Microsoft.RecoveryServices vaults

Bicep resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.RecoveryServices/vaults resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.RecoveryServices/vaults@2024-10-01' = {
  etag: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    encryption: {
      infrastructureEncryption: 'string'
      kekIdentity: {
        userAssignedIdentity: 'string'
        useSystemAssignedIdentity: bool
      }
      keyVaultProperties: {
        keyUri: 'string'
      }
    }
    monitoringSettings: {
      azureMonitorAlertSettings: {
        alertsForAllFailoverIssues: 'string'
        alertsForAllJobFailures: 'string'
        alertsForAllReplicationIssues: 'string'
      }
      classicAlertSettings: {
        alertsForCriticalOperations: 'string'
        emailNotificationsForSiteRecovery: 'string'
      }
    }
    moveDetails: {}
    publicNetworkAccess: 'string'
    redundancySettings: {
      crossRegionRestore: 'string'
      standardTierStorageRedundancy: 'string'
    }
    resourceGuardOperationRequests: [
      'string'
    ]
    restoreSettings: {
      crossSubscriptionRestoreSettings: {
        crossSubscriptionRestoreState: 'string'
      }
    }
    securitySettings: {
      immutabilitySettings: {
        state: 'string'
      }
      softDeleteSettings: {
        enhancedSecurityState: 'string'
        softDeleteRetentionPeriodInDays: int
        softDeleteState: 'string'
      }
    }
    upgradeDetails: {}
  }
  sku: {
    capacity: 'string'
    family: 'string'
    name: 'string'
    size: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

AzureMonitorAlertSettings

Name Description Value
alertsForAllFailoverIssues 'Disabled'
'Enabled'
alertsForAllJobFailures 'Disabled'
'Enabled'
alertsForAllReplicationIssues 'Disabled'
'Enabled'

ClassicAlertSettings

Name Description Value
alertsForCriticalOperations 'Disabled'
'Enabled'
emailNotificationsForSiteRecovery 'Disabled'
'Enabled'

CmkKekIdentity

Name Description Value
userAssignedIdentity The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned string
useSystemAssignedIdentity Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field bool

CmkKeyVaultProperties

Name Description Value
keyUri The key uri of the Customer Managed Key string

CrossSubscriptionRestoreSettings

Name Description Value
crossSubscriptionRestoreState 'Disabled'
'Enabled'
'PermanentlyDisabled'

IdentityData

Name Description Value
type The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityDataUserAssignedIdentities

IdentityDataUserAssignedIdentities

Name Description Value

ImmutabilitySettings

Name Description Value
state 'Disabled'
'Locked'
'Unlocked'

Microsoft.RecoveryServices/vaults

Name Description Value
etag Optional ETag. string
identity Identity for the resource. IdentityData
location Resource location. string (required)
name The resource name string (required)
properties Properties of the vault. VaultProperties
sku Identifies the unique system identifier for each Azure resource. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates

MonitoringSettings

Name Description Value
azureMonitorAlertSettings Settings for Azure Monitor based alerts AzureMonitorAlertSettings
classicAlertSettings Settings for classic alerts ClassicAlertSettings

RestoreSettings

Name Description Value
crossSubscriptionRestoreSettings Settings for CrossSubscriptionRestore CrossSubscriptionRestoreSettings

SecuritySettings

Name Description Value
immutabilitySettings Immutability Settings of a vault ImmutabilitySettings
softDeleteSettings Soft delete Settings of a vault SoftDeleteSettings

Sku

Name Description Value
capacity The sku capacity string
family The sku family string
name Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig 'RS0'
'Standard' (required)
size The sku size string
tier The Sku tier. string

SoftDeleteSettings

Name Description Value
enhancedSecurityState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'
softDeleteRetentionPeriodInDays Soft delete retention period in days int
softDeleteState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'

TrackedResourceTags

Name Description Value

UpgradeDetails

Name Description Value

UserIdentity

Name Description Value

VaultProperties

Name Description Value
encryption Customer Managed Key details of the resource. VaultPropertiesEncryption
monitoringSettings Monitoring Settings of the vault MonitoringSettings
moveDetails The details of the latest move operation performed on the Azure Resource VaultPropertiesMoveDetails
publicNetworkAccess property to enable or disable resource provider inbound network traffic from public clients 'Disabled'
'Enabled'
redundancySettings The redundancy Settings of a Vault VaultPropertiesRedundancySettings
resourceGuardOperationRequests ResourceGuardOperationRequests on which LAC check will be performed string[]
restoreSettings Restore Settings of the vault RestoreSettings
securitySettings Security Settings of the vault SecuritySettings
upgradeDetails Details for upgrading vault. UpgradeDetails

