Earlier in the year, I wrote a blog post on Auditing for Disaster Recovery with Azure Policy, where I showed you how to take the existing “Audit virtual machines without disaster recovery configured” Azure Policy and modify it so that you can scope the audit to a specific Tag, say ‘Environment’ : ‘Production’.

Now let’s consider the same scenario, but with Azure Backup.

Existing Policy

Recently, the Azure Backup team has created and released two Azure Backup policies in Azure Policy, namely:

  • Azure Backup should be enabled for Virtual Machines
  • Configure backup on VMs of a location to an existing central Vault in the same location

Azure Policy – Azure Backup

We’re going to use the first policy (like we did with the ASR policy) and customize it further for our more specific needs.

If you look at the actual policy definition, you’ll see that it targets Microsoft.Compute/virtualMachines resources and, for each one, looks for a related Microsoft.RecoveryServices/backupprotecteditems resource; a VM with no such item is reported as non-compliant.

Azure Policy – Azure Backup – Definition

Customize the Policy

So now that we see the ‘what’ and ‘how’ of the policy for Azure Backup, we can modify it to meet our more specific needs. If we were to deploy this policy as-is, and perhaps assign it at the Management Group, Subscription, or Resource Group level, there is a good chance that we would be auditing non-production systems. As a result, our compliance score/metric would be off, since we’d be checking resources that we don’t necessarily want to audit for ‘backup compliance’.

Let’s duplicate the built-in policy and modify it for our needs. We can add a Tag Name and Tag Value to the parameters, like so…

Azure Policy – Azure Backup – New Parameters

In this example, I am specifying that I only want to check resources (in this case VMs, since the Policy Rule checks only against Microsoft.Compute/virtualMachines) that carry the Tag ‘Environment’ with a value of ‘Production’. But of course, this is just an example, and you can customize it however you need. You could, for example, accept an array of values to check against.

Within the actual Policy Rule, we need to modify it a little by using the ‘allOf’ rule structure (so that we can add our Tag check alongside the existing ‘virtualMachines’ type check) and then reference the Tag Name and Tag Value parameters.

Azure Policy – Azure Backup – New Policy Rules

So now, we’ve taken a built-in policy, and tweaked it to control what we’re auditing for/against. In this case, we are checking all Microsoft.Compute/virtualMachines that also have the Tag Name of ‘Environment’ with a Tag Value of ‘Production’, and auditing if they are protected by Azure Backup.

This way, if a VM resource does not have this tag, or is labeled with a different ‘Environment’ value, it is simply out of scope: it will not show up as a false positive and throw off our compliance report.
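To make the customization concrete, here is an added example (my own code for this write-up, not the built-in definition or the post’s screenshots reproduced verbatim). It holds the modified policy definition as described above, with tagName/tagValue parameters and an ‘allOf’ rule, and pairs it with a small evaluator for the ‘if’ block so you can see which constructed VMs land in audit scope. The parameter names, the auditIfNotExists effect and the `[concat('tags[', parameters('tagName'), ']')]` field expression are assumptions about the exact definition; the resource IDs and the set of “protected” VMs are constructed sample data, standing in for the backupprotecteditems lookup Azure Policy performs for real.

```python
"""Custom 'Azure Backup should be enabled for VMs, scoped by tag' policy
definition plus a toy evaluator for its 'if' block (added example)."""
import json
import re

# Modified policy definition. Parameter names, effect and the tags[] field
# expression are assumptions based on the post's description.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Audit Azure Backup on VMs with a specific tag (custom)",
        "mode": "Indexed",
        "parameters": {
            "tagName": {"type": "String", "defaultValue": "Environment",
                        "metadata": {"displayName": "Tag Name"}},
            "tagValue": {"type": "String", "defaultValue": "Production",
                         "metadata": {"displayName": "Tag Value"}},
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {"field": "[concat('tags[', parameters('tagName'), ']')]",
                     "equals": "[parameters('tagValue')]"},
                ]
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {"type": "Microsoft.RecoveryServices/backupprotecteditems"},
            },
        },
    }
}

_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
_VM = _SUB + "/providers/Microsoft.Compute/virtualMachines/"

# Constructed sample inventory: two production VMs, one dev VM, one storage
# account that happens to carry the Production tag.
SAMPLE_RESOURCES = [
    {"id": _VM + "vm-prod-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "Production"}},
    {"id": _VM + "vm-prod-02", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "Production"}},
    {"id": _VM + "vm-dev-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "Development"}},
    {"id": _SUB + "/providers/Microsoft.Storage/storageAccounts/stprod01",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {"Environment": "Production"}},
]
# Constructed stand-in for "a backupprotecteditems resource exists for this VM".
PROTECTED_VM_IDS = {_VM + "vm-prod-01"}

_PARAM_RE = re.compile(r"parameters\('([^']+)'\)")


def resolve(expr, params):
    """Resolve the two template expressions the rule uses:
    "[parameters('x')]" and "[concat('literal', parameters('x'), ...)]"."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1]
    m = _PARAM_RE.fullmatch(inner)
    if m:
        return params[m.group(1)]
    if inner.startswith("concat(") and inner.endswith(")"):
        out = []
        for piece in inner[len("concat("):-1].split(", "):
            pm = _PARAM_RE.fullmatch(piece)
            out.append(params[pm.group(1)] if pm else piece.strip("'"))
        return "".join(out)
    raise ValueError("unsupported expression: " + expr)


def field_value(resource, field):
    """Look up a resource field; 'tags[Name]' reads from the tags dictionary."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def condition_holds(cond, resource, params):
    """Evaluate allOf / anyOf / not / field-equals conditions."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = field_value(resource, resolve(cond["field"], params))
    expected = resolve(cond["equals"], params)
    # Azure Policy compares 'equals' strings case-insensitively.
    return str(actual or "").lower() == str(expected).lower()


def evaluate(policy, resources, protected_ids, overrides=None):
    """Return {resource id: 'Compliant'|'NonCompliant'} for in-scope resources.
    Out-of-scope resources are omitted entirely, which is the point of the tag filter."""
    props = policy["properties"]
    params = {k: v["defaultValue"] for k, v in props["parameters"].items()}
    params.update(overrides or {})
    results = {}
    for r in resources:
        if condition_holds(props["policyRule"]["if"], r, params):
            results[r["id"]] = "Compliant" if r["id"] in protected_ids else "NonCompliant"
    return results


if __name__ == "__main__":
    print(json.dumps(POLICY_DEFINITION, indent=2))
    print(json.dumps(evaluate(POLICY_DEFINITION, SAMPLE_RESOURCES, PROTECTED_VM_IDS), indent=2))
```

Running it prints the definition (ready to paste into a custom policy) and a scoped result: vm-prod-01 is compliant, vm-prod-02 is non-compliant, and the development VM and the storage account do not appear at all. Passing `overrides={"tagValue": "Development"}` flips the scope to the dev VM, which is what assigning the same definition with different parameter values does in Azure.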

Azure Policy – Azure Backup – Compliance Check

I hope this article will help you more accurately and specifically audit for backup in your Azure environments.