Hello, @Thakur, Shubhankar11
Here is a recommendation https://learn.microsoft.com/en-us/answers/questions/1808654/how-to-improve-security-level-for-backup-vault
Here is a summary of what you would see in the URL above:
- Enable Soft Delete (Required)
Prevents accidental or malicious deletion of backup items like VMs, SQL databases, etc.
Navigate to your Recovery Services Vault > Properties > Ensure Soft Delete is Enabled.
  - Mandatory for Azure VM backups.
- Enable Multi-User Authorization (MUA) for Critical Operations
Adds a layer of protection for sensitive actions (e.g., delete backup data, modify protection).
Go to Vault > Properties > Security Settings > Enable Multi-User Authorization (MUA).
Requires a separate Security PIN to authorize critical operations.
This protects against malicious insiders or compromised accounts.
- Enable Immutable Vault (Preview or GA)
Makes the vault read-only for a configured retention period (ideal for ransomware protection).
Go to Properties > Enable Immutable Vault.
Configure retention lock to prevent tampering.
- Use Customer-Managed Keys (CMK) for Encryption
Instead of platform-managed keys, use Azure Key Vault to control encryption keys.
Create a Key Vault and assign access.
Go to Vault > Properties > Encryption > Select Customer Managed Key.
- Audit and Enable Logging
Enable Azure Monitor diagnostics to track backup and restore operations.
Go to Vault > Diagnostic Settings:
Send logs to Log Analytics, Storage, or Event Hub.
Monitor operations, failures, and suspicious access.
- Use Private Endpoints (Optional but Recommended)
Restrict access to the Recovery Services Vault to only your private network.
Go to Vault > Networking > Enable Private Endpoint.
Blocks public access unless explicitly allowed.
- RBAC and Least Privilege Access
Review who has access to the vault. Use Role-Based Access Control (RBAC):
Only grant access to necessary users.
Use built-in roles like Backup Contributor or custom roles with limited scope.
- Enable Alerts for Suspicious Activity
Go to Vault > Monitoring > Backup Alerts:
Enable built-in alerts for:
  - Failed backups
  - Unusual deletion requests
  - Restore activity
To improve the security level of your Azure Recovery Services Vault
😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
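An added check to go with the checklist above (this is example code written for this page, not part of the answer and not Microsoft tooling): it reads a vault's resource JSON, as returned by `az backup vault show -o json`, and reports which of the portal settings listed above are still at their weak value. It assumes the `Microsoft.RecoveryServices/vaults` resource shape (`properties.securitySettings`, `properties.encryption`, `properties.publicNetworkAccess`) and the enum values `Enabled`/`Disabled`/`AlwaysON` for soft delete, `Disabled`/`Unlocked`/`Locked` for immutability and `Enabled`/`Disabled` for multi-user authorization. Both vault documents in the block are constructed samples, one weak and one hardened, not real vaults.

```python
"""Posture check for a Recovery Services vault, read from its resource JSON.

Added example; not code from the answer above or from Microsoft. Assumes the
resource shape returned by `az backup vault show -o json`
(Microsoft.RecoveryServices/vaults). The two vault documents are constructed.
"""
import json
from typing import Any

# Constructed sample: a vault left mostly at defaults, the situation the
# checklist above is meant to fix.
WEAK_VAULT = json.loads(r'''
{
  "name": "rsv-example-weak",
  "type": "Microsoft.RecoveryServices/vaults",
  "properties": {
    "publicNetworkAccess": "Enabled",
    "securitySettings": {
      "softDeleteSettings": {"softDeleteState": "Enabled",
                             "softDeleteRetentionPeriodInDays": 14},
      "immutabilitySettings": {"state": "Disabled"},
      "multiUserAuthorization": "Disabled"
    },
    "encryption": {"keyVaultProperties": null, "kekIdentity": null}
  }
}''')

# Constructed sample: the same vault after the hardening steps in the answer.
HARDENED_VAULT = json.loads(r'''
{
  "name": "rsv-example-hardened",
  "type": "Microsoft.RecoveryServices/vaults",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "securitySettings": {
      "softDeleteSettings": {"softDeleteState": "AlwaysON",
                             "softDeleteRetentionPeriodInDays": 30},
      "immutabilitySettings": {"state": "Locked"},
      "multiUserAuthorization": "Enabled"
    },
    "encryption": {
      "keyVaultProperties": {"keyUri": "https://kv-example.vault.azure.net/keys/rsv-cmk/0123"},
      "kekIdentity": {"useSystemAssignedIdentity": true}
    }
  }
}''')


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; a missing or null key yields `default` instead of a KeyError."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def audit_vault(vault: dict) -> dict:
    """Return {check: finding}; a value of None means the check passed.

    Diagnostic settings and RBAC assignments are separate resources and are not
    visible in the vault JSON, so they are not checked here.
    """
    props = vault.get("properties") or {}
    sec = props.get("securitySettings") or {}
    findings: dict = {}

    # Soft delete: "Enabled" can still be switched off by a vault admin;
    # "AlwaysON" is the locked state that a compromised account cannot undo.
    sd_state = _get(sec, "softDeleteSettings", "softDeleteState", default="Disabled")
    if sd_state not in ("Enabled", "AlwaysON"):
        findings["soft_delete"] = f"soft delete is {sd_state}"
    elif sd_state != "AlwaysON":
        findings["soft_delete"] = "soft delete is Enabled but not locked (AlwaysON)"
    else:
        findings["soft_delete"] = None

    mua = _get(sec, "multiUserAuthorization", default="Disabled")
    findings["mua"] = None if mua == "Enabled" else f"multi-user authorization is {mua}"

    # Immutability: "Unlocked" blocks deletion but can itself be turned off;
    # only "Locked" is irreversible.
    imm = _get(sec, "immutabilitySettings", "state", default="Disabled")
    if imm == "Locked":
        findings["immutability"] = None
    elif imm == "Unlocked":
        findings["immutability"] = "immutable vault is Unlocked (can be reverted)"
    else:
        findings["immutability"] = f"immutable vault is {imm}"

    key_uri = _get(props, "encryption", "keyVaultProperties", "keyUri")
    findings["cmk"] = None if key_uri else "platform-managed keys in use (no Key Vault keyUri)"

    pna = props.get("publicNetworkAccess") or "Enabled"
    findings["public_network"] = None if pna == "Disabled" else f"publicNetworkAccess is {pna}"
    return findings


def failed_checks(vault: dict) -> list:
    """Names of the checks that produced a finding, in report order."""
    return [name for name, finding in audit_vault(vault).items() if finding is not None]


if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"])
        for name, finding in audit_vault(v).items():
            print(f"  [{'FAIL' if finding else 'OK'}] {name}: {finding or 'ok'}")
```

To run it against a real vault, save `az backup vault show -g <rg> -n <vault> -o json` to a file and pass `json.load(open(path))` to `audit_vault`. Diagnostic settings have to be fetched separately (for example `az monitor diagnostic-settings list --resource <vault resource id>`), and the check deliberately treats "Enabled" soft delete and "Unlocked" immutability as findings, because both can be reverted by the same compromised account the controls are meant to stop.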