VaultPropertiesEncryption

Name Description Value
infrastructureEncryption Enabling/Disabling the Double Encryption state 'Disabled'
'Enabled'
kekIdentity The details of the identity used for CMK CmkKekIdentity
keyVaultProperties The properties of the Key Vault which hosts CMK CmkKeyVaultProperties

VaultPropertiesMoveDetails

Name Description Value

VaultPropertiesRedundancySettings

Name Description Value
crossRegionRestore Flag to show if Cross Region Restore is enabled on the Vault or not 'Disabled'
'Enabled'
standardTierStorageRedundancy The storage redundancy setting of a vault 'GeoRedundant'
'Invalid'
'LocallyRedundant'
'ZoneRedundant'

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Azure Backup for Workload in Azure Virtual Machines This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection
Backup existing File Share using Recovery Services (Daily) This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values.
Backup existing File Share using Recovery Services (hourly) This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values.
Backup Resource Manager VMs using Recovery Services vault This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group
Create a Recovery Services vault with advanced options This template creates a Recovery Services vault that will be used further for Backup and Site Recovery.
Create Daily Backup Policy for RS Vault to protect IaaSVMs This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs.
Create Recovery Services Vault and Enable Diagnostics This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace.
Create Recovery Services Vault with backup policies This template creates a Recovery Services Vault with backup policies and configure optional features such system identity, backup storage type, cross region restore and diagnostics logs and a delete lock.
Create Recovery Services Vault with default options Simple template that creates a Recovery Services Vault.
Create Weekly Backup Policy for RS Vault to protect IaaSVMs This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs.
Deploy a Windows VM and enable backup using Azure Backup This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection.

ARM template resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.RecoveryServices/vaults resource, add the following JSON to your template.

{
  "type": "Microsoft.RecoveryServices/vaults",
  "apiVersion": "2024-10-01",
  "name": "string",
  "etag": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "encryption": {
      "infrastructureEncryption": "string",
      "kekIdentity": {
        "userAssignedIdentity": "string",
        "useSystemAssignedIdentity": "bool"
      },
      "keyVaultProperties": {
        "keyUri": "string"
      }
    },
    "monitoringSettings": {
      "azureMonitorAlertSettings": {
        "alertsForAllFailoverIssues": "string",
        "alertsForAllJobFailures": "string",
        "alertsForAllReplicationIssues": "string"
      },
      "classicAlertSettings": {
        "alertsForCriticalOperations": "string",
        "emailNotificationsForSiteRecovery": "string"
      }
    },
    "moveDetails": {
    },
    "publicNetworkAccess": "string",
    "redundancySettings": {
      "crossRegionRestore": "string",
      "standardTierStorageRedundancy": "string"
    },
    "resourceGuardOperationRequests": [ "string" ],
    "restoreSettings": {
      "crossSubscriptionRestoreSettings": {
        "crossSubscriptionRestoreState": "string"
      }
    },
    "securitySettings": {
      "immutabilitySettings": {
        "state": "string"
      },
      "softDeleteSettings": {
        "enhancedSecurityState": "string",
        "softDeleteRetentionPeriodInDays": "int",
        "softDeleteState": "string"
      }
    },
    "upgradeDetails": {
    }
  },
  "sku": {
    "capacity": "string",
    "family": "string",
    "name": "string",
    "size": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

AzureMonitorAlertSettings

Name Description Value
alertsForAllFailoverIssues 'Disabled'
'Enabled'
alertsForAllJobFailures 'Disabled'
'Enabled'
alertsForAllReplicationIssues 'Disabled'
'Enabled'

ClassicAlertSettings

Name Description Value
alertsForCriticalOperations 'Disabled'
'Enabled'
emailNotificationsForSiteRecovery 'Disabled'
'Enabled'

CmkKekIdentity

Name Description Value
userAssignedIdentity The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned string
useSystemAssignedIdentity Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field bool

CmkKeyVaultProperties

Name Description Value
keyUri The key uri of the Customer Managed Key string

CrossSubscriptionRestoreSettings

Name Description Value
crossSubscriptionRestoreState 'Disabled'
'Enabled'
'PermanentlyDisabled'

IdentityData

Name Description Value
type The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityDataUserAssignedIdentities

IdentityDataUserAssignedIdentities

Name Description Value

ImmutabilitySettings

Name Description Value
state 'Disabled'
'Locked'
'Unlocked'

Microsoft.RecoveryServices/vaults

Name Description Value
apiVersion The api version '2024-10-01'
etag Optional ETag. string
identity Identity for the resource. IdentityData
location Resource location. string (required)
name The resource name string (required)
properties Properties of the vault. VaultProperties
sku Identifies the unique system identifier for each Azure resource. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.RecoveryServices/vaults'

