Increase Vault Security

Question

Increase Vault Security

MichaelB-2136 150

Hi, I’m trying to increase vault security and am trying via a few different avenues.

1 – Setting up Email Alerts.

I want to set up backup failure alerts but only appear to be able to setup alerts for PersistantDegraded which if I understand correctly is if a backup fails twice, not the initial failure notification? I’d also like to setup alerts if any suspicious activity occurs or a vault or backup is attempted to be deleted or stopped.

2 – I’ve read that you can set up passwords to be complete jobs like stopped back ups for extra protection but cannot find this.

3 – Set it so only my account can make any changes in the vault.

4 – What actually happens when I turn on Immutable Vault? If I understand correctly it can simply be turned off again until you set it to lock so would like to know what difference it makes BEFORE turning on lock?

I’m unfortunately finding that even simple requests like email alerts appear to be really overly-complicated!

Would appreciate any help on this.

Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-25T17:55:17.3266667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-26T09:51:55.0266667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
MichaelB-2136 150 Reputation points

2026-03-26T12:23:40.1966667+00:00
Hi Bharath, thank you for your detailed response as always. A few further questions:

Q1

I dont have a Log Analytics workspace currently. Is there a cost to this?

Am I able to also add email alerts for attempts to modify or delete backup data here also?

Q2

Could you further explain creating Resource Guard in another subscription/resource group?

Is there further cost to this also (creating another resource group)?

Q4

So by turning on Immutable Vault, it simply stops any modifications to any current backup policies, the ability to delete any backups prior to their expiry date, correct?

If the above is correct, I can just turn off Immutable Vault to then re-modify above?

If above is correct also, I don't really see the point of the immutability if a compromised account could simply turn it off (until it is locked) - sorry I just want to fully understand this setting before enabling it in any capacity

Furthermore, I have been looking to analyse the cost of my new vault standard backups before locking immutability however the cost of the backups does not appear to show up anywhere on Cost Analystics. I started using Vault Standard at the start of this March and but my daily costs from prior to the vault backups to now appear to be the same. How do I see the actual cost of my backups?

Finally, are there any other suggestions you have to increase the security of a vault? Thanks for your time as always.
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T10:57:32.11+00:00
Log Analytics is billed for data ingestion (GB/day) and retention beyond free tier; typical ingestion rates vary by region check your region’s pricing page for exact $/GB.

Azure Log Analytics Pricing | Microsoft Learn

Azure Monitor alerts for Backup job failures and Activity Log alerts can be created without a workspace and can send email/action groups directly; however, Log Analytics enables Backup Reports, richer workbooks, and long‑term queryable logs (useful for forensic/suspicious‑activity analysis).

Create an Activity Log alert scoped to the vault for operations like Delete/Stop and attach an Action Group that sends email. For suspicious patterns, forward logs to Sentinel or a SIEM via Log Analytics for detection.

Manage Azure Monitor based alerts for Azure Backup - Azure Backup | Microsoft Learn

Obtain insights using Backup center - Azure Backup | Azure Docs

Multi-User Authorization is free of cost by itself no additional charges for creating or using Resource Guards.

Multiuser Authorization Using Resource Guard - Azure Backup | Microsoft Learn

Resource groups themselves don't incur any cost they're just a placeholder container. So the answer is zero additional cost.

No special SKU cost for Resource Guard itself beyond normal resource metadata; creating a resource group has no charge. Only any associated resources (Log Analytics, storage) incur normal costs.

Configure Multi-user authorization using Resource Guard - Azure Backup | Microsoft Learn

The whole point of MUA is that a compromised account with Contributor access to your main subscription could, in theory, also grant themselves permissions on the Resource Guard if it's in the same subscription. Putting it in a separate subscription that your day-to-day admin account has no permissions on makes this much harder. In practice for a small environment, a different resource group in the same subscription still provides meaningful separation it's just a slightly weaker isolation boundary.

In the Azure portal, search for Resource Guards and create one. Give it a name like rg-mua-guard, place it in a separate resource group (or subscription if you have one), same region as your vault.

