Skip to content

azure-data-lake-storage-configure-backup.md

Latest commit

 

History

History
223 lines (149 loc) · 13 KB

azure-data-lake-storage-configure-backup.md

File metadata and controls

223 lines (149 loc) · 13 KB
title Configure Vaulted Backup for Azure Data Lake Storage using Azure portal, PowerShell, or Azure CLI
description Learn how to configure vaulted backup for Azure Data Lake Storage using Azure portal, PowerShell, or Azure CLI.
ms.topic how-to
ms.service azure-backup
ms.custom
ignite-2025
devx-track-azurepowershell-azurecli, devx-track-azurecli, references_regions
zone_pivot_groups backup-client-portal-powershell-cli
ms.date 11/18/2025
author AbhishekMallick-MS
ms.author v-mallicka

Configure vaulted backup for Azure Data Lake Storage

::: zone pivot="client-portal"

This article describes how to configure vaulted backups for Azure Data Lake Storage using Azure portal.

Prerequisites

Before you configure vaulted backup for Azure Data Lake Storage, ensure the following prerequisites are met:

Note

  • This feature is currently available in specific regions only. See the supported regions.
  • Vaulted backup restores are only possible to a different storage account.

For more information about the supported scenarios, limitations, and availability, see the support matrix.

[!INCLUDE How to configure backup for Azure Data Lake Storage]

Learn how to monitor backup jobs.

::: zone-end

::: zone pivot="client-powershell"

This article describes how to configure vaulted backups for Azure Data Lake Storage using PowerShell.

Prerequisites

Before you configure vaulted backup for Azure Data Lake Storage, ensure that the following prerequisites are met:

Configure vaulted backup for the Azure Data Lake Storage using PowerShell

After the vault and backup policy are created, configure vaulted backup for Azure Data Lake Storage by reviewing the following sections:

  1. Fetch the ARM ID of the storage account containing the Data Lake Storage to be protected
  2. Grant permissions to the Backup vault
  3. Trigger the request for backup configuration

Fetch the ARM ID of the storage account containing the Data Lake Storage to be protected

The Azure Resource Manager (ARM) ID of the storage account is required to configure vaulted backup for Azure Data Lake Storage. This ID identifies the storage account that contains the Data Lake Storage you want to protect. For example, use the storage account PSTestSA in the resource group adlsrg in a different subscription.

To fetch the ARM ID of the storage account, run the following example cmdlet:

$SAId = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/adlsrg/providers/Microsoft.Storage/storageAccounts/PSTestSA"

Grant permissions to the Backup vault on the storage account

The Backup vault requires permissions on the storage account to enable backups on Data Lake Storage present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions.

You need to assign the required permissions via Azure role-based access control (RBAC) to the created vault (represented by vault Managed System Identity (MSI)) and the relevant storage account.

Learn how to grant permissions to the Backup vault using Azure portal for Azure Data Lake Storage.

Trigger the request for vaulted backup configuration

After all the relevant permissions are set, configure Azure Date Lake Storage vaulted backup by running the following cmdlets:

  1. Create a new backup configuration object to specify the set of containers you want to back up.

    To back up all containers, pass the -IncludeAllContainer parameter. For specific containers, pass the list of containers to the -VaultedBackupContainer parameter.

    $backupConfig=New-AzDataProtectionBackupConfigurationClientObject -DatasourceType AzureDataLakeStorage -IncludeAllContainer -StorageAccountResourceGroupName "StorageRG" -StorageAccountName "testpscmd"

  2. Prepare the request by using the relevant vault, policy, storage account, and the backup configuration object you created using the Initialize-AzDataProtectionBackupInstance cmdlet.

    $instance=Initialize-AzDataProtectionBackupInstance -DatasourceType AzureDataLakeStorage -DatasourceLocation $TestBkpVault.Location -PolicyId $adlsBkpPol.Id -DatasourceId $SAId -BackupConfiguration $backupConfig

  3. Submit the request to trigger backup configuration using the New-AzDataProtectionBackupInstance cmdlet.

    New-AzDataProtectionBackupInstance -ResourceGroupName "StorageRG" -VaultName $TestBkpVault.Name -BackupInstance $instance

::: zone-end

::: zone pivot="client-cli"

This article describes how to configure vaulted backups for Azure Data Lake Storage using Azure CLI.

