- MUA works in conjunction with Azure Resource Guard to add an extra layer of authorization.
- Multi-User Authorization (MUA) enhances security for Azure Backup vaults in a similar way to how MUA currently works with Recovery Services vaults.
- Resource Guard and vault can be placed in different tenants for maximum protection.
Microsoft has released a new security feature, Multi-User Authorization (MUA), for Azure Backup vaults. Azure Backup is a cloud-based service that allows users to perform backup and restore data, from various Azure services and on-premises Windows Server, in the Azure cloud.
MUA enhances protection by providing an additional layer of security, a Resource Guard, to which the user must also have sufficient rights on to change a critical Azure Backup setting. MUA for Azure Backup provides authorization in a similar way to how MUA currently works for Azure Recovery Services vaults. Adding this extra layer of protection to backups is designed to further help organizations defend themselves against ransomware.
Azure Backup leverages Resource Guard to ensure only authorized users perform critical operations. A critical operation is an action that could potentially affect the integrity, availability, and security of the backed-up data. These include disabling soft delete, disabling MUA protection, modifying backup policy, modifying protection, stopping protection with delete data, as well as changing Microsoft Azure Recovery Services (MARS) agent security PIN.
When Resource Guard is configured to provide additional protection for an Azure Backup vault, the owner of the Resource Guard must approve any requests to change critical backup settings.
“This requires action from the owner of the resource guard to approve and grant the required access. You can also use Azure Active Directory (AAD) Privileged Identity Management (PIM) to manage just-in-time access (JiT) on the resource guard. Additionally, you can create the resource guard in a subscription or a tenant different from the one that has the recovery services vault, to achieve maximum isolation,” Microsoft explained.
To get started with Multi-User Authorization, Microsoft recommends that customers will need to ensure that the Backup vault and Resource Guard exist in the same Azure region. Moreover, the vault admin shouldn’t have Contributor rights on the Resource Guard. IT Pros can choose to place the Resource Guard in a different subscription from the vault that’s being secured for maximum protection.
Microsoft also advises administrators to ensure that their subscriptions use the same Microsoft.DataProtection4 provider class. We invite you to check out this support document to learn more about configuring and using Multi-User Authorization for Backup vaults.