Cloud Computing

Azure Backup Protects Against Deliberate Attacks


Microsoft’s cloud backup solution, Azure Backup, has added new protections to defend your data against deliberate attacks. This post will explain what this means for you.


A report on the subject of “ransomware” and businesses that was published earlier this year by Symantec makes for very sobering reading. Malware, such as CryptoLocker, that attacks a business by scanning for data on the network, encrypting it, and demanding a bitcoin ransom to decrypt the data, is becoming more common. Ransoms are increasing, and terms such as ransomware-as-a-service have been coined to describe these professional attacks that are orchestrated by criminal organizations. The success of these forms of attacks has inspire other attackers, greedy for a slice of the pie; kits are available to build your own ransomware!

Ransomware attacks were once entirely random, but targeted attacks are become more common. That’s a worry because it implies that an attack will be better planned to defeat defenses. One approach to protecting yourself against a crypto attack is to restore your files from backup. That can be an expensive (human effort and downtime) solution but that might be better than paying an attacker — I have heard stories of a decryption failing and the attackers requiring a second ransom!

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts on our website.

What if the attacker also prevented access to your backup? Maybe they deleted your backups? Azure Backup has implemented new security mechanisms to protect your backup data from these deliberate kinds of attacks.

New Azure Backup Security Features

There are 4 features that have been added to protect your backup data:

  • Retention of deleted data: Your data will be retained by the recovery services vault for 14 days after you delete it. This means that even if some ransomware manages to delete your backups, you can still restore your data.
  • Minimum retention range checks: Maybe you need to go further back in time to before the infection. This feature ensures that you can restore from more than just 1 recovery point.
  • Alerts and notifications: You will be alerted in the event of a backup schedule being stopped or backup data being deleted. You’ll know that an attack is underway if no human initiated this action.
  • Multiple layers of security: You can require a PIN to be entered to perform certain actions. For example, if I attempt to stop a scheduled backup and delete all of the data from a MARS agent, I will be prompted to enter the PIN.

Enabling Azure Backup Security Features

If you have an existing Azure recovery services vault, then you can navigate to Properties in the vault to enable the new security features. Note the option where you can configure a PIN for sensitive actions.

 The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]

The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]
Click Update under Security Settings to open a Security Settings blade. Here you can:

  • Specify if you have enabled multi-factor authentication (MFA) in Azure AD. Your options are Yes, No, and I Will Configure It Later. MFA will introduce two-factor authentication to allow Azure to verify that any instructions really do come from an administrator.
  • Enable the security settings of Azure Backup. Note that you cannot undo this action.


The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]
The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]

Please note that to use these security features, you must have up-to-date on-premises software:

  • The latest version of the MARS agent
  • Azure Backup Server with Upgrade 1

System Center Data Protection Manager (DPM) does not support these features yet.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

Office 365 Coexistence for Mergers & Acquisitions: Don’t Panic! Make it SimpleLive Webinar on Tuesday, November 16, 2021 @ 1 pm ET

In this session, Microsoft MVPs Steve Goodman and Mike Weaver, and tenant migration expert Rich Dean, will cover the four most common steps toward Office 365 coexistence and explain the simplest route to project success.

  • Directory Sync/GAL Sync – How to prepare for access and awareness
  • Calendar Sharing – How to retrieve a user’s shared calendar, or a room’s free time
  • Email Routing – How to guarantee email is routed to the active mailbox before and after migration
  • Domain Sharing – How to accommodate both original and new SMTP domains at every stage

Aimed at IT Admins, Infrastructure Engineers and Project Managers, this session outlines both technical and project management considerations – giving you a great head start when faced with a tenant migration.the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

Sponsored by: