14 days to recover your data.*<br>In this state, the retention policy continues to apply, and the backup data remains billable. [Learn more](backup-azure-security-feature.md#enable-security-features) on how to enable vault security features.
9696
- To resume protection, reprotect the server within 14 days from the delete operation. In this duration, you can also restore the data to an alternate server.
97+
- **Stop protection and retain data by policy**.
98+
- This option stops future backup jobs from protection.
99+
- Azure Backup service will prune recovery points as per the policy configured.
100+
- You can restore the backed-up data from existing recovery points.
101+
- To resume protection, use the **Re-enable backup schedule** option. After that, data will be retained based on the new retention policy.
102+
- If all recovery points expire before reenabling backup, you need to do a full initial backup of the data source.
97103

98104
### Stop protection and retain backup data
99105

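Review bot: The new bullet at line 97 is named "Stop protection and retain data by policy", while the existing first option is "Stop protection and retain backup data" and the section added later in this file is headed "Stop protection and retain backup data by policy"; use one name so readers can match the summary to the procedure. The sub-bullets should also say that this option needs MARS 2.0.9262.0 or later, which this file only states in the note after the steps, and "reenabling" at line 102 should match the hyphenated **Re-enable backup schedule** at line 101.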
@@ -134,6 +140,26 @@ There are two ways to stop protecting Files and Folders backup:
134140

135141
After you delete the on-premises backup items, follow the next steps from the portal.
136142

143+
144+
145+
146+
### Stop protection and retain backup data by policy
147+
148+
Follow these steps:
149+
150+
1. Open the *MARS management* console, go to the **Actions** pane, and then select **Schedule Backup**.
151+
2. On the **Select Policy Item** page, select **Modify a backup schedule for your files and folders** > **Next**.
152+
3. On the **Modify or Stop a Scheduled Backup** page, select **Stop using this backup schedule, and enable RP pruning as per policy** > **Next**.
153+
4. On **Pause Scheduled Backup**, review the information and select **Finish**.
154+
5. On **Modify backup progress**, check if your schedule backup pause is in *Success* status, and select **Close** to finish.
155+
156+
>[!Note]
157+
>This feature is supported from MARS *2.0.9262.0* or later.
158+
159+
160+
161+
162+
137163
## Re-enable protection
138164

139165
If you stopped protection while retaining data and decided to resume protection, then you can re-enable the backup schedule using modify backup policy.
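Review bot: The version requirement at lines 156-157 comes after the five steps, so a reader on an older agent looks for **Stop using this backup schedule, and enable RP pruning as per policy** at step 3 before learning that it is not available; move the note above "Follow these steps:". Step 3 also uses "RP" without expanding it to recovery point, step 5 reads more clearly as "check that the schedule pause shows *Success*", and the runs of empty lines at 143-146 and 158-162 can be reduced to one each.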

articles/backup/backup-azure-security-feature.md

Lines changed: 8 additions & 3 deletions
@@ -79,7 +79,12 @@ Checks have been added to make sure only valid users can perform various operati
7979

8080
### Authentication to perform critical operations
8181

82-
As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform **Stop Protection with Delete data** and **Change Passphrase** operations.
82+
As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform **Stop Protection with Delete data** and **Change Passphrase** operations for DPM, MABS, and MARS.
83+
84+
Additionally, with MARS version *2.0.9262.0* and later, the operations to remove a volume from MARS file/folder backup, add a new exclusion setting for an existing volume, reduce retention duration, and move to a less-frequent backup schedule are also protected with a security pin for additional security.
85+
86+
87+
8388

8489
> [!NOTE]
8590
> Currently, for the following DPM and MABS versions, security PIN is supported for **Stop Protection with Delete data** to online storage:
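Review bot: The sentence added at line 84 packs four newly PIN-protected operations into one clause and ends with "protected with a security pin for additional security"; a bulleted list of the four operations would be easier to scan, "security pin" should match the "security PIN" casing at line 82, and "for additional security" is redundant. Line 82 now names DPM, MABS, and MARS, but the context note that follows still lists PIN support for DPM and MABS versions only, so it is worth stating whether MARS agents older than 2.0.9262.0 prompt for the PIN on the two original operations. The three empty lines at 85-87 can be dropped.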
@@ -141,9 +146,9 @@ The following table lists the disallowed operations for MARS when immutability i
141146
| Disallowed operation | Result with latest MARS agent | Result with old MARS agent |
142147
| --- | --- | --- |
143148
| **Stop protection with delete data for system state** | Error 810001 <br><br> User trying to delete backup item or stop protection with delete data where backup item has valid (unexpired) recovery point. | Error 130001 <br><br> Microsoft Azure Backup encountered an internal error. |
144-
| **Stop protection with delete data for file/folder** | Error 810001 <br><br> User trying to delete backup item or stop protection with delete data where backup item has valid (unexpired) recovery point. | Error 130001 <br><br> Microsoft Azure Backup encountered an internal error. |
149+
| **Stop protection with delete data** | Error 810001 <br><br> User trying to delete backup item or stop protection with delete data where backup item has valid (unexpired) recovery point. | Error 130001 <br><br> Microsoft Azure Backup encountered an internal error. <br><br> MARS *2.0.9262.0* and later provide the option of stopping protection and retaining recovery points according to the policy in the console. |
145150
| **Reduce online retention period** | User trying to modify policy or protection with reduction of retention. | 130001 <br><br> Microsoft Azure Backup encountered an internal error. |
146-
| **Remove-OBPolicy with -DeleteBackup flag** | 810001 <br><br> User trying to delete backup item or stop protection with delete data where backup item has valid (unexpired) recovery point. <br><br> Use *–EnablePruning* flag to retain backups up to their retention period. | 130001 <br><br> Microsoft Azure Backup encountered an internal error. <br><br> Don't use the *-DeleteBackup* flag. |
151+
| **Remove-OBPolicy with -DeleteBackup flag** | 810001 <br><br> User trying to delete backup item or stop protection with delete data where backup item has valid (unexpired) recovery point. <br><br> Use *–EnablePruning* flag to retain backups up to their retention period. | 130001 <br><br> Microsoft Azure Backup encountered an internal error. <br><br> Don't use the *-DeleteBackup* flag. <br><br> MARS *2.0.9262.0* and later provide the option of stopping protection and retaining recovery points according to the policy in the console. |
147152

148153

149154
## Next steps
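Review bot: The sentence "MARS *2.0.9262.0* and later provide the option of stopping protection and retaining recovery points according to the policy in the console" is added to the "Result with old MARS agent" column in both changed rows (lines 149 and 151), where it reads as a property of the old agent; phrase it as an action for that column ("Upgrade to MARS 2.0.9262.0 or later to ...") or move it to the "Result with latest MARS agent" column. Renaming the row at line 149 to "Stop protection with delete data" also makes it overlap the "for system state" row directly above it, so either keep the file/folder qualifier or merge the two rows.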

articles/backup/install-mars-agent.md

Lines changed: 3 additions & 3 deletions
@@ -2,7 +2,7 @@
22
title: Install the Microsoft Azure Recovery Services (MARS) agent
33
description: Learn how to install the Microsoft Azure Recovery Services (MARS) agent to back up Windows machines.
44
ms.topic: how-to
5-
ms.date: 08/18/2023
5+
ms.date: 11/07/2023
66
ms.service: backup
77
author: AbhishekMallick-MS
88
ms.author: v-abhmallick
@@ -62,7 +62,7 @@ To modify the storage replication type:
6262
> You can't modify the storage replication type after the vault is set up and contains backup items. If you want to do this, you need to re-create the vault.
6363
>
6464
65-
## Configure Recovery Services vault to save passphrase to Recovery Services vault (preview)
65+
## Configure Recovery Services vault to save passphrase to Recovery Services vault
6666

6767
Azure Backup using the Recovery Services agent (MARS) allows you to back up file or folder and system state data to Azure Recovery Services vault. This data is encrypted using a passphrase provided during the installation and registration of the MARS agent. This passphrase is required to retrieve and restore the backup data and needs to be saved in a secure external location, such as Azure Key Vault.
6868

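Review bot: The heading at line 65 still reads "save passphrase to Recovery Services vault", while the paragraph under it and the rest of this change describe saving the passphrase to Azure Key Vault; since the line is being edited anyway, consider "Configure Recovery Services vault to save passphrase to Azure Key Vault". Dropping "(preview)" also changes the generated heading anchor, so any links that target the old anchor need updating in the same change.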
@@ -130,7 +130,7 @@ If you've already installed the agent on any machines, ensure you're running the
130130

131131
After granting the required permissions, you can save the passphrase to the Key Vault by copying the *Key Vault URI* from the Azure portal and to the Register Server Wizard.
132132

133-
:::image type="content" source="./media/backup-configure-vault/encryption-settings-passphrase-to-encrypt-decrypt-backups.png" alt-text="Screenshot showing to specify a passphrase to be used to encrypt and decrypt backups for machines.":::
133+
134134

135135
1. Select **Finish**. The agent is now installed, and your machine is registered to the vault. You're ready to configure and schedule your backup.
136136

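Review bot: Line 133 replaces the screenshot with an empty line, which leaves the sentence about copying the *Key Vault URI* into the Register Server Wizard without its illustration and puts two blank lines in a row. If the image is outdated for GA, add the updated one here; if it is being dropped on purpose, delete the line rather than blanking it. The same applies to the two screenshots blanked at lines 329 and 374 of save-backup-passphrase-securely-in-azure-key-vault.md.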
articles/backup/save-backup-passphrase-securely-in-azure-key-vault.md

Lines changed: 20 additions & 7 deletions
@@ -1,16 +1,16 @@
11
---
2-
title: Save and manage MARS agent passphrase securely in Azure Key Vault (preview)
2+
title: Save and manage MARS agent passphrase securely in Azure Key Vault
33
description: Learn how to save MARS agent passphrase securely in Azure Key Vault and retrieve them during restore.
44
ms.topic: how-to
5-
ms.date: 08/18/2023
5+
ms.date: 11/07/2023
66
ms.reviewer: sooryar
77
ms.service: backup
88
ms.custom: devx-track-azurecli, devx-track-azurepowershell
99
author: AbhishekMallick-MS
1010
ms.author: v-abhmallick
1111
---
1212

13-
# Save and manage MARS agent passphrase securely in Azure Key Vault (preview)
13+
# Save and manage MARS agent passphrase securely in Azure Key Vault
1414

1515
Azure Backup using the Recovery Services agent (MARS) allows you back up files/folders and system state data to Azure Recovery Services vault. This data is encrypted using a passphrase you provide during the installation and registration of the MARS agent. This passphrase is required to retrieve and restore the backup data and needs to be saved in a secure external location.
1616

@@ -26,7 +26,7 @@ Now, you can save your encryption passphrase securely in Azure Key Vault as a Se
2626
- You should use a single Azure Key Vault to store all your passphrases. [Create a Key Vault](../key-vault/general/quick-create-portal.md) in case you don't have one.
2727
- [Azure Key Vault pricing](https://azure.microsoft.com/pricing/details/key-vault/) is applicable when you create a new Azure Key Vault to store your passphrase.
2828
- After you create the Key Vault, to protect against accidental or malicious deletion of passphrase, [ensure that soft-delete and purge protection is turned on](../key-vault/general/soft-delete-overview.md).
29-
- This feature is supported only in Azure public regions with MARS agent version *2.0.9254.0* or above.
29+
- This feature is supported only in Azure public regions with MARS agent version *2.0.9262.0* or above.
3030

3131
## Configure the Recovery Services vault to store passphrase to Azure Key Vault
3232

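Review bot: Line 29 raises the minimum agent version from *2.0.9254.0* to *2.0.9262.0* without saying what this means for machines that enabled the feature on 2.0.9254.0; state whether those agents must upgrade for the saved passphrase to keep working. The same bump at line 350 of this file should carry the same clarification, and "soft-delete and purge protection is turned on" in the context line above could be corrected to "are turned on" while this list is being edited.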
@@ -326,7 +326,7 @@ Before proceeding to install the MARS agent, ensure that you have [configured t
326326

327327
6. After providing the *Recovery Services vault credentials* during registration, in the **Encryption Setting**, select the option to save the passphrase to Azure Key Vault.
328328

329-
:::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/save-passphrase.png" alt-text="Screenshot shows the option to save the passphrase to Azure Key Vault to be selected." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/save-passphrase.png":::
329+
330330

331331
7. Enter your *passphrase* or select **Generate Passphrase**.
332332
4. In the *Azure portal*, open your *Key Vault*, copy the *Key Vault URI*.
@@ -347,7 +347,7 @@ You can automate this process by using the new KeyVaultUri option in `Set-OBMach
347347

348348
## Save passphrase to Azure Key Vault for an existing MARS installation
349349

350-
If you have an existing MARS agent installation and want to save your passphrase to Azure Key Vault, [update your agent](upgrade-mars-agent.md) to version *2.0.9254.0* or above and perform a change passphrase operation.
350+
If you have an existing MARS agent installation and want to save your passphrase to Azure Key Vault, [update your agent](upgrade-mars-agent.md) to version *2.0.9262.0* or above and perform a change passphrase operation.
351351

352352
After updating your MARS agent, ensure that you have [configured the Recovery Services vault to store passphrase to Azure Key Vault](#configure-the-recovery-services-vault-to-store-passphrase-to-azure-key-vault) and you have successfully:
353353

@@ -371,7 +371,7 @@ To save the passphrase to Key Vault:
371371
>[!Note]
372372
>If the machine is already configured to save passphrase to Key Vault, the Key Vault URI will be populated in the text box automatically.
373373
374-
:::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/enter-key-vault-url.png" alt-text="Screenshot shows the option to save passphrase to Key Vault by providing a Key Vault URI gets generated." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/enter-key-vault-url.png":::
374+
375375

376376
3. Open the *Azure portal*, open your *Key Vault*, and then *copy the Key Vault URI*.
377377

@@ -450,6 +450,19 @@ This section lists commonly encountered errors when saving the passphrase to Azu
450450

451451
:::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/copy-key-vault-url.png" alt-text="Screenshot shows how to copy Kay Vault URL." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/copy-key-vault-url.png":::
452452

453+
454+
### UserErrorSecretExistsSoftDeleted (391282)
455+
456+
**Cause**: A secret in the expected format already exists in the Key Vault, but it's in a soft-deleted state. Unless the secret is restored, MARS can't save the passphrase for that machine to the provided Key Vault.
457+
458+
**Recommended action**: Check if a secret exists in the vault with the name `AzBackup-<machine name>-<vaultname>` and if it's in a soft-deleted state. Recover the soft deleted Secret to save the passphrase to it.
459+
460+
### UserErrorKeyVaultSoftDeleted (391283)
461+
462+
**Cause**: The Key Vault provided to MARS is in a soft-deleted state.
463+
464+
**Recommended action**: Recover the Key Vault or provide a new Key Vault.
465+
453466
### Registration is incomplete
454467

455468
**Cause**: You didn't complete the MARS registration by registering the passphrase. So, you'll not be able to configure backups until you register.
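Review bot: The recommended action at line 458 says "the vault", which could mean the Key Vault or the Recovery Services vault in an article that deals with both; say "Key Vault". The secret name `AzBackup-<machine name>-<vaultname>` mixes placeholder styles and does not say which vault `<vaultname>` refers to, "soft deleted Secret" should be "soft-deleted secret", and both new entries would benefit from a link to the recovery steps, such as the soft-delete overview already linked from the prerequisites. The context line at 451 also has "Kay Vault" in its alt text, which can be fixed while this section is open.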

articles/backup/whats-new.md

Lines changed: 21 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: What's new in Azure Backup
33
description: Learn about the new features in the Azure Backup service.
44
ms.topic: conceptual
5-
ms.date: 11/02/2023
5+
ms.date: 11/07/2023
66
ms.service: backup
77
author: AbhishekMallick-MS
88
ms.author: v-abhmallick
@@ -17,6 +17,8 @@ You can learn more about the new releases by bookmarking this page or by [subscr
1717
## Updates summary
1818

1919
- November 2023
20+
- [Save your MARS backup passphrase securely to Azure Key Vault is now generally available.](#save-your-mars-backup-passphrase-securely-to-azure-key-vault-is-now-generally-available)
21+
- [Update Rollup 1 for Microsoft Azure Backup Server v4 is now generally available](#update-rollup-1-for-microsoft-azure-backup-server-v4-is-now-generally-available)
2022
- [SAP HANA instance snapshot backup support is now generally available](#sap-hana-instance-snapshot-backup-support-is-now-generally-available)
2123
- September 2023
2224
- [Multi-user authorization using Resource Guard for Backup vault is now generally available](#multi-user-authorization-using-resource-guard-for-backup-vault-is-now-generally-available)
@@ -70,6 +72,24 @@ You can learn more about the new releases by bookmarking this page or by [subscr
7072
- February 2021
7173
- [Backup for Azure Blobs (in preview)](#backup-for-azure-blobs-in-preview)
7274

75+
## Save your MARS backup passphrase securely to Azure Key Vault is now generally available.
76+
77+
Azure Backup now allows you to save the MARS passphrase to Azure Key Vault automatically from the MARS console during registration or changing passphrase with MARS agent.
78+
79+
The MARS agent from Azure Backup requires a passphrase that you provide to encrypt the backups sent to and stored on Azure Recovery Services vault. This passphrase isn't shared with Microsoft and needs to be saved in a secure location to ensure that the backups can be retrieved if the server backed up with MARS goes down.
80+
81+
For more information, see [Save and manage MARS agent passphrase securely in Azure Key Vault](save-backup-passphrase-securely-in-azure-key-vault.md).
82+
83+
## Update Rollup 1 for Microsoft Azure Backup Server v4 is now generally available
84+
85+
Azure Backup now provides Update Rollup 1 for Microsoft Azure Backup Server (MABS) V4.
86+
87+
- It contains new features, such as item-level recovery from online recovery points for VMware VMs, support for Windows and Basic SMTP authentication for MABS email reports and alerts, and other enhancements.
88+
- It also contains stability improvements and bug fixes on MABS V4.
89+
90+
For more information, see [What's new in MABS](backup-mabs-whats-new-mabs.md).
91+
92+
7393
## SAP HANA instance snapshot backup support is now generally available
7494

7595
Azure Backup now supports SAP HANA instance snapshot backup and enhanced restore, which provides a cost-effective backup solution using managed disk incremental snapshots. Because instant backup uses snapshot, the effect on the database is minimum.
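Review bot: The new section at lines 75-81 does not mention the minimum agent version, although the linked article requires MARS *2.0.9262.0* or above; add it so readers know to upgrade before looking for the option. The heading at line 75 ends with a period, unlike the other headings in this file, the sentence at line 77 reads better as "during registration or when changing the passphrase", and the three empty lines at 90-92 can be reduced to one.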
