| title | Quickstart - Configure vaulted backup for Azure Data Lake Storage using ARM or Bicep template | ||
|---|---|---|---|
| description | Learn how to configure vaulted backup for Azure Data Lake Storage using ARM or Bicep template. | ||
| ms.custom |
|
||
| zone_pivot_groups | backup-client-template-arm-bicep | ||
| ms.topic | tutorial | ||
| ms.date | 11/18/2025 | ||
| ms.service | azure-backup | ||
| author | AbhishekMallick-MS | ||
| ms.author | v-mallicka |
::: zone pivot="client-template-arm"
This quickstart describes how to configure vaulted backup for Azure Data Lake Storage using an Azure Resource Manager (ARM) template.
Before you back up Azure Data Lake Storage data, review the supported scenarios for Azure Data Lake Storage backup.
The following example ARM template allows you to configure vaulted backup for two containers in a storage account with a backup policy. This backup policy runs daily and retains backups for 30 days, as well as weekly, monthly, and yearly backups for longer retention.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.170.59819",
"templateHash": "16621072649356248018"
}
},
"parameters": {
"vaultName": {
"type": "string",
"defaultValue": "[format('vault{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Name of the Vault"
}
},
"vaultStorageRedundancy": {
"type": "string",
"defaultValue": "GeoRedundant",
"allowedValues": [
"LocallyRedundant",
"GeoRedundant"
],
"metadata": {
"description": "Change Vault Storage Type (not allowed if the vault has registered backups)"
}
},
"backupPolicyName": {
"type": "string",
"defaultValue": "[format('policy{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Name of the Backup Policy"
}
},
"vaultTierDefaultRetentionInDays": {
"type": "int",
"defaultValue": 30,
"minValue": 7,
"maxValue": 3650,
"metadata": {
"description": "Vault tier default backup retention duration in days"
}
},
"vaultTierWeeklyRetentionInWeeks": {
"type": "int",
"defaultValue": 30,
"minValue": 4,
"maxValue": 521,
"metadata": {
"description": "Vault tier weekly backup retention duration in weeks"
}
},
"vaultTierMonthlyRetentionInMonths": {
"type": "int",
"defaultValue": 30,
"minValue": 5,
"maxValue": 116,
"metadata": {
"description": "Vault tier monthly backup retention duration in months"
}
},
"vaultTierYearlyRetentionInYears": {
"type": "int",
"defaultValue": 10,
"minValue": 1,
"maxValue": 10,
"metadata": {
"description": "Vault tier yearly backup retention duration in years"
}
},
"vaultTierDailyBackupScheduleTime": {
"type": "string",
"defaultValue": "06:00",
"metadata": {
"description": "Vault tier daily backup schedule time"
}
},
"storageAccountName": {
"type": "string",
"defaultValue": "[format('store{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Name of the Storage Account"
}
},
"containerList": {
"type": "array",
"defaultValue": [
"container1",
"container2"
],
"metadata": {
"description": "List of the containers to be protected"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources"
}
}
},
"variables": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')]",
"dataSourceType": "Microsoft.Storage/storageAccounts/adlsBlobServices",
"resourceType": "Microsoft.Storage/storageAccounts",
"vaultTierDefaultRetentionDuration": "[format('P{0}D', parameters('vaultTierDefaultRetentionInDays'))]",
"vaultTierWeeklyRetentionDuration": "[format('P{0}W', parameters('vaultTierWeeklyRetentionInWeeks'))]",
"vaultTierMonthlyRetentionDuration": "[format('P{0}M', parameters('vaultTierMonthlyRetentionInMonths'))]",
"vaultTierYearlyRetentionDuration": "[format('P{0}Y', parameters('vaultTierYearlyRetentionInYears'))]",
"repeatingTimeIntervals": "[format('R/2025-10-10T{0}:00+00:00/P1D', parameters('vaultTierDailyBackupScheduleTime'))]"
},
"resources": [
{
