Earlier in the year, I wrote a blog post on Auditing for Disaster Recovery with Azure Policy, where I showed you how to take the existing “Audit virtual machines without disaster recovery configured” Azure Policy, and modify it so that you can control the audit against specific Tag, say ‘Environment’ : ‘Production’.
Now let’s consider the same scenario, but with Azure Backup.
Existing Policy
Recently, the Azure Backup team has created and released 2 Azure Backup policies in Azure Policy, namely:
- Azure Backup should be enabled for Virtual Machines
- Configure backup on VMs of a location to an existing central Vault in the same location

We’re going to use this first policy (like we did with the ASR policy) and customize it further for our more specific needs.
If you look at the actual policy definition, you’ll see that it is checking all Microsoft.Compute objects and looks for Microsoft.RecoveryServices/backupprotecteditems.

Customize the Policy
So now that we see the ‘what’ and ‘how of the policy for Azure Backup, we can modify it to meet our more specific needs. If we were to deploy this policy as-is, and perhaps assign it at the Management Group, Subscription, or Resource Group level, there is a good chance that we would be auditing a non-production system. And so, our compliance score/metric will be off, since we’re checking against resources that we don’t necessarily want to audit ‘backup compliance’ against.
Let’s duplicate the built-in policy and modify it for our needs. We can add a Tag Name and Tag Value to the parameters, like so…

In this example, I am specifying that I want to only check against resources (in this case VMs, since the Policy Rule checks only against Microsoft.Compute/virtualMachines), which includes the Tag ‘Environment’ with a value of ‘Production’. But of course, this is just an example, and you can customize it however you need it. You could, for example, include an array list of values to check against.
Within the actual Policy Rule, we need to modify it a little by using the ‘allOf’ rule structure (so that we can add our Tag check in addition to the existing ‘virtualMachine’ resource check) and then include the reference to the Tag Name and Value parameters.

So now, we’ve taken a built-in policy, and tweaked it to control what we’re auditing for/against. In this case, we are checking all Microsoft.Compute/virtualMachines that also have the Tag Name of ‘Environment’ with a Tag Value of ‘Production’, and auditing if they are protected by Azure Backup.
This way, if a VM resource does not have this tag, or it’s labeled with a different ‘environment’ value, it will not show up as a false-positive, and throw off our report on compliance.

I hope this article will help you more accurately and specifically audit for backup in your Azure environments.