MonitoringSettings

Name Description Value
azureMonitorAlertSettings Settings for Azure Monitor based alerts AzureMonitorAlertSettings
classicAlertSettings Settings for classic alerts ClassicAlertSettings

RestoreSettings

Name Description Value
crossSubscriptionRestoreSettings Settings for CrossSubscriptionRestore CrossSubscriptionRestoreSettings

SecuritySettings

Name Description Value
immutabilitySettings Immutability Settings of a vault ImmutabilitySettings
softDeleteSettings Soft delete Settings of a vault SoftDeleteSettings

Sku

Name Description Value
capacity The sku capacity string
family The sku family string
name Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig 'RS0'
'Standard' (required)
size The sku size string
tier The Sku tier. string

SoftDeleteSettings

Name Description Value
enhancedSecurityState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'
softDeleteRetentionPeriodInDays Soft delete retention period in days int
softDeleteState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'

TrackedResourceTags

Name Description Value

UpgradeDetails

Name Description Value

UserIdentity

Name Description Value

VaultProperties

Name Description Value
encryption Customer Managed Key details of the resource. VaultPropertiesEncryption
monitoringSettings Monitoring Settings of the vault MonitoringSettings
moveDetails The details of the latest move operation performed on the Azure Resource VaultPropertiesMoveDetails
publicNetworkAccess property to enable or disable resource provider inbound network traffic from public clients 'Disabled'
'Enabled'
redundancySettings The redundancy Settings of a Vault VaultPropertiesRedundancySettings
resourceGuardOperationRequests ResourceGuardOperationRequests on which LAC check will be performed string[]
restoreSettings Restore Settings of the vault RestoreSettings
securitySettings Security Settings of the vault SecuritySettings
upgradeDetails Details for upgrading vault. UpgradeDetails

VaultPropertiesEncryption

Name Description Value
infrastructureEncryption Enabling/Disabling the Double Encryption state 'Disabled'
'Enabled'
kekIdentity The details of the identity used for CMK CmkKekIdentity
keyVaultProperties The properties of the Key Vault which hosts CMK CmkKeyVaultProperties

VaultPropertiesMoveDetails

Name Description Value

VaultPropertiesRedundancySettings

Name Description Value
crossRegionRestore Flag to show if Cross Region Restore is enabled on the Vault or not 'Disabled'
'Enabled'
standardTierStorageRedundancy The storage redundancy setting of a vault 'GeoRedundant'
'Invalid'
'LocallyRedundant'
'ZoneRedundant'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Azure Backup for Workload in Azure Virtual Machines

Deploy to Azure
This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection
Backup existing File Share using Recovery Services (Daily)

Deploy to Azure
This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values.
Backup existing File Share using Recovery Services (hourly)

Deploy to Azure
This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values.
Backup Resource Manager VMs using Recovery Services vault

Deploy to Azure
This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group
Create a Recovery Services vault with advanced options

Deploy to Azure
This template creates a Recovery Services vault that will be used further for Backup and Site Recovery.
Create Daily Backup Policy for RS Vault to protect IaaSVMs

Deploy to Azure
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs.
Create Recovery Services Vault and Enable Diagnostics

Deploy to Azure
This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace.
Create Recovery Services Vault with backup policies

Deploy to Azure
This template creates a Recovery Services Vault with backup policies and configure optional features such system identity, backup storage type, cross region restore and diagnostics logs and a delete lock.
Create Recovery Services Vault with default options

Deploy to Azure
Simple template that creates a Recovery Services Vault.
Create Weekly Backup Policy for RS Vault to protect IaaSVMs

Deploy to Azure
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs.
Deploy a Windows VM and enable backup using Azure Backup

Deploy to Azure
This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection.
IBM Cloud Pak for Data on Azure

Deploy to Azure
This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses.
Openshift Container Platform 4.3

Deploy to Azure
Openshift Container Platform 4.3

Terraform (AzAPI provider) resource definition

The vaults resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.RecoveryServices/vaults resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.RecoveryServices/vaults@2024-10-01"
  name = "string"
  etag = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  sku = {
    capacity = "string"
    family = "string"
    name = "string"
    size = "string"
    tier = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      encryption = {
        infrastructureEncryption = "string"
        kekIdentity = {
          userAssignedIdentity = "string"
          useSystemAssignedIdentity = bool
        }
        keyVaultProperties = {
          keyUri = "string"
        }
      }
      monitoringSettings = {
        azureMonitorAlertSettings = {
          alertsForAllFailoverIssues = "string"
          alertsForAllJobFailures = "string"
          alertsForAllReplicationIssues = "string"
        }
        classicAlertSettings = {
          alertsForCriticalOperations = "string"
          emailNotificationsForSiteRecovery = "string"
        }
      }
      moveDetails = {
      }
      publicNetworkAccess = "string"
      redundancySettings = {
        crossRegionRestore = "string"
        standardTierStorageRedundancy = "string"
      }
      resourceGuardOperationRequests = [
        "string"
      ]
      restoreSettings = {
        crossSubscriptionRestoreSettings = {
          crossSubscriptionRestoreState = "string"
        }
      }
      securitySettings = {
        immutabilitySettings = {
          state = "string"
        }
        softDeleteSettings = {
          enhancedSecurityState = "string"
          softDeleteRetentionPeriodInDays = int
          softDeleteState = "string"
        }
      }
      upgradeDetails = {
      }
    }
  })
}