The account you use for this should ideally be a different account (e.g. a break-glass admin or your personal Microsoft account if this is a small setup) the key is that your regular vault admin account must not have Contributor or Owner on the Resource Guard.

Go to your Recovery Services Vault > Properties > Multi-User Authorization > click Update and link it to the Resource Guard you just created.

From that point on, critical operations (stop backup with delete, disable soft delete, change immutability) will be blocked unless the requestor also has Backup MUA Operator role on the Resource Guard which only you control.

If you're a solo admin and only have one account, the value is still there, it adds friction and a separate approval step even for yourself, which protects against session hijacking or accidental destructive operations.

Immutable Vault applies WORM (write‑once, read‑many) semantics so recovery points cannot be deleted before retention expiry and many destructive operations are blocked. If immutability is enabled but not locked, someone with rights can disable it; locking makes immutability irreversible for the configured retention period. Test in non‑prod first.

How to manage Azure Backup Immutable vault operations - Azure Backup | Microsoft Learn

Use Cost Management > Cost analysis with filters for Resource type = Recovery Services vault / Backup and Backup Center / Backup Reports (which uses Log Analytics) to view storage and operation costs; if you don’t see changes, ensure billing tags and resource filters include the vault and that Backup Center reporting is enabled.

Azure Log Analytics Pricing | Microsoft Learn

Recommended priority order for you:

Enable Enhanced Soft Delete (always-on): low risk, irreversible but safe

Set up MUA with Resource Guard: free, no operational risk

Enable Immutability (unlocked) now, validate your retention policies via the pricing calculator

Once satisfied with policies, lock immutability

Consider Private Endpoint if your environment is VNet-based
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T12:57:48.2266667+00:00
If you enable and lock immutability on an Azure Backup vault, you cannot "stop" or delete immutable backups until their retention period expires. Even Microsoft support cannot override this. You must wait for retention to naturally expire, then delete the data. This design intentionally:

Blocks deletion of recovery points

Blocks reducing retention

Blocks disabling immutability

Blocks vault deletion if immutable data exists.

If your company later decides to exit Azure and take data out, the only way immutable backups end is when their configured retention period expires. Until then, the backups remain and continue to incur storage cost.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault#disable-immutability
MichaelB-2136 150 Reputation points

2026-03-27T14:44:10.2833333+00:00

Ok, so if we were to cancel our Azure subscription with immutability vault lock ON then further backups would stop immediately but if my policy had a 30 day retention period we'd simply still be charged for retention of data for the next 30 days?

Also, if I simply enable locked immutability does that render the resource guard pointless given that no charges can be made anyway?

Thanks so much for your assistance as always
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T14:55:09.4933333+00:00

Canceling the Azure subscription with Locked Immutability is On all backup operations stop immediately because the subscription is no longer active. No new backups are taken once the subscription is canceled or disabled. Existing recovery points remain stored and cannot be deleted early because the vault is locked with WORM (Write Once, Read Many) immutability.

You continue to be charged for the retained backup data until each recovery point naturally expires based on its configured retention (for example, 30 days). Azure Backup does not waive storage charges simply because the subscription is canceled if immutable data is still under retention. Once the last recovery point expires, storage is released and charges stop automatically.

Backups stop immediately, but storage charges continue until the retention window completes.
MichaelB-2136 150 Reputation points

2026-03-27T15:03:07.66+00:00

Perfect, and I think you missed my other question -

If I simply enable locked immutability does that render the resource guard pointless given that no charges can be made anyway? Or am I looking at that incorrectly? If Immutability + Lock is on the worst someone could do would be stop my future backups but as long as I notice before the retention period ends no data would be lost, correct?
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T17:00:14.7+00:00
Locked immutability does not make Resource Guard pointless, even though it prevents early deletion of backups and therefore prevents “avoiding charges” by deleting data. Yes, your understanding is correct, Locked immutability prevents backup deletion or retention reduction.

An attacker could stop future backups, but existing recovery points remain until retention expires.

If detected before retention expiry, no data is lost.