"type": "Microsoft.DataProtection/backupVaults",
"apiVersion": "2025-07-01",
"name": "[parameters('vaultName')]",
"location": "[parameters('location')]",
"identity": {
"type": "systemAssigned"
},
"properties": {
"storageSettings": [
{
"datastoreType": "VaultStore",
"type": "[parameters('vaultStorageRedundancy')]"
}
]
}
},
{
"type": "Microsoft.DataProtection/backupVaults/backupPolicies",
"apiVersion": "2025-07-01",
"name": "[format('{0}/{1}', parameters('vaultName'), parameters('backupPolicyName'))]",
"properties": {
"policyRules": [
{
"name": "Yearly",
"objectType": "AzureRetentionRule",
"isDefault": false,
"lifecycles": [
{
"deleteAfter": {
"duration": "[variables('vaultTierYearlyRetentionDuration')]",
"objectType": "AbsoluteDeleteOption"
},
"sourceDataStore": {
"dataStoreType": "VaultStore",
"objectType": "DataStoreInfoBase"
},
"targetDataStoreCopySettings": []
}
]
},
{
"name": "Monthly",
"objectType": "AzureRetentionRule",
"isDefault": false,
"lifecycles": [
{
"deleteAfter": {
"duration": "[variables('vaultTierMonthlyRetentionDuration')]",
"objectType": "AbsoluteDeleteOption"
},
"sourceDataStore": {
"dataStoreType": "VaultStore",
"objectType": "DataStoreInfoBase"
},
"targetDataStoreCopySettings": []
}
]
},
{
"name": "Weekly",
"objectType": "AzureRetentionRule",
"isDefault": false,
"lifecycles": [
{
"deleteAfter": {
"duration": "[variables('vaultTierWeeklyRetentionDuration')]",
"objectType": "AbsoluteDeleteOption"
},
"sourceDataStore": {
"dataStoreType": "VaultStore",
"objectType": "DataStoreInfoBase"
},
"targetDataStoreCopySettings": []
}
]
},
{
"name": "Default",
"objectType": "AzureRetentionRule",
"isDefault": true,
"lifecycles": [
{
"deleteAfter": {
"duration": "[variables('vaultTierDefaultRetentionDuration')]",
"objectType": "AbsoluteDeleteOption"
},
"sourceDataStore": {
"dataStoreType": "VaultStore",
"objectType": "DataStoreInfoBase"
},
"targetDataStoreCopySettings": []
}
]
},
{
"name": "BackupDaily",
"objectType": "AzureBackupRule",
"backupParameters": {
"backupType": "Discrete",
"objectType": "AzureBackupParams"
},
"dataStore": {
"dataStoreType": "VaultStore",
"objectType": "DataStoreInfoBase"
},
"trigger": {
"schedule": {
"timeZone": "UTC",
"repeatingTimeIntervals": [
"[variables('repeatingTimeIntervals')]"
]
},
"taggingCriteria": [
{
"isDefault": false,
"taggingPriority": 10,
"tagInfo": {
"id": "Yearly_",
"tagName": "Yearly"
},
"criteria": [
{
"absoluteCriteria": [
"FirstOfYear"
],
"objectType": "ScheduleBasedBackupCriteria"
}
]
},
{
"isDefault": false,
"taggingPriority": 15,
"tagInfo": {
"id": "Monthly_",
"tagName": "Monthly"
},
"criteria": [
{
"absoluteCriteria": [
"FirstOfMonth"
],
"objectType": "ScheduleBasedBackupCriteria"
}
]
},
{
"isDefault": false,
"taggingPriority": 20,
"tagInfo": {
"id": "Weekly_",
"tagName": "Weekly"
},
"criteria": [
{
"absoluteCriteria": [
"FirstOfWeek"
],
"objectType": "ScheduleBasedBackupCriteria"
}
]
},
{
"isDefault": true,
"taggingPriority": 99,
"tagInfo": {
"id": "Default_",
"tagName": "Default"
}
}
],
"objectType": "ScheduleBasedTriggerContext"
}
}
],
"datasourceTypes": [
"[variables('dataSourceType')]"
],
"objectType": "BackupPolicy"
},
"dependsOn": [
"[resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName'))]"
]
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2024-01-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"kind": "StorageV2",
"sku": {
"name": "Standard_RAGRS",
"tier": "Standard"
},
"properties": {
"isHnsEnabled": true
}
},
{
"copy": {
"name": "storageContainerList",
"count": "[length(parameters('containerList'))]"
},
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2024-01-01",
"name": "[format('{0}/default/{1}', parameters('storageAccountName'), parameters('containerList')[copyIndex()])]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
