Unlocks the critical operation which is protected by the resource guard
Unlock-AzDataProtectionResourceGuardOperation
-ResourceGroupName <String>
-VaultName <String>
[-SubscriptionId <String>]
[-ResourceGuardOperationRequest <String[]>]
[-ResourceToBeDeleted <String>]
[-Token <String>]
[-SecureToken <SecureString>]
[-DefaultProfile <PSObject>]
Example 1: Unlock critical operation protected by resource guard - delete backup instance
$proxy = Get-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -VaultName $vaultName -SubscriptionId $subscriptionId
$operationRequests = $proxy.ResourceGuardOperationDetail.DefaultResourceRequest
$resourceGuardOperationRequest = $operationRequests | Where-Object { $_ -match "deleteBackupInstanceRequests" }
$token = (Get-AzAccessToken -AsSecureString -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$instances = Get-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName -ResourceGuardOperationRequest $resourceGuardOperationRequest -ResourceToBeDeleted $instances[0].Id -SecureToken $token
$unlock | fl
Remove-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName -Name $instances[0].Name
Ensure you have contributor access over the resource guard before performing the unlock.
If the resource guard is in a different tenant, fetch and pass the cross-tenant authorization token.
The first command fetches the resource guard mapping between the backup vault and the resource guard. The second command fetches the operation requests corresponding to all critical operations protected by the resource guard. The third command fetches the operation request corresponding to the operation we want to unlock. The fourth command fetches the access token for the resource guard tenant. The fifth command fetches the backup instance for which we want to stop protection. The sixth command unlocks the delete backup operation, which is protected by the resource guard. Ensure you have contributor access over the resource guard before the unlock. Finally, we remove the backup instance for which we want to disable protection.
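A more defensive version of Example 1, as an added example that is not part of the original documentation: it selects the backup instance by name instead of taking $instances[0], stops if the mapping, operation request or instance is missing or ambiguous, and previews the unlock with -WhatIf. The variable values, and the names $guardTenantId and $instanceName, are placeholders assumed for illustration.

```powershell
# Added example, not from the original page. Assumes the Az.DataProtection module is
# loaded and Connect-AzAccount has been run. All values below are placeholders.
$subscriptionId    = "<subscription-id>"
$resourceGroupName = "<vault-resource-group>"
$vaultName         = "<backup-vault-name>"
$guardTenantId     = "<resource-guard-tenant-id>"
$instanceName      = "<backup-instance-name>"

$ErrorActionPreference = "Stop"
$scope = @{
    SubscriptionId    = $subscriptionId
    ResourceGroupName = $resourceGroupName
    VaultName         = $vaultName
}

# 1. Confirm the vault is actually mapped to a resource guard.
$proxy = Get-AzDataProtectionResourceGuardMapping @scope
if (-not $proxy) { throw "No resource guard mapping found on vault '$vaultName'." }

# 2. Require exactly one operation request for the delete operation.
$requests = @($proxy.ResourceGuardOperationDetail.DefaultResourceRequest |
    Where-Object { $_ -match "deleteBackupInstanceRequests" })
if ($requests.Count -ne 1) {
    throw "Expected one deleteBackupInstanceRequests entry, found $($requests.Count)."
}

# 3. Select the instance by name so the wrong one is never unlocked.
$target = @(Get-AzDataProtectionBackupInstance @scope |
    Where-Object { $_.Name -eq $instanceName })
if ($target.Count -ne 1) {
    throw "Expected one backup instance named '$instanceName', found $($target.Count)."
}

# 4. Token for the resource guard's tenant, kept as a SecureString.
$token = (Get-AzAccessToken -AsSecureString -TenantId $guardTenantId).Token

# 5. Preview first; rerun without -WhatIf to perform the unlock.
Unlock-AzDataProtectionResourceGuardOperation @scope `
    -ResourceGuardOperationRequest $requests[0] `
    -ResourceToBeDeleted $target[0].Id `
    -SecureToken $token -WhatIf
```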
Example 2: Unlock delete backup instance operation with shorthand
$token = (Get-AzAccessToken -AsSecureString -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$instances = Get-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName -ResourceGuardOperationRequest DeleteBackupInstance -ResourceToBeDeleted $instances[0].Id -SecureToken $token
$unlock | fl
Remove-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -VaultName $vaultName -Name $instances[0].Name
This example is a faster (shorthand) way to do Example 1. It shows that the unlock can be performed by passing just DeleteBackupInstance to ResourceGuardOperationRequest. We pass the instance ARM Id as the resource to be deleted. Pass the access token in the case of a cross-tenant resource guard.
Example 3: Unlock disable MUA operation with shorthand
$token = (Get-AzAccessToken -AsSecureString -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token
$proxy = Get-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -VaultName $vaultName -SubscriptionId $subscriptionId
$unlock = Unlock-AzDataProtectionResourceGuardOperation -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName -ResourceGuardOperationRequest DisableMUA -ResourceToBeDeleted $proxy.Id -SecureToken $token
$unlock | fl
Remove-AzDataProtectionResourceGuardMapping -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName
This example is a faster (shorthand) way to do Example 1. It shows that the unlock can be performed by passing just DisableMUA to ResourceGuardOperationRequest. We pass the resource guard mapping ARM Id as the resource to be deleted; this will disable MUA on the backup vault. Pass the access token in the case of a cross-tenant resource guard.
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
Type: | PSObject |
Aliases: | AzureRMContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
Resource Group name of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGuardOperationRequest
List of critical operations which are protected by the resource guard and need to be unlocked. Supported values are DeleteBackupInstance, DisableMUA.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceToBeDeleted
ARM Id of the resource that needs to be unlocked for performing the critical operation
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SecureToken
Parameter to authorize operations protected by a cross-tenant resource guard. Use the command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -AsSecureString).Token to fetch the authorization token for a different tenant.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
Subscription Id of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Token
This parameter is deprecated. Please use SecureToken instead.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-VaultName
Name of the backup vault
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |