Unlock-AzDataProtectionResourceGuardOperation
Unlocks the critical operation which is protected by the resource guard
Syntax
Unlock-AzDataProtectionResourceGuardOperation
-ResourceGroupName <String>
-VaultName <String>
[-SubscriptionId <String>]
[-ResourceGuardOperationRequest <String[]>]
[-ResourceToBeDeleted <String>]
[-Token <String>]
[-SecureToken <SecureString>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Unlocks the critical operation which is protected by the resource guard
Examples
Example 1: Unlock critical operation protected by resource guard - delete backup instance
$proxy = Get-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -VaultName $vaultName -SubscriptionId $subscriptionId
$operationRequests = $proxy.ResourceGuardOperationDetail.DefaultResourceRequest
$resourceGuardOperationRequest = $operationRequests | Where-Object { $_ -match "deleteBackupInstanceRequests" }
$token = (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$instances = Get-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vault.Name -ResourceGuardOperationRequest $resourceGuardOperationRequest -ResourceToBeDeleted $instances[0].Id -Token $token
$unlock | fl
Remove-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName -Name $instances[0].Name
2023-08-28T14:29:17.3982762Z
Ensure you have a contributor access over resource guard before doing unlock.
Fetch and pass the cross tenant authorization token in case the resource guard is present in a different tenant.
The first command fetches the resource guard mapping between backup vault and the resource guard. The second command fetches the operation requests corresponding to all critical operations protected by resource guard. The third command fetch the operation request corresponding to the operation we want to unlock. The fourth command fetches the access token corresponding to resource guard tenant. The fifth command fetches the backup instance we want to stop protection. The sixth command unlocks the delete backup operation which is protected by the resource guard. Ensure to have contributor access over resource guard before unlock. Finally, we remove the backup instance for which we want to disable protection.
Example 2: Unlock delete backup instance operation with short hand
$token = (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$instances = Get-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vault.Name -ResourceGuardOperationRequest DeleteBackupInstance -ResourceToBeDeleted $instances[0].Id -Token $token
$unlock | fl
Remove-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName -Name $instances[0].Name
2023-08-28T14:29:17.3982762Z
This example is faster way (short hand) for Example 1. In this example we show that by just passing the DeleteBackupInstance to ResourceGuardOperationRequest we can perform unlock. we pass the instance ARM Id as the resource to be deleted. Pass access token in case of cross tenant resource guard.
Example 3: Unlock disable MUA operation with short hand
$token = (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$proxy = Get-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -VaultName $vaultName -SubscriptionId $subscriptionId
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vault.Name -ResourceGuardOperationRequest DisableMUA -ResourceToBeDeleted $proxy.Id -Token $token
$unlock | fl
Remove-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName
2023-08-28T14:29:17.3982762Z
This example is faster way (short hand) for Example 1. In this example we show that by just passing the DisableMUA to ResourceGuardOperationRequest we can perform unlock. we pass the resource guard mapping ARM Id as the resource to be deleted, this will disable MUA on the backup vault. Pass access token in case of cross tenant resource guard.
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
Type: | PSObject |
Aliases: | AzureRMContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
Resource Group name of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGuardOperationRequest
List of critical operations which are protected by the resourceGuard and need to be unlocked. Supported values are DeleteBackupInstance, DisableMUA
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceToBeDeleted
ARM Id of the resource that need to be unlocked for performing critical operation
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SecureToken
Parameter to authorize operations protected by cross tenant resource guard. Use command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -AsSecureString").Token to fetch authorization token for different tenant.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
Subscription Id of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Token
Parameter to authorize operations protected by cross tenant resource guard. Use command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -AsSecureString").Token to fetch secure authorization token for different tenant and then convert to string using ConvertFrom-SecureString cmdlet.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-VaultName
Name of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Outputs
Azure PowerShell