Overview
Azure Backup provides unified backup solutions for Azure and on-premises workloads. Recovery Services Vault (RSV) is the central management plane for backup policies, recovery points, and restore operations across VMs, databases, files, and on-premises servers.
Who Should Use This Guide:
- Cloud engineers implementing backup strategies
- IT administrators protecting Azure workloads
- Disaster recovery specialists designing BCDR solutions
- Compliance officers meeting data protection requirements
Azure Backup Capabilities:
| Workload | Backup Method | Recovery Options |
|---|---|---|
| Azure VMs | Snapshot + vault | Full VM, disk, file-level |
| Azure Files | Snapshot | Share, folder, file level |
| SQL in Azure VM | VSS-aware backup | Point-in-time, log backup |
| On-premises VMs | MARS agent | File/folder, system state |
| Azure Disks | Incremental snapshot | Full disk restore |
| Azure Blobs | Operational backup | Point-in-time restore |
Backup Tiers:
| Tier | Recovery Time | Cost | Use Case |
|---|---|---|---|
| Snapshot (Instant Restore) | Minutes | Higher | Fast recovery |
| Vault-Standard | Hours | Medium | Standard DR |
| Vault-Archive | Hours-Days | Lower | Long-term retention |
Architecture
┌─────────────────────────────────────────────────────────────────────┐
│                      Azure Backup Architecture                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  Workloads                         Recovery Services Vault          │
│  ┌────────────────┐                ┌─────────────────────────────┐  │
│  │ Azure VMs      │                │                             │  │
│  │ ┌────────────┐ │     Backup     │  ┌─────────────────────┐    │  │
│  │ │ VM Snapshot│ │───────────────▶│  │ Vault Storage       │    │  │
│  │ └────────────┘ │                │  │ (GRS/LRS/ZRS)       │    │  │
│  └────────────────┘                │  └─────────────────────┘    │  │
│                                    │                             │  │
│  ┌────────────────┐                │  ┌─────────────────────┐    │  │
│  │ Azure Files    │     Backup     │  │ Backup Policies     │    │  │
│  │ ┌────────────┐ │───────────────▶│  │ - Daily/Weekly      │    │  │
│  │ │ Snapshots  │ │                │  │ - Retention         │    │  │
│  │ └────────────┘ │                │  └─────────────────────┘    │  │
│  └────────────────┘                │                             │  │
│                                    │  ┌─────────────────────┐    │  │
│  ┌────────────────┐                │  │ Cross-Region        │    │  │
│  │ SQL Server     │     Backup     │  │ Restore (CRR)       │    │  │
│  │ ┌────────────┐ │───────────────▶│  │ Secondary Region    │    │  │
│  │ │ Log/Full   │ │                │  └─────────────────────┘    │  │
│  │ └────────────┘ │                │                             │  │
│  └────────────────┘                └─────────────────────────────┘  │
│                                                                     │
│  ┌────────────────┐                                                 │
│  │ On-Premises    │   MARS Agent                                    │
│  │ ┌────────────┐ │───────────────▶ To Azure                        │
│  │ │ Windows    │ │                                                 │
│  │ │ Servers    │ │                                                 │
│  │ └────────────┘ │                                                 │
│  └────────────────┘                                                 │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
Step 1: Create Recovery Services Vault
Create Vault via Azure CLI
# Variables
RESOURCE_GROUP="backup-rg"
LOCATION="eastus"
VAULT_NAME="rsv-corp-backup-prod"
# Create resource group
az group create --name $RESOURCE_GROUP --location $LOCATION
# Create Recovery Services Vault
az backup vault create \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--location $LOCATION
# Configure storage redundancy (GRS recommended for DR)
az backup vault backup-properties set \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--backup-storage-redundancy GeoRedundant
# Enable Cross-Region Restore
az backup vault backup-properties set \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--cross-region-restore-flag Enabled
Create Vault via PowerShell
# Variables
$ResourceGroup = "backup-rg"
$Location = "eastus"
$VaultName = "rsv-corp-backup-prod"
# Create resource group
New-AzResourceGroup -Name $ResourceGroup -Location $Location
# Create Recovery Services Vault
New-AzRecoveryServicesVault `
-ResourceGroupName $ResourceGroup `
-Name $VaultName `
-Location $Location
# Get vault context
$vault = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroup
# Set storage redundancy to GRS
Set-AzRecoveryServicesBackupProperty `
-Vault $vault `
-BackupStorageRedundancy GeoRedundant
# Enable Cross-Region Restore
Set-AzRecoveryServicesBackupProperty `
-Vault $vault `
-EnableCrossRegionRestore
Storage Redundancy Options
| Option | Copies | Regions | Use Case |
|---|---|---|---|
| LRS | 3 | 1 | Dev/test, cost-sensitive |
| ZRS | 3 | 1 (3 zones) | Zone resilience |
| GRS | 6 | 2 | Production DR |
| GZRS | 6 | 2 (source zoned) | Highest availability |
Step 2: Configure Azure VM Backup
Create Backup Policy
# Create policy JSON
cat > vm-backup-policy.json << 'EOF'
{
"eTag": null,
"properties": {
"backupManagementType": "AzureIaasVM",
"instantRpRetentionRangeInDays": 5,
"schedulePolicy": {
"schedulePolicyType": "SimpleSchedulePolicy",
"scheduleRunFrequency": "Daily",
"scheduleRunTimes": ["2026-02-03T02:00:00Z"],
"scheduleWeeklyFrequency": 0
},
"retentionPolicy": {
"retentionPolicyType": "LongTermRetentionPolicy",
"dailySchedule": {
"retentionTimes": ["2026-02-03T02:00:00Z"],
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
},
"weeklySchedule": {
"daysOfTheWeek": ["Sunday"],
"retentionTimes": ["2026-02-03T02:00:00Z"],
"retentionDuration": {
"count": 12,
"durationType": "Weeks"
}
},
"monthlySchedule": {
"retentionScheduleFormatType": "Weekly",
"retentionScheduleWeekly": {
"daysOfTheWeek": ["Sunday"],
"weeksOfTheMonth": ["First"]
},
"retentionTimes": ["2026-02-03T02:00:00Z"],
"retentionDuration": {
"count": 12,
"durationType": "Months"
}
}
},
"timeZone": "Eastern Standard Time"
}
}
EOF
# Create policy
az backup policy create \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--name "DailyVMBackup" \
--policy vm-backup-policy.json \
--backup-management-type AzureIaasVM
Enable VM Backup
# Enable backup for a VM
az backup protection enable-for-vm \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--vm "vm-web-prod-01" \
--policy-name "DailyVMBackup"
# Enable backup for multiple VMs
VMS="vm-web-prod-01 vm-app-prod-01 vm-db-prod-01"
for VM in $VMS; do
az backup protection enable-for-vm \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--vm $VM \
--policy-name "DailyVMBackup"
done
Run On-Demand Backup
# Trigger immediate backup (--retain-until takes a UTC date in dd-mm-yyyy form)
az backup protection backup-now \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "IaasVMContainer;iaasvmcontainerv2;$RESOURCE_GROUP;vm-web-prod-01" \
--item-name "VM;iaasvmcontainerv2;$RESOURCE_GROUP;vm-web-prod-01" \
--retain-until "03-03-2026"
Step 3: Configure Azure Files Backup
Create Azure Files Backup Policy
# Create file share backup policy
az backup policy create \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--name "DailyFileShareBackup" \
--backup-management-type AzureStorage \
--workload-type AzureFileShare \
--policy '{
"schedulePolicy": {
"schedulePolicyType": "SimpleSchedulePolicy",
"scheduleRunFrequency": "Daily",
"scheduleRunTimes": ["2026-02-03T01:00:00Z"]
},
"retentionPolicy": {
"retentionPolicyType": "LongTermRetentionPolicy",
"dailySchedule": {
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
}
}
}'
Enable File Share Backup
# Variables
STORAGE_ACCOUNT="stprodfiles001"
FILE_SHARE="shared-documents"
# Register storage account with vault
az backup container register \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--backup-management-type AzureStorage \
--storage-account $STORAGE_ACCOUNT
# Enable backup for file share
az backup protection enable-for-azurefileshare \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--storage-account $STORAGE_ACCOUNT \
--azure-file-share $FILE_SHARE \
--policy-name "DailyFileShareBackup"
Restore File Share
# List recovery points
az backup recoverypoint list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "StorageContainer;Storage;$RESOURCE_GROUP;$STORAGE_ACCOUNT" \
--item-name "AzureFileShare;$FILE_SHARE" \
--query "[].{name:name,time:properties.recoveryPointTime}"
# Full share restore to alternate location
az backup restore restore-azurefileshare \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--rp-name "<recovery-point-name>" \
--container-name "StorageContainer;Storage;$RESOURCE_GROUP;$STORAGE_ACCOUNT" \
--item-name "AzureFileShare;$FILE_SHARE" \
--restore-mode AlternateLocation \
--target-storage-account "stprodfiles002" \
--target-file-share "restored-share" \
--target-folder "restore-2026-02-03"
Step 4: Configure SQL Server Backup
Register SQL Server VM
# Register SQL VM with backup
az backup container register \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--backup-management-type AzureWorkload \
--workload-type MSSQL \
--resource-id "/subscriptions/<sub-id>/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/vm-sql-prod-01"
Create SQL Backup Policy
# Full backup weekly, differential daily, log backup every 15 min
cat > sql-backup-policy.json << 'EOF'
{
"properties": {
"backupManagementType": "AzureWorkload",
"workLoadType": "SQLDataBase",
"settings": {
"timeZone": "Eastern Standard Time",
"issqlcompression": true
},
"subProtectionPolicy": [
{
"policyType": "Full",
"schedulePolicy": {
"schedulePolicyType": "SimpleSchedulePolicy",
"scheduleRunFrequency": "Weekly",
"scheduleRunDays": ["Sunday"],
"scheduleRunTimes": ["2026-02-03T02:00:00Z"]
},
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
}
},
{
"policyType": "Differential",
"schedulePolicy": {
"schedulePolicyType": "SimpleSchedulePolicy",
"scheduleRunFrequency": "Weekly",
"scheduleRunDays": ["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],
"scheduleRunTimes": ["2026-02-03T02:00:00Z"]
},
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 30,
"durationType": "Days"
}
}
},
{
"policyType": "Log",
"schedulePolicy": {
"schedulePolicyType": "LogSchedulePolicy",
"scheduleFrequencyInMins": 15
},
"retentionPolicy": {
"retentionPolicyType": "SimpleRetentionPolicy",
"retentionDuration": {
"count": 15,
"durationType": "Days"
}
}
}
]
}
}
EOF
az backup policy create \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--name "SQLDatabaseBackup" \
--backup-management-type AzureWorkload \
--workload-type MSSQL \
--policy sql-backup-policy.json
Enable Database Backup
# Discover databases on SQL VM
az backup protectable-item list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--workload-type MSSQL \
--query "[].{name:name,protectionState:properties.protectionState}"
# Enable backup for specific database
az backup protection enable-for-azurewl \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--policy-name "SQLDatabaseBackup" \
--protectable-item-name "sqldatabase;mssqlserver;ProductionDB" \
--protectable-item-type SQLDataBase \
--server-name "vm-sql-prod-01" \
--workload-type MSSQL
Point-in-Time Recovery
# List recovery points with logs
az backup recoverypoint list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "VMAppContainer;Compute;$RESOURCE_GROUP;vm-sql-prod-01" \
--item-name "sqldatabase;mssqlserver;ProductionDB" \
--workload-type MSSQL
# Restore to point in time
az backup restore restore-azurewl \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--recovery-config recovery-config.json
Step 5: Configure MARS Agent (On-Premises)
Download and Install MARS Agent
# Download MARS agent
$downloadUrl = "https://aka.ms/azurebackup_agent"
$installerPath = "$env:TEMP\MARSAgentInstaller.exe"
Invoke-WebRequest -Uri $downloadUrl -OutFile $installerPath
# Install silently
Start-Process -FilePath $installerPath -ArgumentList "/q" -Wait
# Download vault credentials from Azure Portal
# Portal > Recovery Services Vault > Settings > Properties > Backup Credentials
Register Server with Vault
# Import MARS module
Import-Module "C:\Program Files\Microsoft Azure Recovery Services Agent\bin\Modules\MSOnlineBackup"
# Set vault credentials
$credPath = "C:\Downloads\vault-creds.VaultCredentials"
Start-OBRegistration -VaultCredentials $credPath
# Set encryption passphrase (SAVE THIS!)
# Prompt for the passphrase rather than embedding it in the script, and keep a copy in a secret store
$passphrase = Read-Host -Prompt "MARS encryption passphrase" -AsSecureString
Set-OBMachineSetting -EncryptionPassphrase $passphrase
Configure Backup Schedule
# Create new backup policy
$policy = New-OBPolicy
# Set backup schedule (daily at 9 PM and 2 AM)
$schedule = New-OBSchedule -DaysOfWeek Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday -TimesOfDay "21:00","02:00"
Set-OBSchedule -Policy $policy -Schedule $schedule
# Set retention (30 days daily; this call does not configure the weekly or monthly tiers)
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention
# Add items to backup
$inclusions = @(
"C:\Users",
"C:\Data",
"D:\Databases"
)
$exclusions = @(
"C:\Windows",
"C:\Program Files"
)
Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec $inclusions)
Add-OBFileSpec -Policy $policy -FileSpec (New-OBFileSpec -FileSpec $exclusions -NonRecursive -Exclude)
# Apply policy
Set-OBPolicy -Policy $policy -Confirm:$false
# Run backup immediately
Start-OBBackup -Policy $policy
System State Backup
# Enable System State backup
$policy = Get-OBPolicy
Enable-OBSystemStateBackup -Policy $policy
Set-OBPolicy -Policy $policy
Step 6: Cross-Region Restore
Enable Cross-Region Restore
# Verify CRR is enabled
az backup vault backup-properties show \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--query "crossRegionRestoreFlag"
# If not enabled:
az backup vault backup-properties set \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--cross-region-restore-flag Enabled
Perform Cross-Region Restore
# List backup items in secondary region
az backup item list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--backup-management-type AzureIaasVM \
--use-secondary-region
# List recovery points in secondary region
az backup recoverypoint list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "<container-name>" \
--item-name "<item-name>" \
--use-secondary-region
# Restore VM to secondary region
az backup restore restore-disks \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "<container-name>" \
--item-name "<item-name>" \
--rp-name "<recovery-point>" \
--storage-account "strecoverywestus" \
--target-resource-group "recovery-rg-westus" \
--use-secondary-region
Step 7: Monitor and Alert
Configure Backup Alerts
# Create action group for alerts
az monitor action-group create \
--resource-group $RESOURCE_GROUP \
--name "BackupAlerts" \
--short-name "BackupAlt" \
--email-receiver name="IT-Team" email-address="it-team@company.com"
# Create alert for backup failures
az monitor metrics alert create \
--resource-group $RESOURCE_GROUP \
--name "BackupFailureAlert" \
--scopes "/subscriptions/<sub-id>/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.RecoveryServices/vaults/$VAULT_NAME" \
--condition "count BackupHealthEvent > 0 where HealthStatus includes Failed" \
--action "BackupAlerts" \
--severity 2
View Backup Jobs
# List recent backup jobs
az backup job list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--query "[?properties.status!='Completed'].{name:name,status:properties.status,operation:properties.operation}" \
--output table
# Get job details
az backup job show \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--name "<job-id>"
Azure Monitor Workbook
Create a backup monitoring workbook:
{
"version": "Notebook/1.0",
"items": [
{
"type": "query",
"name": "Backup Job Summary",
"query": "AzureDiagnostics\n| where Category == \"AzureBackupReport\"\n| where OperationName == \"BackupJob\"\n| summarize Count=count() by JobStatus, bin(TimeGenerated, 1d)"
},
{
"type": "query",
"name": "Failed Backups Last 7 Days",
"query": "AzureDiagnostics\n| where Category == \"AzureBackupReport\"\n| where OperationName == \"BackupJob\"\n| where JobStatus == \"Failed\"\n| where TimeGenerated > ago(7d)\n| project TimeGenerated, Resource, BackupItemUniqueId, JobFailureCode"
}
]
}
Step 8: Backup Reports
Enable Backup Reports (Diagnostic Settings)
# Create Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group $RESOURCE_GROUP \
--workspace-name "law-backup-reports"
WORKSPACE_ID=$(az monitor log-analytics workspace show \
--resource-group $RESOURCE_GROUP \
--workspace-name "law-backup-reports" \
--query id -o tsv)
# Enable diagnostics on vault
az monitor diagnostic-settings create \
--resource "/subscriptions/<sub-id>/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.RecoveryServices/vaults/$VAULT_NAME" \
--name "BackupReports" \
--workspace $WORKSPACE_ID \
--logs '[
{"category": "AzureBackupReport", "enabled": true},
{"category": "CoreAzureBackup", "enabled": true},
{"category": "AddonAzureBackupJobs", "enabled": true},
{"category": "AddonAzureBackupAlerts", "enabled": true},
{"category": "AddonAzureBackupPolicy", "enabled": true},
{"category": "AddonAzureBackupStorage", "enabled": true},
{"category": "AddonAzureBackupProtectedInstance", "enabled": true}
]'
Access Backup Center Reports
- Navigate to Azure Portal → Backup Center
- Select Backup Reports
- Configure workspace
- View:
- Backup Items
- Backup Jobs
- Policy Adherence
- Optimization Opportunities
Troubleshooting
Common Issues
| Symptom | Possible Cause | Solution |
|---|---|---|
| VM backup failed | VM agent not running | Reinstall/update VM agent |
| SQL backup failed | SQL service not discovered | Re-register container |
| MARS sync failed | Passphrase mismatch | Use correct passphrase |
| Restore failed | Insufficient permissions | Check RBAC assignments |
| Cross-region restore unavailable | CRR not enabled | Enable CRR on vault |
Diagnostic Commands
# Check protected item status
az backup item show \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--container-name "<container>" \
--name "<item>"
# View backup job logs
az backup job list \
--resource-group $RESOURCE_GROUP \
--vault-name $VAULT_NAME \
--status Failed \
--query "[].{name:name,operation:properties.operation,errorDetails:properties.errorDetails}"
# Verify VM agent status (on VM)
Get-Service -Name RdAgent, WindowsAzureGuestAgent
MARS Agent Troubleshooting
# Check agent status
Get-OBMachineSettingHealth
# View backup jobs
Get-OBJob -Previous 10
# Clear cache and retry (the string below is the service's display name, so match on -DisplayName)
Stop-Service -DisplayName "Microsoft Azure Recovery Services Agent"
Remove-Item "C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch\*" -Recurse
Start-Service -DisplayName "Microsoft Azure Recovery Services Agent"
Security Best Practices
Enable Soft Delete
# Enable soft delete (14-day retention of deleted backups)
az backup vault backup-properties set \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--soft-delete-feature-state Enable
Enable Multi-User Authorization
# Require additional authorization for critical operations
az backup vault backup-properties set \
--resource-group $RESOURCE_GROUP \
--name $VAULT_NAME \
--multi-user-authorization Enable
Restrict Vault Access
# Assign the built-in Backup Operator role, scoped to this vault only
az role assignment create \
--role "Backup Operator" \
--assignee "backup-team@company.com" \
--scope "/subscriptions/<sub-id>/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.RecoveryServices/vaults/$VAULT_NAME"
Verification Checklist
Vault Configuration:
- Recovery Services Vault created
- Storage redundancy configured (GRS for production)
- Cross-Region Restore enabled
- Soft delete enabled
Workload Protection:
- Azure VMs protected with backup policy
- Azure Files shares backed up
- SQL databases protected with log backup
- On-premises servers registered (MARS)
Testing:
- Test restore completed for each workload type
- Cross-region restore tested
- File-level recovery tested
- Recovery time meets RTO requirements
Operations:
- Alerts configured for backup failures
- Diagnostic logging enabled
- Backup reports accessible
- Team trained on restore procedures
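The job listing from Step 7 can be triaged offline to cover the "alerts for backup failures" item and to surface the deletions that soft delete is meant to cushion. This is an added example, not part of the original guide: the records are constructed in the shape of `az backup job list --output json`, and the `entityFriendlyName`, `startTime` and `endTime` fields and the 26-hour RPO are assumptions.

```python
import json
from datetime import datetime, timedelta

# Operations that remove protection; both are values of `az backup job list --operation`.
DESTRUCTIVE_OPS = {"DeleteBackupData", "DisableBackup"}

# Constructed sample shaped like `az backup job list --output json` (not real output).
SAMPLE_JOBS = json.loads("""
[
 {"name": "job-0001", "properties": {"entityFriendlyName": "vm-web-prod-01",
   "operation": "Backup", "status": "Completed",
   "startTime": "2026-02-03T02:00:00Z", "endTime": "2026-02-03T02:41:00Z"}},
 {"name": "job-0002", "properties": {"entityFriendlyName": "vm-app-prod-01",
   "operation": "Backup", "status": "Failed",
   "startTime": "2026-02-03T02:00:00Z", "endTime": "2026-02-03T02:05:00Z"}},
 {"name": "job-0003", "properties": {"entityFriendlyName": "vm-app-prod-01",
   "operation": "Backup", "status": "Completed",
   "startTime": "2026-02-01T02:00:00Z", "endTime": "2026-02-01T02:38:00Z"}},
 {"name": "job-0004", "properties": {"entityFriendlyName": "vm-db-prod-01",
   "operation": "DisableBackup", "status": "Completed",
   "startTime": "2026-02-03T03:10:00Z", "endTime": "2026-02-03T03:11:00Z"}},
 {"name": "job-0005", "properties": {"entityFriendlyName": "vm-db-prod-01",
   "operation": "DeleteBackupData", "status": "Completed",
   "startTime": "2026-02-03T03:12:00Z", "endTime": "2026-02-03T03:14:00Z"}}
]
""")


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing Z for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(jobs, now, rpo=timedelta(hours=26)):
    """Classify job records into failed backups, destructive operations and stale items."""
    failed, destructive, last_ok, seen = [], [], {}, set()
    for job in jobs:
        p = job["properties"]
        item, op, status = p["entityFriendlyName"], p["operation"], p["status"]
        if op in DESTRUCTIVE_OPS:
            # Report regardless of status: a failed attempt is still worth a look.
            destructive.append((item, op, p["startTime"]))
        elif op == "Backup":
            seen.add(item)
            if status == "Failed":
                failed.append((item, job["name"]))
            elif status == "Completed":
                end = parse_ts(p["endTime"])
                last_ok[item] = max(end, last_ok.get(item, end))
    # Stale: no completed backup inside the RPO window (or none at all).
    stale = sorted(i for i in seen if i not in last_ok or now - last_ok[i] > rpo)
    return {"failed": failed, "destructive": destructive, "stale": stale}


if __name__ == "__main__":
    report = triage(SAMPLE_JOBS, now=parse_ts("2026-02-03T12:00:00Z"))
    for kind, findings in report.items():
        print(kind, findings)
```

A stale item with a recent failure (vm-app-prod-01 in the sample) is the case a count of failed jobs alone does not show: the last good recovery point is already older than the RPO.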
Next Steps
After configuring Azure Backup:
- Implement Azure Site Recovery - VM replication for DR
- Configure Azure Policy - Enforce backup on all VMs
- Set Up Cost Management - Monitor backup storage costs
- Create Runbooks - Automate backup operations
Last Updated: February 2026