Backups of data, applications and settings are retained in a secure and resilient manner.
| Property | Value |
| --- | --- |
| ISM Control | ISM-1811 |
| Revision | 1 |
| Updated | Dec-23 |
| Guideline | Not provided |
| Section | Data backup and restoration |
| Topic | Performing and retaining backups |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Summary
Store backups in Azure Backup Vault with geo-redundancy and encryption enabled to protect data from loss and enable recoverability across regions. This approach uses Azure Backup’s encryption at rest by default and supports cross-region redundancy to guard against regional disasters.
Justification
Azure Backup with geo-redundant storage (GRS) ensures backup data is replicated to a secondary region at least 400 km from the primary, providing resilience against regional outages, natural disasters, and ransomware events that corrupt primary storage.
Encryption at rest (AES-256, platform-managed keys by default) satisfies the ISM requirement that backup data be protected from unauthorised access, which is particularly important for classified and sensitive information covered by PSPF.
Combining vault-level RBAC, JIT access via Privileged Identity Management, and MFA enforcement for critical backup operations (restore, retention change, delete) directly counters insider threat and accidental deletion scenarios — the most common causes of backup compromise in organisational environments.
| Backup tier | Storage redundancy | Recovery objective | Example use case |
| --- | --- | --- | --- |
| Tier 1 – Critical | GRS (geo-redundant) | RPO ≤ 1 hr, RTO ≤ 4 hr | Active Directory, identity infrastructure |
| Tier 2 – Business | ZRS (zone-redundant) | RPO ≤ 4 hr, RTO ≤ 8 hr | Line-of-business applications |
| Tier 3 – Standard | LRS (locally redundant) | RPO ≤ 24 hr, RTO ≤ 24 hr | Non-critical file shares |
Azure Backup Vault soft-delete provides a 14-day recovery window for accidentally deleted backup items, while immutable vault policies (available in Recovery Services vaults) prevent any retention reduction or vault deletion — directly addressing the ACSC requirement for secure and resilient backup retention.
Design Decision
> [!NOTE]
> Backups will be stored in the Recovery Services vault with Geo-Redundant Storage enabled. Encryption will be enabled, using platform-managed keys by default, with the option to configure customer-managed keys.
Prerequisites
Dependencies
- Create a Recovery Services vault or Backup vault in Azure to store backups; the vault is the container for backup data and is the first step in configuring backups.
- If backing up Windows Server with the Microsoft Azure Recovery Services (MARS) agent, install and register the agent and create a backup policy.
- For geo-redundant backups, configure storage redundancy to Geo-Redundant Storage (GRS) for Recovery Services vaults. This can be done via supported tooling/procedures to ensure geographic resilience.
- Encryption is enabled at rest by default using platform-managed keys; you may opt for customer-managed keys using Azure Key Vault if required for additional control over encryption keys.
- If using customer-managed keys, prepare and configure the keys in Azure Key Vault, include keys in the backup scope, and follow key management practices.
Permissions/Roles
- Assign appropriate Azure RBAC roles for backup operations, such as Backup Contributor, Backup Reader, and Backup Operator to enforce least privilege and proper separation of duties.
- Enforce multi-factor authentication (MFA) for critical backup operations, including restore, retention changes, backup deletion, and vault configuration.
- Enable Just-In-Time (JIT) access for backup administrator tasks using a time-bound access mechanism (e.g., via privileged identity management) to reduce standing privileges.
Implementation Steps
Store backups in Azure Backup Vault with geo-redundancy and encryption enabled
- Register the Azure Recovery Services provider for your subscription.

  ```powershell
  Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
  ```

- Create or select a Resource Group and place the Recovery Services vault in the same location.

  ```powershell
  New-AzResourceGroup -Name "your-rg" -Location "WestUS"
  ```

- Create the Recovery Services vault in the same location as the Resource Group.

  ```powershell
  New-AzRecoveryServicesVault -Name "your-testvault" -ResourceGroupName "your-rg" -Location "WestUS"
  ```

- Configure the vault to use geo-redundant storage (GeoRedundant) for backup data.

  ```powershell
  $Vault1 = Get-AzRecoveryServicesVault -Name "your-testvault"
  Set-AzRecoveryServicesBackupProperties -Vault $Vault1 -BackupStorageRedundancy GeoRedundant
  ```

- Ensure backup data is encrypted at rest and in transit. By default, Azure Backup uses platform-managed keys (AES-256) for encryption.
- Optionally configure customer-managed keys (CMK) in a Key Vault for backup encryption. If using CMK, ensure the key is protected with soft delete and purge protection, and that the key is included in the backup scope.
- On each machine, create a backup policy using the MARS agent to back up files, folders, and system state as required.
- After you download and register the MARS agent, open the agent console. You can find it by searching your machine for “Microsoft Azure Backup”.
- Under Actions, select Schedule Backup.
- In the Schedule Backup Wizard, select Getting started > Next.
- Under Select Items to Back up, select Add Items.
- In the Select Items box, select items to back up, and then select OK.
- On the Select Items to Back Up page, select Next.
- On the Specify Backup Schedule page, specify when to take daily or weekly backups. Then select Next.
- A recovery point is created when a backup is taken. The number of recovery points depends on the backup schedule.
- You can schedule up to three backups per day. Weekly backups are also supported; the wizard shows example schedules.
- On the Select Retention Policy page, specify how to store historical copies of your data. Then select Next.
- On the Choose Initial Backup Type page, decide if you want to take the initial backup over the network or use offline backup. To take the initial backup over the network, select Automatically over the network > Next.
- On the Confirmation page, review the information, and then select Finish.
- After the wizard finishes creating the backup schedule, select Close.
- Create a policy on each machine where the agent is installed.
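The vault settings configured above (geo-redundant storage, soft delete, immutability) can be audited across a whole subscription with the following script, an added example that is not part of the original page or of Azure Backup's own tooling. It assumes the Az.Accounts and Az.RecoveryServices modules are installed and Connect-AzAccount has already run; the ImmutabilityState property name read from Get-AzRecoveryServicesVaultProperty is an assumption.

```powershell
# Added example: audit Recovery Services vaults against the ISM-1811 design decision
# (geo-redundant storage, soft delete on, immutability configured) and offer a
# function that brings a vault up to that baseline.
# Assumes Az.Accounts and Az.RecoveryServices are installed and Connect-AzAccount has run.
# The ImmutabilityState property name is an assumption; an absent property evaluates
# to $null in PowerShell, so such a vault is simply reported as not configured.

function Test-IsmBackupVault {
    param([Parameter(Mandatory)] $Vault)

    $backupProps = Get-AzRecoveryServicesBackupProperty -Vault $Vault        # storage redundancy
    $vaultProps  = Get-AzRecoveryServicesVaultProperty  -VaultId $Vault.ID   # soft delete, immutability

    [pscustomobject]@{
        Vault             = $Vault.Name
        ResourceGroup     = $Vault.ResourceGroupName
        Redundancy        = $backupProps.BackupStorageRedundancy
        SoftDelete        = $vaultProps.SoftDeleteFeatureState
        Immutability      = $vaultProps.ImmutabilityState
        GeoRedundant      = ($backupProps.BackupStorageRedundancy -eq 'GeoRedundant')
        SoftDeleteEnabled = ($vaultProps.SoftDeleteFeatureState -in @('Enabled', 'AlwaysON'))
        ImmutabilitySet   = ($vaultProps.ImmutabilityState -in @('Unlocked', 'Locked'))
    }
}

function Set-IsmBackupVaultBaseline {
    param([Parameter(Mandatory)] $Vault)
    # Storage redundancy can only be changed before the first item is protected.
    Set-AzRecoveryServicesBackupProperties -Vault $Vault -BackupStorageRedundancy GeoRedundant
    Set-AzRecoveryServicesVaultProperty -VaultId $Vault.ID -SoftDeleteFeatureState Enable
    # Unlocked immutability already blocks retention reduction and vault deletion;
    # move to Locked only after restores have been validated, because Locked is irreversible.
    Set-AzRecoveryServicesVaultProperty -VaultId $Vault.ID -ImmutabilityState Unlocked
}

$results = Get-AzRecoveryServicesVault | ForEach-Object { Test-IsmBackupVault -Vault $_ }
$results | Format-Table Vault, ResourceGroup, Redundancy, SoftDelete, Immutability -AutoSize

$nonCompliant = $results | Where-Object {
    -not ($_.GeoRedundant -and $_.SoftDeleteEnabled -and $_.ImmutabilitySet)
}
foreach ($r in $nonCompliant) {
    Write-Warning "Vault '$($r.Vault)' does not meet the ISM-1811 baseline"
    # Remediation is deliberately a separate, explicit call, e.g.:
    # Set-IsmBackupVaultBaseline -Vault (Get-AzRecoveryServicesVault -ResourceGroupName $r.ResourceGroup -Name $r.Vault)
}
```

Run the audit from a Backup Reader context; only the remediation function needs Backup Contributor rights on the vault.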
Apply Microsoft Purview Retention Policies to OneDrive Known Folder Move (KFM) Data
When OneDrive Known Folder Move (KFM) redirects Desktop, Documents, and Pictures to OneDrive for Business, those files fall within the scope of Microsoft Purview retention policies. Configuring a retention policy on OneDrive ensures that previous file versions are preserved in the Preservation Hold Library — a hidden, tamper-resistant area of each user’s OneDrive that is not accessible to end users or administrators outside of compliance tools.
This protects against the primary failure modes that backup retention addresses:
- Ransomware overwrite — encrypted or corrupted files are held as prior clean versions in the Preservation Hold Library for the full retention duration, even if the user’s visible copy is compromised.
- Accidental or malicious deletion — deleted files are retained beyond the standard 93-day recycle bin window, recoverable by compliance administrators via Microsoft Purview Content Search or eDiscovery.
- Version squashing — if a ransomware event overwrites hundreds of file versions, the pre-encryption versions remain as immutable retention copies.
> [!NOTE]
> Purview retention policies complement (but do not replace) OneDrive’s native 500-version history. Retention policies extend recoverable history to weeks, months, or years depending on the configured retention duration, and are recoverable by compliance admins independent of user actions.
| Retention capability | Native OneDrive versioning | Purview retention policy |
| --- | --- | --- |
| Version depth | Up to 500 versions | Unlimited (all versions during retention period) |
| Recovery window | 93-day recycle bin | Weeks to years (policy-defined) |
| Who recovers | User or SharePoint admin | Compliance admin (Content Search / eDiscovery) |
| Ransomware protection | Limited (versions may also be encrypted) | Strong (Preservation Hold Library is end-user inaccessible) |
| Regulatory compliance | No | Yes (AFDA, PSPF, ASD ISM) |
To configure a Purview retention policy covering OneDrive KFM data:
- Navigate to Microsoft Purview > Data lifecycle management > Retention policies > + New retention policy.
- Name the policy (e.g., KFM-OneDrive-Retain-7yr) and select Static scope.
- Under Locations, enable OneDrive accounts and scope to all users or a specific group that has KFM enforced.
- Set the retention action to Retain items even if users delete them and configure the duration (e.g., 7 years for PROTECTED data under AFDA).
- Leave Delete items after the retention period unchecked if indefinite preservation is required, or set a deletion age aligned to records disposal authorities.
- Submit and allow up to 7 days for the policy to propagate across all OneDrive accounts.
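The same retention policy can be created with Security & Compliance PowerShell, as an added example that is not part of the original page or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a Purview compliance role; the policy name and 7-year duration are taken from the procedure above.

```powershell
# Added example: create the KFM OneDrive retention policy from the procedure above
# with Security & Compliance PowerShell instead of the Purview portal.
# Assumes the ExchangeOnlineManagement module is installed and the account has a
# Purview compliance role (e.g. Compliance Administrator).
Connect-IPPSSession

$policyName = 'KFM-OneDrive-Retain-7yr'
$retainDays = 7 * 365        # Purview expresses retention duration in days (2555)

# Policy scope: OneDrive accounts only. -OneDriveLocation All covers every user;
# a static scope can instead list specific OneDrive site URLs.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'ISM-1811: retain OneDrive KFM data (Desktop, Documents, Pictures)' `
    -OneDriveLocation All `
    -Enabled $true

# Rule: keep items for 7 years from last modification, even if the user deletes them.
# Action "Keep" never deletes at the end of the period, matching the procedure's
# choice to leave "Delete items after the retention period" unchecked.
New-RetentionComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -RetentionDuration $retainDays `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Keep

# Verify distribution; propagation to all OneDrive accounts can take up to 7 days.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, OneDriveLocation
```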
Microsoft 365 Backup — Point-in-Time Restores for OneDrive for Business
Microsoft 365 Backup provides a dedicated, append-only backup service for OneDrive for Business that supports point-in-time restores — rolling back an entire OneDrive account (or granular files and folders) to a specific moment in the past, independent of versioning history or the recycle bin.
This is the primary mechanism for meeting the ISM-1811 requirement for resilient retention in a Microsoft 365 environment, as backup data is stored in immutable, append-only storage that cannot be modified or deleted by user actions, ransomware, or even Global Administrators during the retention period.
Recovery granularity and speed:
| Restore point age | Restore point granularity | Estimated restore speed |
| --- | --- | --- |
| 0 – 14 days | Every 10 minutes | Fast (express restore points) |
| 15 – 365 days | Weekly snapshots | Standard |
Restore options:
- Full account restore (in-place): Replaces the current OneDrive content with the state at the selected restore point. Use for catastrophic ransomware or mass-deletion events. Select the restore point, choose In-place restore, and confirm — M365 Backup handles the rollback.
- Full account restore (new URL): Creates a non-destructive copy of the OneDrive at a new URL. Allows side-by-side comparison before committing to replacement — preferred where selective recovery is needed.
- Granular file/folder restore (preview): Browse to a specific restore point, select individual files or folders, and restore to the original location or a new path without affecting other content.
> [!NOTE]
> Microsoft 365 Backup is licensed separately (Microsoft 365 Backup add-on) and is available for commercial tenants (GCC High and DoD are not currently supported). It complements — but does not replace — Purview retention policies. Retention policies preserve compliance copies; M365 Backup enables rapid operational recovery.
To enable Microsoft 365 Backup for OneDrive:
- In the Microsoft 365 admin center, go to Settings > Microsoft 365 Backup.
- Enable the OneDrive workload and select the accounts or groups to protect.
- Review the pricing impact (charged per protected GB/month) and confirm activation.
- For full account restores: navigate to Backup > OneDrive > select the affected account > Restore > choose a restore point > select restore type (in-place or new URL).
- For granular restores: select the account > Browse restore points > navigate to the target point in time > select files/folders > Restore to original location.