However, Resource Guard still adds protection by preventing attackers from changing vault security settings or disabling protections.
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-30T08:38:44.4966667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
Naveena Patlolla 9,310 Reputation points Microsoft External Staff Moderator

2026-04-01T12:43:48.9933333+00:00

Hello Michaelb-2136
We haven't heard back from you checking to see if the above answer provided by Bharath Y P helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

3 answers

Your answer

Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-25T17:55:17.3266667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-26T09:51:55.0266667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
MichaelB-2136 150 Reputation points

2026-03-26T12:23:40.1966667+00:00

Hi Bharath, thank you for your detailed response as always. A few further questions:

Q1

I dont have a Log Analytics workspace currently. Is there a cost to this?

Am I able to also add email alerts for attempts to modify or delete backup data here also?

Q2

Could you further explain creating Resource Guard in another subscription/resource group?

Is there further cost to this also (creating another resource group)?

Q4

So by turning on Immutable Vault, it simply stops any modifications to any current backup policies, the ability to delete any backups prior to their expiry date, correct?

If the above is correct, I can just turn off Immutable Vault to then re-modify above?

If above is correct also, I don't really see the point of the immutability if a compromised account could simply turn it off (until it is locked) - sorry I just want to fully understand this setting before enabling it in any capacity

Furthermore, I have been looking to analyse the cost of my new vault standard backups before locking immutability however the cost of the backups does not appear to show up anywhere on Cost Analystics. I started using Vault Standard at the start of this March and but my daily costs from prior to the vault backups to now appear to be the same. How do I see the actual cost of my backups?

Finally, are there any other suggestions you have to increase the security of a vault? Thanks for your time as always.
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T12:57:48.2266667+00:00

If you enable and lock immutability on an Azure Backup vault, you cannot "stop" or delete immutable backups until their retention period expires. Even Microsoft support cannot override this. You must wait for retention to naturally expire, then delete the data. This design intentionally:

Blocks deletion of recovery points

Blocks reducing retention

Blocks disabling immutability

Blocks vault deletion if immutable data exists.

If your company later decides to exit Azure and take data out, the only way immutable backups end is when their configured retention period expires. Until then, the backups remain and continue to incur storage cost.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault#disable-immutability
MichaelB-2136 150 Reputation points

2026-03-27T14:44:10.2833333+00:00

Ok, so if we were to cancel our Azure subscription with immutability vault lock ON then further backups would stop immediately but if my policy had a 30 day retention period we'd simply still be charged for retention of data for the next 30 days?

Also, if I simply enable locked immutability does that render the resource guard pointless given that no charges can be made anyway?

Thanks so much for your assistance as always
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T14:55:09.4933333+00:00

Canceling the Azure subscription with Locked Immutability is On all backup operations stop immediately because the subscription is no longer active. No new backups are taken once the subscription is canceled or disabled. Existing recovery points remain stored and cannot be deleted early because the vault is locked with WORM (Write Once, Read Many) immutability.

You continue to be charged for the retained backup data until each recovery point naturally expires based on its configured retention (for example, 30 days). Azure Backup does not waive storage charges simply because the subscription is canceled if immutable data is still under retention. Once the last recovery point expires, storage is released and charges stop automatically.

Backups stop immediately, but storage charges continue until the retention window completes.
MichaelB-2136 150 Reputation points

2026-03-27T15:03:07.66+00:00

Perfect, and I think you missed my other question -

If I simply enable locked immutability does that render the resource guard pointless given that no charges can be made anyway? Or am I looking at that incorrectly? If Immutability + Lock is on the worst someone could do would be stop my future backups but as long as I notice before the retention period ends no data would be lost, correct?
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-27T17:00:14.7+00:00

Locked immutability does not make Resource Guard pointless, even though it prevents early deletion of backups and therefore prevents “avoiding charges” by deleting data. Yes, your understanding is correct, Locked immutability prevents backup deletion or retention reduction.

An attacker could stop future backups, but existing recovery points remain until retention expires.

If detected before retention expiry, no data is lost.

