How to Configure Azure Backup for Windows Server 2025

Azure Backup extends your Windows Server 2025 data protection strategy to the cloud, giving you offsite backup storage without managing physical tape drives or remote data centers. Using the Microsoft Azure Recovery Services (MARS) agent, you can back up files, folders, and system state directly to a Recovery Services Vault in Azure, with retention policies that span years. This guide covers every step from creating the vault in Azure through configuring schedules, running your first backup, and performing a granular file recovery — all with a strong emphasis on security and operational best practices relevant to Windows Server 2025 deployments.

Prerequisites

  • An active Microsoft Azure subscription
  • Windows Server 2025 with outbound HTTPS access to Azure endpoints (TCP 443)
  • Administrator credentials on the Windows Server 2025 machine
  • Azure CLI or access to the Azure Portal for vault creation and monitoring
  • A secure location to store the passphrase generated during agent registration (this is critical — losing it means losing access to your backups)
  • At least 5 GB of free local cache space (default: C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch)

Step 1: Create a Recovery Services Vault in Azure

The Recovery Services Vault is the cloud container that stores your backup data and defines the geo-redundancy setting for your backups. Create it in the Azure region closest to your Windows Server to minimize upload latency. Use the Azure CLI or Azure Portal:

# Using Azure CLI (run from PowerShell with Azure CLI installed, or Azure Cloud Shell)
az login

# Create a resource group for backup resources
az group create --name rg-backup-prod --location eastus

# Create the Recovery Services Vault with geo-redundant storage (recommended)
az backup vault create `
    --resource-group rg-backup-prod `
    --name rsv-ws2025-prod `
    --location eastus

# Set storage redundancy (GeoRedundant = default, LocallyRedundant for cost savings in non-critical scenarios)
az backup vault backup-properties set `
    --resource-group rg-backup-prod `
    --name rsv-ws2025-prod `
    --backup-storage-redundancy GeoRedundant

# Enable soft delete (protects against accidental or malicious backup deletion — highly recommended)
az backup vault update `
    --resource-group rg-backup-prod `
    --name rsv-ws2025-prod `
    --soft-delete-feature-state Enable

Geo-redundant storage (GRS) replicates your backup data to a paired Azure region, giving you protection against regional outages. For less critical workloads, locally redundant storage (LRS) reduces cost while still providing cloud offsite protection.

Step 2: Download and Install the MARS Agent

The Microsoft Azure Recovery Services agent is the software component installed on your Windows Server 2025 machine that handles data transfer, encryption, and scheduling. Download it from the Azure Portal or directly via PowerShell:

# Download the MARS agent installer using PowerShell
$MARSInstallerUrl = "https://aka.ms/azurebackup_agent"
$InstallerPath = "$env:TEMP\MARSAgentInstaller.exe"

Invoke-WebRequest -Uri $MARSInstallerUrl -OutFile $InstallerPath -UseBasicParsing

# Install silently with default settings
Start-Process -FilePath $InstallerPath -ArgumentList "/q" -Wait

# Verify installation
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Azure Backup" | Select-Object DisplayName, DisplayVersion

After installation, the Microsoft Azure Backup application appears in the Start menu. All subsequent configuration can be done through this GUI or via the MARS agent PowerShell module (MSOnlineBackup), which is installed automatically with the agent.
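
The download step above runs the installer silently with administrator rights, so it is worth checking the file's Authenticode signature first. The following is an added example, not part of the original guide or of Microsoft's tooling; the helper name Test-MicrosoftSignedFile and the match on "O=Microsoft Corporation" in the signer subject are assumptions of this example.

```powershell
# Added example: gate the silent install on a valid Microsoft Authenticode signature.
# Test-MicrosoftSignedFile is a hypothetical helper name, not part of the MARS agent.
function Test-MicrosoftSignedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the chain builds to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Assumption: the publisher certificate subject names Microsoft Corporation.
    if ($sig.SignerCertificate.Subject -notmatch '(^|,\s*)O=Microsoft Corporation(,|$)') {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }

    # Record what was verified so the install can be audited later.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "Signer : $($sig.SignerCertificate.Subject)"
    Write-Host "SHA256 : $hash"
    return $true
}

# Same download location as the step above.
$InstallerPath = Join-Path $env:TEMP 'MARSAgentInstaller.exe'

if (Test-MicrosoftSignedFile -Path $InstallerPath) {
    Start-Process -FilePath $InstallerPath -ArgumentList '/q' -Wait
} else {
    # Do not leave an unverified executable in TEMP.
    Remove-Item -LiteralPath $InstallerPath -ErrorAction SilentlyContinue
    throw "Installer failed signature verification; it was not executed."
}
```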

Step 3: Register the Server with the Recovery Services Vault

Registration creates a secure trust relationship between your server and the vault. During registration you generate a passphrase that encrypts all backup data before it leaves your server — Azure never has access to this passphrase, making it a zero-knowledge encryption model:

# Download the vault credentials file from Azure Portal
# In the Azure Portal: Recovery Services Vault → Overview → Download → Download credentials

# Register the server using the vault credentials file and a strong passphrase
# IMPORTANT: Store the passphrase in a secure location (password manager, physical safe)
# Losing this passphrase means losing access to ALL backups in this vault

$VaultCredFile = "C:\Temp\rsv-ws2025-prod_Sun May 17 2026.VaultCredentials"
$Passphrase = "Y0urStr0ng32CharOrL0ngerPassphrase!"  # Must be 16+ characters

# Register via PowerShell (MSOnlineBackup module)
$SecurePassphrase = ConvertTo-SecureString -String $Passphrase -AsPlainText -Force
Start-OBRegistration -VaultCredentials $VaultCredFile -Confirm:$false

# Set the encryption passphrase
Set-OBMachineSetting -EncryptionPassphrase $SecurePassphrase

# Verify registration status
Get-OBMachineSetting

After registration, the server appears in the Azure Portal under the Recovery Services Vault → Backup Items → Azure Backup Agent section. Confirm the server is listed as “Healthy” before proceeding with schedule configuration.
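
Because the passphrase is the only key to the backups, it should not sit in a script file or in shell history. The following added example (not part of the original guide) prompts for it instead, enforces the 16-character minimum noted in the step above, and then performs the same registration calls; Read-BackupPassphrase is a hypothetical helper name and the credentials path is a placeholder. It assumes the MSOnlineBackup module installed with the agent is available.

```powershell
# Added example: collect the MARS encryption passphrase interactively instead of
# hardcoding it. Read-BackupPassphrase is a hypothetical helper name.
function Read-BackupPassphrase {
    param([int] $MinimumLength = 16)   # 16-character minimum, per the registration step

    $first  = Read-Host -Prompt 'Encryption passphrase' -AsSecureString
    $second = Read-Host -Prompt 'Confirm passphrase'    -AsSecureString

    if ($first.Length -lt $MinimumLength) {
        throw "Passphrase must be at least $MinimumLength characters."
    }

    # Compare the two entries. The plaintext copies are held only briefly in
    # these local variables and are never written to disk or to the transcript.
    $a = [System.Net.NetworkCredential]::new('', $first).Password
    $b = [System.Net.NetworkCredential]::new('', $second).Password
    try {
        if ($a -cne $b) { throw 'Passphrase entries do not match.' }
    } finally {
        $a = $null
        $b = $null
    }

    $first.MakeReadOnly()
    return $first
}

# Placeholder path: point this at the credentials file downloaded from the portal.
$VaultCredFile = 'C:\Temp\<vault-name>.VaultCredentials'

$SecurePassphrase = Read-BackupPassphrase
Start-OBRegistration -VaultCredentials $VaultCredFile -Confirm:$false
Set-OBMachineSetting -EncryptionPassphrase $SecurePassphrase

# The credentials file is only needed for registration; remove it afterwards.
Remove-Item -LiteralPath $VaultCredFile -Force
```

Record the passphrase in the password manager or safe at the moment it is entered, since the script keeps no copy of it.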

Step 4: Configure the Backup Schedule and Retention Policy

Azure Backup through the MARS agent supports up to three scheduled backups per day. Retention policies can keep daily backups for up to 180 days, weekly for 104 weeks, monthly for 60 months, and yearly for 10 years:

# Create a new backup policy object
$Policy = New-OBPolicy

# Configure the backup schedule — daily at 02:00, 08:00, and 20:00
$Schedule = New-OBSchedule `
    -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday `
    -TimesOfDay 02:00, 08:00, 20:00

Set-OBSchedule -Policy $Policy -Schedule $Schedule

# Configure retention policy:
#   daily backups kept 30 days, weekly 12 weeks, monthly 12 months, yearly 5 years
# (a backtick line continuation must be the last character on its line, so no trailing comments)
$RetentionPolicy = New-OBRetentionPolicy `
    -RetentionDays 30 `
    -RetentionWeeklyPolicy `
    -WeekDaysOfWeek Sunday `
    -WeekTimesOfDay 02:00 `
    -RetentionWeeks 12 `
    -RetentionMonthlyPolicy `
    -MonthDaysOfMonth 1 `
    -MonthTimesOfDay 02:00 `
    -RetentionMonths 12 `
    -RetentionYearlyPolicy `
    -YearMonthsOfYear January `
    -YearDaysOfMonth 1 `
    -YearTimesOfDay 02:00 `
    -RetentionYears 5

Set-OBRetentionPolicy -Policy $Policy -RetentionPolicy $RetentionPolicy

# Specify folders and volumes to back up
$FileSpec = New-OBFileSpec -FileSpec "D:\Data", "D:\Projects", "C:\Users"

# Optionally exclude specific subfolders or file types
$ExcludeSpec = New-OBFileSpec -FileSpec "D:\Data\Temp", "*.tmp", "*.log" -Exclude

Add-OBFileSpec -Policy $Policy -FileSpec $FileSpec
Add-OBFileSpec -Policy $Policy -FileSpec $ExcludeSpec

# Apply the policy to make it active
Set-OBPolicy -Policy $Policy

# Verify the complete policy configuration
Get-OBPolicy | Format-List

Step 5: Trigger the First On-Demand Backup

The first backup is always a full backup and may take several hours depending on data size and upload speed. Trigger it manually to confirm connectivity and encryption are working correctly before relying on the scheduled runs:

# Start an on-demand backup immediately using the active policy
$Policy = Get-OBPolicy
Start-OBBackup -Policy $Policy -Async

# Check the status of the running backup job
Get-OBJob -Previous 1

# Monitor progress (poll every 30 seconds)
do {
    $Job = Get-OBJob -Previous 1
    Write-Host "$(Get-Date -Format 'HH:mm:ss') - Status: $($Job.JobStatus) | Transferred: $($Job.UploadedBytes) bytes"
    Start-Sleep -Seconds 30
} while ($Job.JobStatus -eq "InProgress")

During the initial backup, the MARS agent performs block-level deduplication and compresses data before encrypting it with your passphrase using AES-256. Only changed blocks are uploaded in subsequent incremental backups, significantly reducing bandwidth usage after the first run.

Step 6: Monitor Backup Jobs in the Azure Portal

After backups are running, monitor job health through both the Azure Portal and local PowerShell. In the Azure Portal navigate to: Recovery Services Vault → Monitoring → Backup Jobs. You can filter by time range, status (Completed, Failed, In Progress), and workload type.

# Check backup job history on the local server
Get-OBJob -Previous 7 | Select-Object StartTime, EndTime, JobStatus, ErrorDescription | Format-Table -AutoSize

# Check the last backup summary
Get-OBSummary

# View alert history
Get-OBAlerts

Configure Azure Monitor alerts on the Recovery Services Vault to receive email notifications when backup jobs fail. In the Azure Portal: Recovery Services Vault → Alerts → Create alert rule → Signal: Backup Health Events.

Step 7: Restore Files and Folders

Azure Backup through the MARS agent supports two recovery modes: instant restore (from recent recovery points stored locally) and standard restore from the Azure vault. For file-level recovery, use the Recover Data wizard in the MARS agent GUI or PowerShell:

# Start an interactive recovery session (opens GUI Recover Data wizard)
Start-OBRecovery

# Programmatic recovery — list available recovery points
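$Sources = Get-OBRecoverableSource
$RecoveryPoints = Get-OBRecoverableItem -Source $Sources[0]
# Pick the most recent recovery point that is at least one day old
$RecoveryPoint = $RecoveryPoints |
    Where-Object { $_.PointInTime -le (Get-Date).AddDays(-1) } |
    Sort-Object PointInTime -Descending |
    Select-Object -First 1

# Restore to original location (destination and overwrite behavior are set through New-OBRecoveryOption)
$RecoveryOption = New-OBRecoveryOption -DestinationPath "D:\Data" -OverwriteType Overwrite
Start-OBRecovery -RecoverableItem $RecoveryPoint -RecoveryOption $RecoveryOption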

# Restore to alternate server:
# 1. Install MARS agent on the alternate server
# 2. Use "Register" with the same vault credentials and passphrase
# 3. In the Recover Data wizard, choose "Another server" and enter passphrase

Conclusion

Configuring Azure Backup for Windows Server 2025 provides an enterprise-grade, offsite data protection solution that requires no tape management, no secondary data center, and no complex replication infrastructure. The MARS agent’s zero-knowledge encryption model ensures your data is secure both in transit and at rest in Azure. With daily, weekly, monthly, and yearly retention policies, you can meet most regulatory compliance requirements for data retention. The most critical operational step is securely storing your encryption passphrase — treat it with the same care as your most sensitive passwords, because without it, your Azure backups are permanently inaccessible. Test a full restore to an alternate server at least quarterly to validate your recovery capability.