Introduction to Azure Backup for Windows Server 2022

Azure Backup is Microsoft’s cloud-native backup service that allows you to protect Windows Server workloads and store backup data in Microsoft Azure. For Windows Server 2022, Azure Backup is delivered via the Microsoft Azure Recovery Services (MARS) agent, a lightweight software component installed directly on the server. Azure Backup eliminates the need for on-premises backup infrastructure, providing offsite backup storage with enterprise-grade security, geo-redundancy, and long-term retention at predictable costs.

The MARS agent supports backing up files and folders, system state, and full machine state (Bare Metal Recovery) directly to an Azure Recovery Services Vault. It is designed for protecting physical servers and virtual machines that are not hosted in Azure itself (for Azure VMs, the Azure Backup extension is used instead). This guide covers everything from creating the vault to performing a full restore from the cloud.

Creating an Azure Recovery Services Vault

Before installing the MARS agent, you must have a Recovery Services Vault in Azure. This is the container that stores all backup data and policies.

Using Azure CLI:

# Login to Azure
az login

# Create a resource group for backup (if needed)
az group create --name BackupRG --location eastus

# Create the Recovery Services Vault
az backup vault create --name WS2022BackupVault --resource-group BackupRG --location eastus

Using Azure PowerShell module:

Connect-AzAccount

New-AzResourceGroup -Name "BackupRG" -Location "EastUS"

New-AzRecoveryServicesVault -Name "WS2022BackupVault" -ResourceGroupName "BackupRG" -Location "EastUS"

After creating the vault, set the storage replication type. By default it is Geo-Redundant Storage (GRS), which replicates your data to a secondary Azure region. If you want to use Zone-Redundant Storage (ZRS) or Locally Redundant Storage (LRS) for lower cost, set the redundancy explicitly (the parameter accepts GeoRedundant, ZoneRedundant or LocallyRedundant):

$vault = Get-AzRecoveryServicesVault -Name "WS2022BackupVault" -ResourceGroupName "BackupRG"
# LocallyRedundant is the lower-cost option; use ZoneRedundant for ZRS or GeoRedundant (the default) for GRS
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant

Important: Storage replication type cannot be changed after any item is registered to the vault. Set this before installing the agent.
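Because the redundancy setting locks as soon as the first server is registered, a script that sets it should first confirm the vault is still empty and then show the resulting value. The following is an added example, not code from the original article; the vault and resource group names are the ones used above, and the redundancy value chosen is an assumption for illustration.

```powershell
# Added example: set storage redundancy only while the vault is still empty,
# then report the effective setting. Vault/resource group names follow the article.
$vaultName = "WS2022BackupVault"
$rg        = "BackupRG"
$vault = Get-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $rg

# Any registered MARS server appears as a Windows container with backup management type MAB
$registered = Get-AzRecoveryServicesBackupContainer -ContainerType Windows -BackupManagementType MAB -VaultId $vault.ID

if ($registered) {
    Write-Warning "Vault '$vaultName' already has $(@($registered).Count) registered server(s); redundancy is locked and cannot be changed."
} else {
    # LocallyRedundant chosen here for cost (assumption); GeoRedundant (default) also survives a regional outage
    Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant
}

# Show what the vault will actually use for every server registered from now on
Get-AzRecoveryServicesBackupProperty -Vault $vault | Select-Object BackupStorageRedundancy
```

Run this before downloading the agent; if the warning appears, the only way to get a different redundancy type is a new vault.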

Downloading and Installing the MARS Agent

The MARS agent installer is downloaded directly from your Recovery Services Vault in the Azure portal, or via the direct download URL that Microsoft maintains.

From the Azure portal: Navigate to your Recovery Services Vault > Getting Started > Backup. Under “Where is your workload running?” select On-premises. Under “What do you want to back up?” select Files and folders and/or System State. Click Prepare Infrastructure to access the agent download link and the vault credentials file (.VaultCredentials).

Download both files to your Windows Server 2022 system:

# Download MARS agent using PowerShell (URL from Azure portal)
$agentUrl = "https://aka.ms/azurebackup_agent"
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Invoke-WebRequest -Uri $agentUrl -OutFile "C:\Temp\MARSagentinstaller.exe"

Run the installer with elevated privileges. The installation wizard guides you through proxy settings (if your server accesses Azure through a proxy) and the installation path. Accept defaults unless your environment requires a custom proxy:

C:\Temp\MARSagentinstaller.exe /q /nu

The /q flag runs the installer silently and /nu skips the update check during installation. After installation, the Microsoft Azure Recovery Services Agent console appears in the Start menu and can also be opened from the system tray.
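An installer downloaded over the network should be checked before it is executed with elevated privileges. The script below is an added example, not from the original article: it downloads the agent from the URL given above, refuses to run it unless the Authenticode signature is valid and the signer is Microsoft, installs it silently with the flags described, and confirms the agent service exists afterwards. The local path and the service name obengine are assumptions.

```powershell
# Added example: download, verify and silently install the MARS agent.
# The download URL is from the article; the local path is an assumption.
$agentUrl  = "https://aka.ms/azurebackup_agent"
$installer = "C:\Temp\MARSagentinstaller.exe"

New-Item -ItemType Directory -Path (Split-Path $installer) -Force | Out-Null
Invoke-WebRequest -Uri $agentUrl -OutFile $installer -UseBasicParsing

# Supply-chain check: the binary must carry a valid Authenticode signature from Microsoft
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; refusing to run it."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Installer signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
}

# /q = silent install, /nu = skip the update check (flags as given in the article)
$proc = Start-Process -FilePath $installer -ArgumentList '/q', '/nu' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "MARS agent installer exited with code $($proc.ExitCode)"
}

# Confirm the agent service was installed (service name assumed to be obengine)
Get-Service -Name obengine -ErrorAction Stop | Select-Object Name, Status, StartType
```

Run it from an elevated PowerShell session; the two throw statements stop the script before anything is executed if the download was tampered with or replaced.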

Registering the Server with the Recovery Services Vault

After installation, you must register the server with the vault using the vault credentials file downloaded from the Azure portal. This credentials file is valid for 10 days after download.

During the MARS agent registration wizard:

1. Open the MARS agent console (Microsoft Azure Recovery Services Agent).

2. In the Actions pane, click Register Server.

3. On the Vault Identification page, browse to the downloaded .VaultCredentials file and click Next.

4. On the Encryption Setting page, you must set a passphrase. This is a critical security step — the passphrase is used to encrypt all backup data before transmission to Azure. Microsoft does not store this passphrase. If you lose it, you permanently lose access to your backup data.

# Generate a cryptographically strong passphrase suggestion (Windows PowerShell 5.1 only;
# System.Web is not available in PowerShell 7)
Add-Type -AssemblyName System.Web
[System.Web.Security.Membership]::GeneratePassword(20, 4)

5. Save the passphrase to a secure location — a password manager, Azure Key Vault, or printed and stored physically in a fireproof safe. Type it into the passphrase fields (the agent does not accept paste in all UI versions; use the file option to store it).

6. Click Register. The agent contacts Azure, validates the vault credentials, and registers the server. You will see a success confirmation page.

Configuring Backup Schedule and Retention Policy

Once registered, configure what to back up and when. In the MARS agent console, click Schedule Backup in the Actions pane to launch the Schedule Backup Wizard.

Step 1 — Select items to back up: Click Add Items and navigate to select specific folders, drives, or choose System State. For comprehensive protection, add C: (with exclusions for temp folders if desired) and select Include system state.

Step 2 — Specify backup schedule: MARS agent supports up to three backup times per day. For compliance, a common configuration is:

Daily backups: Once per day at 11:00 PM (or another time outside business hours)

Step 3 — Select retention policy: This is where Azure Backup’s GFS (Grandfather-Father-Son) retention shines. Configure the following tiers:

Daily retention:    30 days    (keeps each nightly backup for 30 days)
Weekly retention:   12 weeks   (keeps each Sunday's backup for 12 weeks)
Monthly retention:  12 months  (keeps month-end backup for 12 months)
Yearly retention:   3 years    (keeps year-end backup for 3 years)

This GFS scheme means you can recover any day’s data from the last month, any week’s data from the last quarter, any month’s data from the last year, and annual snapshots for multi-year retention — all from a single backup schedule.

Step 4 — Choose initial backup type: For first backups of large datasets, select Transfer backup over the network (starts backing up immediately) or use Offline Backup (Azure Import/Export Service) for datasets over a few hundred gigabytes to avoid lengthy initial upload times.
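To make the GFS tiers in Step 3 concrete, the following added example (not part of the original article) enumerates the recovery points such a policy holds on a given date and shows how the daily, weekly, monthly and yearly tiers overlap. It assumes one backup per day, Sunday as the weekly point, the last day of the month as the monthly point and 31 December as the yearly point, matching the table above; the sample date is constructed so the output is reproducible.

```powershell
# Added example: list the recovery points a GFS retention policy keeps as of a date.
# Tier defaults match the article's policy (30 days / 12 weeks / 12 months / 3 years).
function Get-GfsRetainedPoints {
    param(
        [datetime]$AsOf = (Get-Date).Date,
        [int]$DailyDays = 30,
        [int]$WeeklyWeeks = 12,
        [int]$MonthlyMonths = 12,
        [int]$YearlyYears = 3
    )
    $AsOf = $AsOf.Date
    $keep = @{}   # date -> tier that first claimed it

    # Daily tier: every nightly backup in the last $DailyDays days
    for ($d = 0; $d -lt $DailyDays; $d++) { $keep[$AsOf.AddDays(-$d)] = 'Daily' }

    # Weekly tier: each Sunday in the last $WeeklyWeeks weeks
    # (a date already held by the daily tier stays credited to 'Daily')
    $cutoff = $AsOf.AddDays(-7 * $WeeklyWeeks)
    for ($day = $AsOf; $day -gt $cutoff; $day = $day.AddDays(-1)) {
        if ($day.DayOfWeek -eq [DayOfWeek]::Sunday -and -not $keep.ContainsKey($day)) {
            $keep[$day] = 'Weekly'
        }
    }

    # Monthly tier: last day of each of the last $MonthlyMonths months that has already ended
    for ($m = 0; $m -lt $MonthlyMonths; $m++) {
        $monthEnd = [datetime]::new($AsOf.Year, $AsOf.Month, 1).AddMonths(1 - $m).AddDays(-1)
        if ($monthEnd -le $AsOf -and -not $keep.ContainsKey($monthEnd)) { $keep[$monthEnd] = 'Monthly' }
    }

    # Yearly tier: 31 December of each of the last $YearlyYears years that has already ended
    for ($y = 0; $y -lt $YearlyYears; $y++) {
        $yearEnd = [datetime]::new($AsOf.Year - $y, 12, 31)
        if ($yearEnd -le $AsOf -and -not $keep.ContainsKey($yearEnd)) { $keep[$yearEnd] = 'Yearly' }
    }

    $keep.GetEnumerator() | Sort-Object -Property Key -Descending | ForEach-Object {
        [pscustomobject]@{ RecoveryPoint = $_.Key.ToString('yyyy-MM-dd'); Tier = $_.Value }
    }
}

# Constructed sample date so the listing is reproducible
$points = Get-GfsRetainedPoints -AsOf ([datetime]'2024-06-15')
$points | Group-Object -Property Tier | Select-Object Name, Count
"Recovery points retained: $($points.Count); keeping every nightly backup for 3 years would hold $(3 * 365)"
```

The count this prints is what the vault actually has to store for the long-retention tiers, which is the quantity behind the storage estimates in the pricing section; note that a yearly point only exists once a calendar year has ended, so a new schedule has none until its first 31 December passes.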

System State Backup with MARS Agent

System state backup captures the same components as Windows Server Backup’s system state: Active Directory, registry, SYSVOL, boot files, and COM+ database. This is particularly important for domain controllers.

To include system state in MARS agent backups, during the Schedule Backup Wizard when selecting items to back up, scroll down and check the System State item in the item selector. Note the following requirements:

System state backups require more storage than file-only backups (typically 1-8 GB per backup depending on AD size). The Windows Server Backup feature must be installed on the server even when using MARS agent for system state, because MARS leverages WSB internally for system state capture.

# Ensure WSB is installed (required for MARS system state backup)
Install-WindowsFeature -Name Windows-Server-Backup

System state backups to Azure via MARS agent are not supported for servers running Active Directory Certificate Services in some configurations. Always test recovery in a lab environment before relying on it in production.

Restoring Files from Azure Backup

File-level restore from Azure is performed directly through the MARS agent console. Open the agent, click Recover Data in the Actions pane, and the Recovery Wizard launches.

Recovery mode — This server: Restores to the same server that was backed up. Use this for accidental file deletion or corruption.

Recovery mode — Another server: Allows restoring files to a different server. You must provide the vault credentials file and the encryption passphrase used at registration time.

In the wizard, select the recovery point date and time, browse the backup catalog to select specific files or folders, and choose a recovery destination (original location or alternate location). For non-disruptive recovery, always choose an alternate location first, verify the recovered data, then move it to the original location manually.

To enumerate a server's recovery points from a script (for example, to confirm that recent backups exist before planning a restore), use PowerShell (requires the Az.RecoveryServices module):

Connect-AzAccount
$vault = Get-AzRecoveryServicesVault -Name "WS2022BackupVault" -ResourceGroupName "BackupRG"
Set-AzRecoveryServicesVaultContext -Vault $vault

# Get the server's backup container (MAB = MARS agent), then the protected files-and-folders item
$container = Get-AzRecoveryServicesBackupContainer -ContainerType Windows -BackupManagementType MAB -VaultId $vault.ID -FriendlyName "WS2022-DC01"
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType FileFolder -VaultId $vault.ID

# Get available recovery points; the date range must be given in UTC
$recoveryPoints = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID -StartDate (Get-Date).AddDays(-7).ToUniversalTime() -EndDate (Get-Date).ToUniversalTime()
$recoveryPoints | Select-Object RecoveryPointId, RecoveryPointTime, RecoveryPointType | Format-Table

Restoring System State from Azure Backup

System state restore from Azure Backup via MARS is performed similarly to file restore, but requires additional steps for domain controllers (authoritative vs non-authoritative restore).

For a non-authoritative restore of a domain controller (most common — restores AD data but then syncs with other DCs in the domain):

1. Boot the server normally (not into DSRM) so that the MARS agent can connect to Azure.

2. Open MARS agent console > Recover Data > This server > System State.

3. Select the recovery point and click Next.

4. The agent downloads and restores the system state. The server will require a reboot to complete the restore.

For an authoritative restore (required when you need to restore accidentally deleted AD objects and prevent them from being overwritten by replication), boot into Directory Services Restore Mode (DSRM) by pressing F8 during boot, perform the system state restore, then run ntdsutil to mark objects as authoritative before restarting. The subtree DN below is an example; in practice point it at the OU or object that holds the deleted objects rather than the whole domain:

ntdsutil "activate instance ntds" "authoritative restore" "restore subtree DC=corp,DC=example,DC=com" quit quit

MARS Agent Passphrase Security

The encryption passphrase is the single most important security element in Azure Backup with MARS agent. All backup data is encrypted client-side using AES-256 before it leaves your server. Azure stores only the encrypted ciphertext — Microsoft cannot decrypt or access your backup data.

Passphrase requirements: minimum 16 characters. Best practice is 20+ characters with mixed case, numbers, and symbols. Store the passphrase in at minimum two separate secure locations: one digital (password manager, Azure Key Vault with restricted access) and one physical (printed, in fireproof safe).

To change the passphrase (for security rotation or if a team member with knowledge leaves):

In the MARS agent console, click Change Properties in the Actions pane, select the Encryption tab, enter the current passphrase, and set the new one. All future backups use the new passphrase. Note that existing recovery points remain accessible only with the passphrase that was active when they were created — you may need to retain both old and new passphrases during a transition period until old recovery points age out of retention.
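The passphrase guidance in the registration steps and in this section comes down to two operations: generate a strong passphrase and keep it somewhere other than the server, with the old value still retrievable during a rotation. The following added example (not code from the original article) does both with cmdlets that behave the same in Windows PowerShell 5.1 and PowerShell 7: it draws characters from a cryptographic RNG and stores the result as an Azure Key Vault secret, where Set-AzKeyVaultSecret keeps earlier versions so the passphrase that protects older recovery points stays available. The Key Vault name, secret name and the -AsPlainText retrieval switch (Az.KeyVault 3.x and later) are assumptions.

```powershell
# Added example: generate a MARS passphrase with a cryptographic RNG and store it in Key Vault.
# Key Vault and secret names are assumptions; create the Key Vault with restricted access first.
function New-MarsPassphrase {
    param([int]$Length = 32)
    if ($Length -lt 16) { throw "MARS requires a passphrase of at least 16 characters." }

    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($Length * 4)
    $rng.GetBytes($bytes)

    # One fresh 32-bit word per character; the modulo bias with a 76-symbol alphabet
    # is on the order of 1e-8 per character and not a practical concern here
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $n = [BitConverter]::ToUInt32($bytes, $i * 4)
        $alphabet[$n % $alphabet.Length]
    }
    -join $chars
}

# Generate and store; the secret name ties the passphrase to the server it protects
$serverName = "WS2022-DC01"                 # from the article
$keyVault   = "kv-backup-secrets"           # assumption
$secretName = "$serverName-MarsPassphrase"  # assumption

$passphrase = New-MarsPassphrase -Length 32
$secure     = ConvertTo-SecureString -String $passphrase -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $keyVault -Name $secretName -SecretValue $secure -ContentType "MARS passphrase" -Tag @{ server = $serverName } | Out-Null

# Retrieve later for a restore or for the Change Properties > Encryption dialog.
# Listing versions shows every passphrase ever stored, which covers the rotation
# window in which old recovery points still need the previous value.
Get-AzKeyVaultSecret -VaultName $keyVault -Name $secretName -IncludeVersions | Select-Object Version, Created, Enabled
$current = Get-AzKeyVaultSecret -VaultName $keyVault -Name $secretName -AsPlainText
```

Type the value into the wizard's passphrase fields (or paste it, where the agent's UI allows it) and clear the $passphrase and $current variables afterwards; the copy in Key Vault, plus the physical copy the section above recommends, are the ones that survive the server.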

Azure Backup Pricing Overview

Azure Backup pricing for MARS agent has two cost components: protected instance fee and storage cost.

Protected instance fee: Charged per server registered to the vault. As of current Azure pricing, this is approximately $10 USD/month per instance for servers with under 500 GB of backup data, scaling for larger servers. Check the Azure pricing calculator for current rates in your region.

Storage cost: Based on actual storage consumed in the vault. GRS (Geo-Redundant) storage costs approximately $0.05/GB/month. LRS (Locally Redundant) is cheaper at roughly $0.024/GB/month. With GRS, data is replicated to a paired Azure region, providing protection against regional disasters.

With GFS retention configured as shown above (daily 30d / weekly 12w / monthly 12m / yearly 3y), total storage consumption is typically 2-4x the size of your source data depending on change rate. For a 100 GB server with moderate data change, expect 200-400 GB in Azure storage, costing $10-20/month for storage alone.

Enabling Soft Delete

Soft delete is a critical security feature that protects your backup data from accidental or malicious deletion. When enabled, deleted backup data is retained for 14 additional days before permanent removal, giving you a recovery window even if someone deletes backup items or the vault.

Soft delete is enabled by default on new vaults. Verify and manage it:

$vault = Get-AzRecoveryServicesVault -Name "WS2022BackupVault" -ResourceGroupName "BackupRG"

# Check soft delete status
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID | Select-Object SoftDeleteFeatureState

# Enable soft delete (if disabled)
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

With soft delete enabled, even if an attacker compromises an Azure subscription and attempts to delete backup items, the data survives for 14 days. This is why you should also configure Azure RBAC carefully — limit who has the Backup Contributor or higher role on the vault.
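Soft delete and vault-scoped RBAC are the two controls this section names, so an audit should check them together. The function below is an added example, not code from the original article: it reads the vault's soft-delete state and lists every role assignment effective on the vault that can delete backup items or the vault itself (Owner, Contributor, Backup Contributor and User Access Administrator, which can grant those roles), returning findings a reviewer can act on. Vault and resource group names are the article's; Backup Reader and Backup Operator are excluded because the built-in Backup Operator role cannot delete backups.

```powershell
# Added example: audit a Recovery Services vault's soft-delete state and privileged role assignments.
function Test-BackupVaultHardening {
    param(
        [string]$VaultName = "WS2022BackupVault",
        [string]$ResourceGroup = "BackupRG"
    )
    $vault = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroup
    $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
    $findings = @()

    # Soft delete must be Enabled; anything else leaves a 14-day recovery window missing
    if ($props.SoftDeleteFeatureState -ne 'Enabled') {
        $findings += "Soft delete is '$($props.SoftDeleteFeatureState)'; enable it with Set-AzRecoveryServicesVaultProperty."
    }

    # Built-in roles that can remove backup items or the vault (or grant themselves the right to)
    $privilegedRoles = 'Owner', 'Contributor', 'Backup Contributor', 'User Access Administrator'

    # Get-AzRoleAssignment -Scope returns assignments at the vault and those inherited from above;
    # the Scope property shows where each one was granted
    $assignments = Get-AzRoleAssignment -Scope $vault.ID |
        Where-Object { $_.RoleDefinitionName -in $privilegedRoles }

    foreach ($a in $assignments) {
        $findings += "$($a.RoleDefinitionName) granted to $($a.DisplayName) [$($a.ObjectType)] at scope $($a.Scope)"
    }

    [pscustomobject]@{
        Vault                 = $VaultName
        SoftDelete            = $props.SoftDeleteFeatureState
        PrivilegedAssignments = @($assignments).Count
        Findings              = $findings
    }
}

Test-BackupVaultHardening | Format-List
```

Assignments inherited from the subscription or resource group are the ones most often overlooked: a Contributor on the whole resource group can delete the vault's backup items even though no role was ever granted on the vault itself.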

Backup Reports in Azure

Azure Backup provides built-in reporting via Azure Monitor Logs (Log Analytics) and Azure Backup Reports (Power BI-based). To enable diagnostic logging for your vault:

# Create a Log Analytics workspace
$workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName "BackupRG" -Name "BackupLogs-WS2022" -Location "EastUS" -Sku PerGB2018

# Enable diagnostics on the vault
$vault = Get-AzRecoveryServicesVault -Name "WS2022BackupVault" -ResourceGroupName "BackupRG"
# Set-AzDiagnosticSetting is the Az.Monitor 2.x cmdlet; Az.Monitor 3.x and later replace it with New-AzDiagnosticSetting.
# Azure Backup Reports expect the data in resource-specific tables, not the legacy AzureDiagnostics table.
Set-AzDiagnosticSetting -ResourceId $vault.ID -WorkspaceId $workspace.ResourceId -Enabled $true -Category "AzureBackupReport","CoreAzureBackup","AddonAzureBackupJobs","AddonAzureBackupAlerts","AddonAzureBackupPolicy","AddonAzureBackupStorage","AddonAzureBackupProtectedInstance"

Once diagnostic data flows to Log Analytics, query it with Kusto Query Language (KQL):

// Find all failed backup jobs in last 7 days
AddonAzureBackupJobs
| where TimeGenerated > ago(7d)
| where JobStatus == "Failed"
| project TimeGenerated, BackupItemFriendlyName, JobOperation, JobFailureCode, JobStartDateTime
| order by TimeGenerated desc

Azure Backup Reports in the Azure portal (under the vault’s Reports blade) provide pre-built dashboards showing storage trend, backup health over time, active alerts, and compliance summaries across multiple vaults — useful for organizations with many servers registered to different vaults.