Property values

AzureMonitorAlertSettings

Name Description Value
alertsForAllFailoverIssues 'Disabled'
'Enabled'
alertsForAllJobFailures 'Disabled'
'Enabled'
alertsForAllReplicationIssues 'Disabled'
'Enabled'

ClassicAlertSettings

Name Description Value
alertsForCriticalOperations 'Disabled'
'Enabled'
emailNotificationsForSiteRecovery 'Disabled'
'Enabled'

CmkKekIdentity

Name Description Value
userAssignedIdentity The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned string
useSystemAssignedIdentity Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field bool

CmkKeyVaultProperties

Name Description Value
keyUri The key uri of the Customer Managed Key string

CrossSubscriptionRestoreSettings

Name Description Value
crossSubscriptionRestoreState 'Disabled'
'Enabled'
'PermanentlyDisabled'

IdentityData

Name Description Value
type The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. IdentityDataUserAssignedIdentities

IdentityDataUserAssignedIdentities

Name Description Value

ImmutabilitySettings

Name Description Value
state 'Disabled'
'Locked'
'Unlocked'

Microsoft.RecoveryServices/vaults

Name Description Value
etag Optional ETag. string
identity Identity for the resource. IdentityData
location Resource location. string (required)
name The resource name string (required)
properties Properties of the vault. VaultProperties
sku Identifies the unique system identifier for each Azure resource. Sku
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.RecoveryServices/vaults@2024-10-01"

MonitoringSettings

Name Description Value
azureMonitorAlertSettings Settings for Azure Monitor based alerts AzureMonitorAlertSettings
classicAlertSettings Settings for classic alerts ClassicAlertSettings

RestoreSettings

Name Description Value
crossSubscriptionRestoreSettings Settings for CrossSubscriptionRestore CrossSubscriptionRestoreSettings

SecuritySettings

Name Description Value
immutabilitySettings Immutability Settings of a vault ImmutabilitySettings
softDeleteSettings Soft delete Settings of a vault SoftDeleteSettings

Sku

Name Description Value
capacity The sku capacity string
family The sku family string
name Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig 'RS0'
'Standard' (required)
size The sku size string
tier The Sku tier. string

SoftDeleteSettings

Name Description Value
enhancedSecurityState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'
softDeleteRetentionPeriodInDays Soft delete retention period in days int
softDeleteState 'AlwaysON'
'Disabled'
'Enabled'
'Invalid'

TrackedResourceTags

Name Description Value

UpgradeDetails

Name Description Value

UserIdentity

Name Description Value

VaultProperties

Name Description Value
encryption Customer Managed Key details of the resource. VaultPropertiesEncryption
monitoringSettings Monitoring Settings of the vault MonitoringSettings
moveDetails The details of the latest move operation performed on the Azure Resource VaultPropertiesMoveDetails
publicNetworkAccess property to enable or disable resource provider inbound network traffic from public clients 'Disabled'
'Enabled'
redundancySettings The redundancy Settings of a Vault VaultPropertiesRedundancySettings
resourceGuardOperationRequests ResourceGuardOperationRequests on which LAC check will be performed string[]
restoreSettings Restore Settings of the vault RestoreSettings
securitySettings Security Settings of the vault SecuritySettings
upgradeDetails Details for upgrading vault. UpgradeDetails

VaultPropertiesEncryption

Name Description Value
infrastructureEncryption Enabling/Disabling the Double Encryption state 'Disabled'
'Enabled'
kekIdentity The details of the identity used for CMK CmkKekIdentity
keyVaultProperties The properties of the Key Vault which hosts CMK CmkKeyVaultProperties

VaultPropertiesMoveDetails

Name Description Value

VaultPropertiesRedundancySettings

Name Description Value
crossRegionRestore Flag to show if Cross Region Restore is enabled on the Vault or not 'Disabled'
'Enabled'
standardTierStorageRedundancy The storage redundancy setting of a vault 'GeoRedundant'
'Invalid'
'LocallyRedundant'
'ZoneRedundant'