"name": "[guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName')), variables('roleDefinitionId'), resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')))]",
"properties": {
"roleDefinitionId": "[variables('roleDefinitionId')]",
"principalId": "[reference(resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName')), '2021-01-01', 'Full').identity.principalId]",
"principalType": "ServicePrincipal"
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"[resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName'))]"
]
},
{
"type": "Microsoft.DataProtection/backupVaults/backupInstances",
"apiVersion": "2025-07-01",
"name": "[format('{0}/{1}', parameters('vaultName'), parameters('storageAccountName'))]",
"properties": {
"objectType": "BackupInstance",
"friendlyName": "[parameters('storageAccountName')]",
"dataSourceInfo": {
"objectType": "Datasource",
"resourceID": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"resourceName": "[parameters('storageAccountName')]",
"resourceType": "[variables('resourceType')]",
"resourceUri": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"resourceLocation": "[parameters('location')]",
"datasourceType": "[variables('dataSourceType')]"
},
"dataSourceSetInfo": {
"objectType": "DatasourceSet",
"resourceID": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"resourceName": "[parameters('storageAccountName')]",
"resourceType": "[variables('resourceType')]",
"resourceUri": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"resourceLocation": "[parameters('location')]",
"datasourceType": "[variables('dataSourceType')]"
},
"policyInfo": {
"policyId": "[resourceId('Microsoft.DataProtection/backupVaults/backupPolicies', parameters('vaultName'), parameters('backupPolicyName'))]",
"name": "[parameters('backupPolicyName')]",
"policyParameters": {
"backupDatasourceParametersList": [
{
"objectType": "BlobBackupDatasourceParameters",
"containersList": "[parameters('containerList')]"
}
]
}
}
},
"dependsOn": [
"[resourceId('Microsoft.DataProtection/backupVaults/backupPolicies', parameters('vaultName'), parameters('backupPolicyName'))]",
"[extensionResourceId(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), 'Microsoft.Authorization/roleAssignments', guid(resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName')), variables('roleDefinitionId'), resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"storageContainerList",
"[resourceId('Microsoft.DataProtection/backupVaults', parameters('vaultName'))]"
]
}
]
}After you review the preceding template, deploy the template for Azure Data Lake Storage vaulted backup.
To deploy the template, store the template in a GitHub repository, and then run the following PowerShell script on Azure Cloud Shell.
$projectName = Read-Host -Prompt "Enter a project name (limited to eight characters) that is used to generate Azure resource names"
$location = Read-Host -Prompt "Enter the location (for example, centralus)"
$resourceGroupName = "${projectName}rg"
$templateUri = "https//templateuri"
New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -projectName
::: zone-end
::: zone pivot="client-template-bicep"
This quickstart describes how to configure vaulted backup for Azure Data Lake Storage using a Bicep template.
Before you back up Azure Data Lake Storage data, ensure that the following prerequisites are met:
- Configure your environment for Bicep development. Learn how to install Bicep tools.
- Review the supported scenarios for Azure Data Lake Storage backup.
The following example Bicep template allows you to configure vaulted backup for two containers in a storage account with a backup policy. This backup policy runs daily and retains backups for 30 days, as well as weekly, monthly, and yearly backups for longer retention.
