🛡️ Essential 8 Guide

Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.

Summary

This control ensures backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements, covering workstations, on-premises servers, Azure servers, and Microsoft 365 content.

Implementing this control strengthens resilience against data loss and supports secure recovery by leveraging Azure Backup security capabilities, access controls, and governance.

Design Decision

[!NOTE] The Windows Backup and Restore enrollment for Worksations will be enabled, with the Show restore page enabled and OneDrive for Business automatically enabled with Known Folder Backup. The Microsoft Azure Recovery Services agent will be used to protect On-Prem Servers using the DPM or Azure Backup Server agent to protect on-premises systems, and to back up Azure Servers with Microsoft Azure Recovery Services agent for Azure VMs. The content from Sharepoint, Exchange Online, and OneDrive will be backed up and restored by Microsoft 365 Backup.

Prerequisites

• OneDrive (KFM): Users must be licensed for Microsoft 365 (Business, E3, or E5). OneDrive sync client version 19.123.0624 or later deployed to workstations.
• MARS agent (on-prem servers): A Recovery Services vault created in the target Azure subscription; vault credentials file downloaded; .NET Framework 4.5.2 or later installed on the server; outbound HTTPS (port 443) to *.backup.windowsazure.com.
• Azure VMs: VMs must be in the same region as the Recovery Services vault. The Microsoft.RecoveryServices resource provider must be registered. Assign Backup Contributor, Backup Operator, and Virtual Machine Contributor RBAC roles to the Backup service principal or managed identity.¹
• Microsoft 365 Backup: Microsoft 365 Backup is a pay-as-you-go add-on. Billing is provisioned via the Microsoft 365 admin centre → Billing → Purchase services. The account performing setup must hold the Global Admin or M365 Backup Admin role.²

Implementation Steps

Worksations: Enable “Windows Backup and Restore” enrollment and turn on the “Show restore page” and enable OneDrive for Business with Known Folder Backup

Configure OneDrive Known Folder Move (KFM) via Intune

1. In the Microsoft Intune admin centre, go to Devices → Configuration → Create → New Policy.
2. Platform: Windows 10 and later; Profile type: Administrative templates.
3. Search for “Silently move Windows known folders to OneDrive” (Computer Configuration):
   • Set to Enabled; enter your Tenant ID in the field provided.
4. Search for “Prompt users to move Windows known folders to OneDrive”:
   • Set to Enabled to surface a user notification if silent move fails.
5. Search for “Prevent users from redirecting their Windows known folders to their PC”:
   • Set to Enabled after initial KFM rollout is complete (locks folders to OneDrive).
6. Search for “Prevent users from moving their Windows known folders to OneDrive”:
   • Keep Disabled (the default) so that KFM redirection is allowed.
7. Assign the policy to the relevant device or user group and select Review + save.
8. Verify in OneDrive Settings (system tray → gear icon → Settings → Backup → Manage backup) that Desktop, Documents, and Pictures are shown with a sync icon.³

On-Prem Servers: Enable Microsoft Azure Recovery Services agent to use the DPM or Azure Backup Server agent to protect on-premises systems

Install and register the MARS agent

1. In the Azure portal, go to Recovery Services vaults → (your vault) → Getting started → Backup.
2. Under “Where is your workload running?” select On-premises; under “What do you want to back up?” select Files and folders. Click Prepare infrastructure.
3. Download the Microsoft Azure Recovery Services Agent installer (MARSAgentInstaller.exe) and the vault credentials file.
4. On the server, run MARSAgentInstaller.exe, accept the installation path and proxy settings, then click Proceed to Registration.
5. When prompted, browse to the downloaded vault credentials file.
6. Create a passphrase (minimum 16 characters). Store this passphrase in Azure Key Vault immediately — it cannot be recovered by Microsoft and is required for any restore.
7. Once registration completes, launch Microsoft Azure Backup (Start menu) and click Schedule Backup.
8. Select the folders/volumes to protect, set the backup frequency (up to 3× / day), and configure retention (daily, weekly, monthly, yearly tiers) to match business continuity requirements.
9. Click Finish to save the policy; the first backup will seed immediately.⁴

Azure Servers: Use Microsoft Azure Recovery Services agent to backup Azure VMs

Create a Recovery Services vault and configure VM backup

1. In the Azure portal, go to Recovery Services vaults → Create. Select the subscription, resource group, vault name, and the same region as the VMs to protect. Click Review + create.
2. Assign RBAC roles at the vault scope:
   • Backup Contributor — allows vault and policy management.
   • Backup Operator — allows triggering backups and restores.
   • Virtual Machine Contributor — required on the VM resource group.
3. In the vault, go to Backup → Azure Virtual Machine. Select Backup policy → Create a new policy. Set:
   • Frequency: Daily or hourly as required.
   • Instant restore: Retain snapshots for 1–5 days.
   • Retention: Configure daily, weekly, monthly, yearly tiers to match business continuity requirements.
4. Select the VMs to protect and click Enable Backup.
5. Enable immutable vault to protect backup data against deletion or tampering (WORM compliance):
   • Vault → Properties → Immutability → click Enable vault immutability.
   • Optionally click Lock to make the setting irreversible (recommended for high-classification data). Note: locking is permanent and cannot be undone.⁵
6. Optionally enable Multi-user authorisation (MUA) via a Resource Guard in a separate subscription to prevent single-admin deletion of backups.¹

Microsoft 365: Backup and restore content from Sharepoint, Exchange Online, and OneDrive using “Microsoft 365 Backup”

Enable and configure Microsoft 365 Backup

1. In the Microsoft 365 admin centre, go to Setup → Microsoft 365 Backup (or search “Backup” in the top search bar).
2. Click Get started. Review billing terms — M365 Backup is charged per GB of protected data (pay-as-you-go).
3. Assign the Microsoft 365 Backup Administrator role to the backup operator account:
   • Microsoft 365 admin centre → Roles → Role assignments → Search “Backup”.
4. Select the workloads to protect:
   • Exchange Online — protects mailboxes (email, calendar, contacts).
   • SharePoint Online — protects site collections.
   • OneDrive for Business — protects user drives (supplement to KFM sync).
5. Choose the retention period. Default is 365 days; extended retention (up to 7 years for compliance) may be available depending on licensing tier.
6. Click Save to activate backup jobs. Initial seeding may take several hours for large tenants.
7. To enforce immutable retention on backed-up content, create a Microsoft Purview Retention Policy targeting the relevant workloads:
   • Set action to Retain items for a specific period with Do not delete selected.
   • Apply to the SharePoint/OneDrive locations corresponding to the backup scope.
8. Validate by performing a test restore: Admin centre → Backup → Restore → select a workload, choose a point-in-time, and restore a single item to confirm the end-to-end flow works before a real incident occurs.²⁶

Additional related information

• About Backup center for Azure Backup and Azure Site Recovery provides unified backup management including governance, monitoring, and analysis across vaults and workloads About Backup center for Azure Backup and Azure Site Recovery
• Azure Backup service documentation provides policy-based enablement and management guidance for protecting workloads Azure Backup service documentation
• Why Pursue ACSC Essential Eight User Backup Guidelines covers RBAC, multi-user authorization, and policy protections for backups Why Pursue ACSC Essential Eight User Backup Guidelines?
• Azure Disk Backup overview describes incremental snapshots and policy-driven retention for managed disks Overview of Azure Disk Backup