However, Resource Guard still adds protection by preventing attackers from changing vault security settings or disabling protections.
Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-30T08:38:44.4966667+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks
Naveena Patlolla 9,310 Reputation points Microsoft External Staff Moderator

2026-04-01T12:43:48.9933333+00:00

Hello Michaelb-2136
We haven't heard back from you checking to see if the above answer provided by Bharath Y P helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

MichaelB-2136 150

Hi Bharath, sorry for the late reply, I just havent gotten to the point of locked immutability yet and left this open in case I needed further assistance with what you explained above.

0 comments

Answer 2

MichaelB-2136 150

What happens if I enable locked immutability but then my company decide to stop using the cloud and take our data out? How would I stop the immutable backups?

0 comments

Answer 3

Hello Michaelb-2136, Thank you for posting your query on Microsoft Q&A platform.

You want to increase backup vault security and are struggling with several areas:

Alerts : You want notifications for first backup failures, suspicious activities, and any vault/backup deletions or stoppages.
Extra job protection : You read about “passwords for jobs” to prevent stopped backups but can’t find it.
Restricting changes : You want only your account to make any vault changes.
Immutable vault : You want to understand what enabling it does before locking.

You also feel that simple tasks like email alerts are overly complicated.

Real-Time Email Alerts: Default vault alerts only trigger on PersistentDegraded (multiple failures), not the first failure. Built-in alerts are throttled to reduce noise. For real-time monitoring, you need Log Analytics to catch every event.

Steps:

Go to your Vault > Diagnostic Settings > Add Diagnostic Setting.
Select CoreAzureBackup and AddonAzureBackupAlerts.
Send these logs to a Log Analytics Workspace.
In the workspace, go to Logs → New Alert Rule.
Create a query like:

BackupItemCustomerManaged 
| where Status == "Failed"

Set up an Action Group to receive email/SMS notifications.

Overview of Azure Monitor alerts - Azure Monitor | Microsoft Learn

The "Password" for Jobs (Resource Guard): You want extra protection for critical backup operations. Azure doesn’t have a literal job password. Instead, Resource Guard + Multi-User Authorization (MUA) ensures critical operations cannot be executed without approval from a separate owner.

Steps:

Create a Resource Guard in a separate subscription or resource group (isolation helps security).
Go to your Backup Vault > Properties > Multi-User Authorization.
Link the vault to the Resource Guard.
Now, any critical operations (disable soft delete, stop backup, delete vault) require approval from the Resource Guard owner.

This is effectively the “password” that prevents a single compromised account from deleting backups.

Multiuser Authorization Using Resource Guard - Azure Backup | Microsoft Learn

Restricting Access to Only Your Account: Prevent anyone else from making changes to your vault. Even Admins can inherit permissions at the subscription level.

Steps:

Go to Vault > Access Control (IAM) > Role Assignments.
Look for roles like Backup Contributor, Backup Admin, Owner.
Remove everyone except your account.
Ensure you retain the Backup Admin role to manage backups.

Only your account can make vault changes.

What is Azure role-based access control (Azure RBAC)? | Microsoft Learn

Manage Backups with Azure role-based access control - Azure Backup | Microsoft Learn

Manage Backup vaults - Azure Backup | Microsoft Learn

Immutable Vault: Understanding what turning on immutability does before "locking" it.

In the vault, go to Properties > Security Settings > Immutable Vault.
Enable immutability prevents deletion/modification of recovery points.
If locked, immutability becomes permanent cannot be disabled or altered.
- Enabled (not locked): You can still turn it off later.
- Locked: Irreversible, ensures WORM compliance.

Concept of Immutable Vault for Azure Backup - Azure Backup | Microsoft Learn

Hope this helps. and please feel free to reach out if you have any further questions. Thanks

Bharath Y P 7,080 Reputation points Microsoft External Staff Moderator

2026-03-31T08:36:52.9633333+00:00

Hello Michaelb-2136, I just wanted to kindly follow up to check, If the provided answer is helpful, it would be great if you could accept the answer and up-vote. This helps other community members who might face the same issue. Thanks

Share via

Increase Vault Security

3 answers

Your answer