@description('Name of the Vault')
param vaultName string = 'vault${uniqueString(resourceGroup().id)}'
@description('Change Vault Storage Type (not allowed if the vault has registered backups)')
@allowed([
'LocallyRedundant'
'GeoRedundant'
])
param vaultStorageRedundancy string = 'GeoRedundant'
@description('Name of the Backup Policy')
param backupPolicyName string = 'policy${uniqueString(resourceGroup().id)}'
@description('Vault tier default backup retention duration in days')
@minValue(7)
@maxValue(3650)
param vaultTierDefaultRetentionInDays int = 30
@description('Vault tier weekly backup retention duration in weeks')
@minValue(4)
@maxValue(521)
param vaultTierWeeklyRetentionInWeeks int = 30
@description('Vault tier monthly backup retention duration in months')
@minValue(5)
@maxValue(116)
param vaultTierMonthlyRetentionInMonths int = 30
@description('Vault tier yearly backup retention duration in years')
@minValue(1)
@maxValue(10)
param vaultTierYearlyRetentionInYears int = 10
@description('Vault tier daily backup schedule time')
param vaultTierDailyBackupScheduleTime string = '06:00'
@description('Name of the Storage Account')
param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'
@description('List of the containers to be protected')
param containerList array = [
'container1'
'container2'
]
@description('Location for all resources')
param location string = resourceGroup().location
var roleDefinitionId = subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
)
var dataSourceType = 'Microsoft.Storage/storageAccounts/adlsBlobServices'
var resourceType = 'Microsoft.Storage/storageAccounts'
var vaultTierDefaultRetentionDuration = 'P${vaultTierDefaultRetentionInDays}D'
var vaultTierWeeklyRetentionDuration = 'P${vaultTierWeeklyRetentionInWeeks}W'
var vaultTierMonthlyRetentionDuration = 'P${vaultTierMonthlyRetentionInMonths}M'
var vaultTierYearlyRetentionDuration = 'P${vaultTierYearlyRetentionInYears}Y'
var repeatingTimeIntervals = 'R/2025-10-10T${vaultTierDailyBackupScheduleTime}:00+00:00/P1D'
resource vault 'Microsoft.DataProtection/backupVaults@2025-07-01' = {
name: vaultName
location: location
identity: {
type: 'systemAssigned'
}
properties: {
storageSettings: [
{
datastoreType: 'VaultStore'
type: vaultStorageRedundancy
}
]
}
}
resource backupPolicy 'Microsoft.DataProtection/backupVaults/backupPolicies@2025-07-01' = {
parent: vault
name: backupPolicyName
properties: {
policyRules: [
{
name: 'Yearly'
objectType: 'AzureRetentionRule'
isDefault: false
lifecycles: [
{
deleteAfter: {
duration: vaultTierYearlyRetentionDuration
objectType: 'AbsoluteDeleteOption'
}
sourceDataStore: {
dataStoreType: 'VaultStore'
objectType: 'DataStoreInfoBase'
}
targetDataStoreCopySettings: []
}
]
}
{
name: 'Monthly'
objectType: 'AzureRetentionRule'
isDefault: false
lifecycles: [
{
deleteAfter: {
duration: vaultTierMonthlyRetentionDuration
objectType: 'AbsoluteDeleteOption'
}
sourceDataStore: {
dataStoreType: 'VaultStore'
objectType: 'DataStoreInfoBase'
}
targetDataStoreCopySettings: []
}
]
}
{
name: 'Weekly'
objectType: 'AzureRetentionRule'
isDefault: false
lifecycles: [
{
deleteAfter: {
duration: vaultTierWeeklyRetentionDuration
objectType: 'AbsoluteDeleteOption'
}
sourceDataStore: {
dataStoreType: 'VaultStore'
objectType: 'DataStoreInfoBase'
}
targetDataStoreCopySettings: []
}
]
}
{
name: 'Default'
objectType: 'AzureRetentionRule'
isDefault: true
lifecycles: [
{
deleteAfter: {
duration: vaultTierDefaultRetentionDuration