Prerequisites

Before you configure vaulted backup for Azure Data Lake Storage, ensure that the following prerequisites are met:

Configure vaulted backup for the Azure Data Lake Storage using Azure CLI

After the vault and backup policy are created, configure vaulted backup for Azure Data Lake Storage by reviewing the following sections:

  1. Fetch the ARM ID of the storage account containing the Data Lake Storage to be protected
  2. Grant permissions to the Backup vault
  3. Trigger the request for backup configuration

Important

After a storage account is configured for Data Lake Storage backup, a few capabilities, such as change feed and delete lock, are affected. Learn more.

Fetch the ARM ID of the storage account containing the Data Lake Storage to be protected

The Azure Resource Manager (ARM) ID of the storage account is required to configure vaulted backup for Azure Data Lake Storage. This ID identifies the storage account that contains the Data Lake Storage you want to protect. For example, use the storage account CLITestSA in the resource group adlsrg in a different subscription present in the Southeast Asia region.

TO fetch the ARM ID of the storage account, run the following example command:

"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourcegroups/adlsrg/providers/Microsoft.Storage/storageAccounts/CLITestSA"

Grant permissions to the Backup vault on the storage account

The Backup vault requires permissions on the storage account to enable backups on Data Lake Storage present within the storage account. The system-assigned managed identity of the vault is used for assigning such permissions.

You need to assign the required permissions via Azure role-based access control (RBAC) to the created vault (represented by vault Managed System Identity (MSI)) and the relevant storage account.

Learn how to grant permissions to the Backup vault using Azure portal for Azure Data Lake Storage.

Trigger the request for vaulted backup configuration

After all the relevant permissions are set, configure Azure Date Lake Storage vaulted backup by running the following example cmdlets:

  1. Prepare the request by using the relevant vault, policy, storage account, and the backup configuration object you created using the az dataprotection backup-instance initialize command.

    az dataprotection backup-instance initialize --datasource-type AzureDataLakeStorage  -l southeastasia --policy-id "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testBkpVaultRG/providers/Microsoft.DataProtection/backupVaults/TestBkpVault/backupPolicies/AdlsPolicy1" --datasource-id "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/adlsrg/providers/Microsoft.Storage/storageAccounts/CLITestSA" > backup_instance.json

  2. Submit the request to trigger backup configuration using the az dataprotection backup-instance create command.

    az dataprotection backup-instance create -g adlsrg--vault-name TestBkpVault --backup-instance backup_instance.json

    The following example JSON configures an Azure Data Lake Storage backup for a specified storage account with specified policy and container list.

    {
    "properties": {
        "friendlyName": " adlsbackup",
        "dataSourceInfo": {
            "resourceID": "/subscriptions/ xxxxxxx-xxxx-xxxx-xxxx /resourceGroups/adlsrg/providers/Microsoft.Storage/storageAccounts/adlsbackup",
            "resourceUri": "/subscriptions/ xxxxxxx-xxxx-xxxx-xxxx /resourceGroups/adlsrg/providers/Microsoft.Storage/storageAccounts/adlsbackup",
            "datasourceType": "Microsoft.Storage/storageAccounts/adlsBlobServices",
            "resourceName": " adlsbackup",
            "resourceType": "Microsoft.Storage/storageAccounts",
            "resourceLocation": "francesouth",
            "objectType": "Datasource"
        },
        "policyInfo": {
            "policyId": "/subscriptions/ xxxxxxxx-xxxx-xxxx-xxxx/resourceGroups/adlsrg/providers/Microsoft.DataProtection/backupVaults/ TestBkpVault/backupPolicies/AdlsPolicy1",
            "policyParameters": {
                "backupDatasourceParametersList": [
                    {
                        "containersList": [
                            "container7",
                            "container8"
                        ],
                        "objectType": "AdlsBlobBackupDatasourceParameters"
                    }
                ]
            }
        },
        "protectionStatus": {
            "status": "ProtectionConfigured"
        },
        "currentProtectionState": "ProtectionConfigured",
        "provisioningState": "Succeeded",
        "objectType": "BackupInstance"
    },
    "id": "/subscriptions/ xxxxxxxx-xxxx-xxxx-xxxx /resourceGroups/adlsrg/providers/Microsoft.DataProtection/backupVaults/ TestBkpVault/backupInstances/adlsbackup",
    "name": " adlsbackup",
    "type": "Microsoft.DataProtection/backupVaults/backupInstances"
}

::: zone-end

Next steps