Articles

Configure Azure Backup Vault for VM and Storage (2026)

April 16, 2026 3 min read

An Azure Backup Vault is how Azure keeps track of what you want to back up and where it stores those backups.

Let’s see it in action. Imagine you have a virtual machine (VM) in Azure that you need to back up. You also have some data in Azure Blob Storage that needs protection.

First, you need a place to store the backups. That’s your Azure Backup Vault.

# Create a resource group if you don't have one
az group create --name MyBackupResourceGroup --location eastus

# Create the Recovery Services vault
az backup vault create --resource-group MyBackupResourceGroup --name MyRecoveryServicesVault --location eastus

Now, you need to tell the vault what to protect. For a VM, it’s straightforward.

# Get the ID of the VM you want to back up
VM_ID=$(az vm show --resource-group MyVMResourceGroup --name MyVM --query id -o tsv)

# Enable backup for the VM
az backup protection enable-for-vm \
  --resource-group MyVMResourceGroup \
  --vault-name MyRecoveryServicesVault \
  --vm $VM_ID \
  --policy-name MyVMBackupPolicy

Behind the scenes, az backup protection enable-for-vm does a few things. It creates a backup policy (if MyVMBackupPolicy doesn’t exist) that defines the schedule and retention for your backups. It then registers the VM with the Recovery Services vault, allowing the vault to manage its backups.

For Azure Blob Storage, it’s a bit different. You back up a storage account, not individual blobs.

# Get the ID of the storage account
STORAGE_ACCOUNT_ID=$(az storage account show --resource-group MyStorageResourceGroup --name MyStorageAccount --query id -o tsv)

# Enable backup for the storage account
az backup protection enable-for-storage-account \
  --resource-group MyStorageResourceGroup \
  --vault-name MyRecoveryServicesVault \
  --storage-account $STORAGE_ACCOUNT_ID \
  --policy-name MyStorageBackupPolicy

This command registers the storage account with the vault and associates it with a backup policy. The policy for storage accounts defines the backup frequency and retention.

The core problem Azure Backup Vault solves is providing a centralized, managed service for data protection across various Azure services, abstracting away the complexities of storage, scheduling, and retention management. It acts as a single pane of glass for your backup strategy.

You control the behavior of your backups primarily through backup policies. These policies are separate resources that you can create and associate with your protected items (like VMs or storage accounts). A policy defines:

  • Backup Schedule: How often backups are taken (e.g., daily at 10 PM).
  • Retention Range: How long backups are kept (e.g., daily backups kept for 30 days, monthly backups kept for 12 months).
  • Backup Type: Full or incremental (though for many services, this is managed by Azure).

You can create and manage policies using the Azure CLI:

# Create a backup policy for VMs
az backup policy create \
  --resource-group MyBackupResourceGroup \
  --vault-name MyRecoveryServicesVault \
  --name MyVMBackupPolicy \
  --workload-type VM \
  --schedule "daily 10:00" \
  --retention "30d"

# Create a backup policy for storage accounts
az backup policy create \
  --resource-group MyBackupResourceGroup \
  --vault-name MyRecoveryServicesVault \
  --name MyStorageBackupPolicy \
  --workload-type Storage \
  --schedule "daily 02:00" \
  --retention "90d"

The surprising thing is how Azure Backup Vault handles the actual backup data for VMs. It doesn’t just take a snapshot of your VM’s disks. Instead, it leverages Azure’s snapshot capabilities but then orchestrates the transfer of these snapshots to the vault’s underlying storage, which is typically Azure Blob Storage managed by the vault itself. This process ensures that your backups are stored independently of the original VM and its disks, providing resilience.

When you enable backup for a storage account, Azure Backup Vault doesn’t continuously mirror your data. Instead, it takes snapshots of your blobs at the defined schedule. These snapshots are point-in-time copies of your blob data, allowing you to restore individual blobs or an entire container to a previous state. The vault manages the lifecycle of these snapshots, retaining them according to your policy.

The next thing you’ll likely grapple with is performing restores, which is the whole point of having backups in the first place.

Want structured learning?

Take the full Azure course →