objectType: 'AbsoluteDeleteOption'
}
sourceDataStore: {
dataStoreType: 'VaultStore'
objectType: 'DataStoreInfoBase'
}
targetDataStoreCopySettings: []
}
]
}
{
name: 'BackupDaily'
objectType: 'AzureBackupRule'
backupParameters: {
backupType: 'Discrete'
objectType: 'AzureBackupParams'
}
dataStore: {
dataStoreType: 'VaultStore'
objectType: 'DataStoreInfoBase'
}
trigger: {
schedule: {
timeZone: 'UTC'
repeatingTimeIntervals: [
repeatingTimeIntervals
]
}
taggingCriteria: [
{
isDefault: false
taggingPriority: 10
tagInfo: {
id: 'Yearly_'
tagName: 'Yearly'
}
criteria: [
{
absoluteCriteria: [
'FirstOfYear'
]
objectType: 'ScheduleBasedBackupCriteria'
}
]
}
{
isDefault: false
taggingPriority: 15
tagInfo: {
id: 'Monthly_'
tagName: 'Monthly'
}
criteria: [
{
absoluteCriteria: [
'FirstOfMonth'
]
objectType: 'ScheduleBasedBackupCriteria'
}
]
}
{
isDefault: false
taggingPriority: 20
tagInfo: {
id: 'Weekly_'
tagName: 'Weekly'
}
criteria: [
{
absoluteCriteria: [
'FirstOfWeek'
]
objectType: 'ScheduleBasedBackupCriteria'
}
]
}
{
isDefault: true
taggingPriority: 99
tagInfo: {
id: 'Default_'
tagName: 'Default'
}
}
]
objectType: 'ScheduleBasedTriggerContext'
}
}
]
datasourceTypes: [
dataSourceType
]
objectType: 'BackupPolicy'
}
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' = {
name: storageAccountName
location: location
kind: 'StorageV2'
sku: {
name: 'Standard_RAGRS'
tier: 'Standard'
}
properties: {
isHnsEnabled: true
}
}
resource storageContainerList 'Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01' = [
for item in containerList: {
name: '${storageAccountName}/default/${item}'
dependsOn: [
storageAccount
]
}
]
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: storageAccount
name: guid(vault.id, roleDefinitionId, storageAccount.id)
properties: {
roleDefinitionId: roleDefinitionId
principalId: reference(vault.id, '2021-01-01', 'Full').identity.principalId
principalType: 'ServicePrincipal'
}
}
resource backupInstance 'Microsoft.DataProtection/backupVaults/backupInstances@2025-07-01' = {
parent: vault
name: storageAccountName
properties: {
objectType: 'BackupInstance'
friendlyName: storageAccountName
dataSourceInfo: {
objectType: 'Datasource'
resourceID: storageAccount.id
resourceName: storageAccountName
resourceType: resourceType
resourceUri: storageAccount.id
resourceLocation: location
datasourceType: dataSourceType
}
dataSourceSetInfo: {
objectType: 'DatasourceSet'
resourceID: storageAccount.id
resourceName: storageAccountName
resourceType: resourceType
resourceUri: storageAccount.id
resourceLocation: location
datasourceType: dataSourceType
}
policyInfo: {
policyId: backupPolicy.id
name: backupPolicyName
policyParameters: {
backupDatasourceParametersList: [
{
objectType: 'BlobBackupDatasourceParameters'
containersList: containerList
}
]
}
}
}
dependsOn: [
roleAssignment
storageContainerList
]
}After you review the preceding template, deploy the template for Azure Data Lake Storage vaulted backup.
To deploy the template, store the preceding template in a GitHub repository, and then run the following PowerShell script on Azure Cloud Shell.
$projectName = Read-Host -Prompt "Enter a project name (limited to eight characters) that is used to generate Azure resource names"
$location = Read-Host -Prompt "Enter the location (for example, centralus)"
$resourceGroupName = "${projectName}rg"
$templateUri = "templateURI"
New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -projectName $projectName
::: zone-end