How to Configure Azure Backup for Windows Server 2016
Azure Backup is Microsoft’s cloud-based backup service that protects on-premises Windows Server workloads by storing data in Azure Recovery Services vaults. It provides offsite, encrypted, geo-redundant backup storage without the capital expense of managing tape libraries or remote backup hardware. Azure Backup for Windows Server 2016 is delivered through the Microsoft Azure Recovery Services (MARS) agent, which installs locally and communicates directly with Azure.
This guide covers creating an Azure Recovery Services vault, installing and registering the MARS agent, scheduling backups, and performing restores.
Prerequisites
Before starting, ensure you have an active Azure subscription, administrative access to your Windows Server 2016 machine, and outbound internet connectivity on ports 443. The server does not need to be Azure-joined or domain-joined for Azure Backup to work.
Step 1: Create an Azure Recovery Services Vault
Log into the Azure Portal at portal.azure.com. Search for Recovery Services vaults and click Create. Fill in the subscription, resource group, vault name, and region. Choose a region geographically close to your server for optimal upload performance. Click Review + Create and then Create.
You can also create a vault using Azure CLI:
az login
az group create --name BackupRG --location eastus
az backup vault create --resource-group BackupRG --name MyBackupVault --location eastusStep 2: Download and Install the MARS Agent
In the Azure Portal, open your Recovery Services vault and navigate to Backup. Under Backup Goal, select On-Premises and Files and folders, then click Prepare Infrastructure. Download the MARS agent installer and the vault credentials file—you will need both.
Run the MARS agent installer on your Windows Server 2016 machine. Accept the defaults for installation path and proxy settings unless your environment requires a specific outbound proxy. Complete the installation wizard.
Step 3: Register the Server with the Vault
After installation, the Register Server Wizard opens automatically. If it does not, launch the Microsoft Azure Backup application from the Start menu and click Register Server.
Browse to the vault credentials file downloaded in Step 2. Enter and confirm a passphrase that will encrypt all backup data. Store this passphrase securely—Microsoft cannot recover it. Complete registration. The server now appears in the vault under Protected Servers.
Step 4: Schedule a Backup Job
Open the Microsoft Azure Backup console. Click Schedule Backup to open the Schedule Backup Wizard. Select the files, folders, or volumes to protect. Configure backup frequency (up to three times daily) and retention settings:
Retention policies can be set for daily, weekly, monthly, and yearly backup points. For example, keep daily backups for 30 days, weekly for 12 weeks, and monthly for 12 months. This creates a comprehensive retention ladder without manual management.
Confirm settings and finish the wizard. Azure Backup will begin the initial backup at the scheduled time. The first full backup can take hours depending on data volume and upload speed.
Step 5: Trigger an Immediate Backup
To start an on-demand backup without waiting for the schedule, open the Microsoft Azure Backup console, click Back Up Now, confirm the items to back up, set a retention date for this backup point, and click Back Up. You can also trigger this via PowerShell after importing the module:
$namedContainer = Get-OBContainer
$backupItem = Get-OBItem -Container $namedContainer
Start-OBBackup -BackupItem $backupItemStep 6: Monitor Backup Jobs
In the Azure Portal, open your Recovery Services vault and navigate to Backup Jobs. This view shows all scheduled and on-demand backup jobs with their status, duration, and data transferred. You can configure alert rules to receive email notifications when a backup fails:
az monitor activity-log alert create
--name BackupFailureAlert
--resource-group BackupRG
--scope /subscriptions/{subscription-id}/resourceGroups/BackupRG/providers/Microsoft.RecoveryServices/vaults/MyBackupVault
--condition category=ServiceHealth
--action-group /subscriptions/{subscription-id}/resourceGroups/BackupRG/providers/microsoft.insights/actionGroups/BackupAlertGroupStep 7: Restore Files from Azure Backup
To recover files, open the Microsoft Azure Backup console and click Recover Data. Choose This server, then Files and folders. Select a recovery point from the calendar. Click Mount to mount the backup volume as a local drive letter on the server. Browse the mounted drive using File Explorer and copy the needed files to their original or alternate location. When done, click Unmount in the console to release the cloud volume.
Step 8: Configure Bandwidth Throttling
To prevent backup jobs from saturating your internet connection during business hours, configure throttling in the MARS agent. Open Microsoft Azure Backup, click Change Properties, and select the Throttling tab. Enable throttling and set limits for work and non-work hours:
# Example: Set throttle via registry (advanced)
Set-ItemProperty -Path "HKLM:SOFTWAREMicrosoftWindows Azure BackupConfig" -Name "WorkHoursThrottleRate" -Value 512
Set-ItemProperty -Path "HKLM:SOFTWAREMicrosoftWindows Azure BackupConfig" -Name "NonWorkHoursThrottleRate" -Value 2048Best Practices
Store the encryption passphrase in a password manager or physical safe—loss of this passphrase makes recovery impossible. Enable soft-delete on the vault to protect backup data from accidental or malicious deletion. Use geo-redundant storage (GRS) for the vault to replicate data to a paired Azure region. Test restores at least quarterly to confirm the backup chain is intact. Combine Azure Backup with on-premises Windows Server Backup for a layered, 3-2-1 backup strategy.
