Create and configure a Recovery Services vault

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup related operations. These include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault, follow these steps.

  1. Sign in to your subscription in the Azure portal.

  2. Search for Backup center in the Azure portal, and navigate to the Backup Center dashboard.

    Select Backup center

  3. Select +Vault from the Overview tab.

    Create a vault

  4. Select Recovery Services vault and click Continue.

    Select Recovery Services vault

  5. The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.

    Configure the Recovery Services vault

    • Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.

    • Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.


      If you're not sure of the location of your data source, close the dialog box. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.

  6. After providing the values, select Review + create.

    Screenshot that shows the Review + create button in the create a Recovery Services vault process.

  7. When you're ready to create the Recovery Services vault, select Create.

    Create the Recovery Services vault

    It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.

    Refresh the list of backup vaults


We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault. For more information, see the Set Storage redundancy section.

Set storage redundancy

Azure Backup automatically handles storage for the vault. You need to specify how that storage is replicated.


Changing Storage Replication type (Locally redundant/ Geo-redundant) for a Recovery Services vault has to be done before configuring backups in the vault. Once you configure backup, the option to modify is disabled.

  • If you haven't yet configured the backup, complete the following steps to review and modify the settings.
  • If you've already configured the backup and must move from GRS to LRS, then review these workarounds.
  1. From the Recovery Services vaults pane, select the new vault. Under the Settings section, select Properties.

  2. In Properties, under Backup Configuration, select Update.

  3. Select the storage replication type, and select Save.

    Set the storage configuration for new vault

    • We recommend that if you're using Azure as a primary backup storage endpoint, continue to use the default Geo-redundant setting.
    • If you don't use Azure as a primary backup storage endpoint, then choose Locally redundant, which reduces the Azure storage costs.
    • Learn more about geo and local redundancy.
    • If you need data availability without downtime in a region, guaranteeing data residency, then choose zone-redundant storage.


The Storage Replication settings for the vault aren't relevant for Azure file share backup as the current solution is snapshot based and there's no data transferred to the vault. Snapshots are stored in the same storage account as the backed up file share.

Set Cross Region Restore

The restore option Cross Region Restore (CRR) allows you to restore data in a secondary, Azure paired region. You can use it to conduct drills when there is an audit or compliance requirement (or) restore the data if there's a disaster in the primary region.

Before you begin:

  • CRR is supported:
    • Only for Recovery Services Vault with GRS replication type.
    • Azure VMs (you can restore the VM or its disk) that are ARM based Azure VMs and encrypted Azure VMs. Classic VMs won’t be supported.
    • SQL/SAP HANA databases hosted on Azure VMs (you can restore databases or their files)
    • Review the support matrix for a list of supported managed types and regions
  • Using CRR will incur additional charges , learn more
  • After opting-in, it might take up to 48 hours for the backup items to be available in secondary regions.
  • CRR currently can't be reverted back to GRS or LRS once the protection is initiated for the first time.
  • Currently, secondary region RPO is up to 12 hours from the primary region, even though read-access geo-redundant storage (RA-GRS) replication is 15 minutes.

Configure Cross Region Restore

A vault created with GRS redundancy includes the option to configure the Cross Region Restore feature. Every GRS vault will have a banner, which will link to the documentation. To configure CRR for the vault, go to the Backup Configuration pane, which contains the option to enable this feature.

Backup Configuration banner


If you've access to restricted paired regions and still unable to view Cross Region Restore settings in Backup Configuration blade, then re-register the recovery services resource provider.

To re-register the provider, go to your subscription in the Azure portal, navigate to Resource provider on the left navigation bar, then select Microsoft.RecoveryServices and select Re-register.

  1. From the portal, go to your Recovery Services vault > Properties (under Settings).

  2. Under Backup Configuration, select Update.

  3. Select Enable Cross Region Restore in this vault to enable the functionality.

    Enable Cross Region restore

See these articles for more information about backup and restore with CRR:

Set encryption settings

By default, the data in the Recovery Services vault is encrypted using platform-managed keys. No explicit actions are required from your end to enable this encryption, and it applies to all workloads being backed up to your Recovery Services vault. You may choose to bring your own key to encrypt the backup data in this vault. This is referred to as customer-managed keys. If you wish to encrypt backup data using your own key, the encryption key must be specified before any item is protected to this vault. Once you enable encryption with your key, it can't be reversed.

Configuring a vault to encrypt using customer-managed keys

To configure your vault to encrypt with customer-managed keys, these steps must be followed in this order:

  1. Enable managed identity for your Recovery Services vault

  2. Assign permissions to the vault to access the encryption key in the Azure Key Vault

  3. Enable soft-delete and purge protection on the Azure Key Vault

  4. Assign the encryption key to the Recovery Services vault

Instructions for each of these steps can be found in this article.

Modifying default settings

We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault.

  • Storage Replication type by default is set to Geo-redundant (GRS). Once you configure the backup, the option to modify is disabled.

  • Soft delete by default is Enabled on newly created vaults to protect backup data from accidental or malicious deletes. Follow these steps to review and modify the settings.

How to change from GRS to LRS after configuring backup

Before deciding to move from GRS to locally redundant storage (LRS), review the trade-offs between lower cost and higher data durability that fit your scenario. If you must move from GRS to LRS, then you have two choices. They depend on your business requirements to retain the backup data:

Don’t need to preserve previous backed-up data

To protect workloads in a new LRS vault, the current protection and data will need to be deleted in the GRS vault and backups configured again.


The following operation is destructive and can't be undone. All backup data and backup items associated with the protected server will be permanently deleted. Proceed with caution.

Stop and delete current protection on the GRS vault:

  1. Disable soft delete in the GRS vault properties. Follow these steps to disable soft delete.

  2. Stop protection and delete backups from the existing GRS vault. In the Vault dashboard menu, select Backup Items. Items listed here that need to be moved to the LRS vault must be removed along with their backup data. See how to delete protected items in the cloud and delete protected items on premises.

  3. If you're planning to move AFS (Azure file shares), SQL servers or SAP HANA servers, then you'll need also to unregister them. In the vault dashboard menu, select Backup Infrastructure. See how to unregister the SQL server, unregister a storage account associated with Azure file shares, and unregister an SAP HANA instance.

  4. Once they're removed from the GRS vault, continue to configure the backups for your workload in the new LRS vault.

Must preserve previous backed-up data

If you need to keep the current protected data in the GRS vault and continue the protection in a new LRS vault, there are limited options for some of the workloads:

  • For MARS, you can stop protection with retain data and register the agent in the new LRS vault.

    • Azure Backup service will continue to retain all the existing recovery points of the GRS vault.
    • You'll need to pay to keep the recovery points in the GRS vault.
    • You'll be able to restore the backed-up data only for unexpired recovery points in the GRS vault.
    • A new initial replica of the data will need to be created on the LRS vault.
  • For an Azure VM, you can stop protection with retain data for the VM in the GRS vault, move the VM to another resource group, and then protect the VM in the LRS vault. See guidance and limitations for moving a VM to another resource group.

    A VM can be protected in only one vault at a time. However, the VM in the new resource group can be protected on the LRS vault as it's considered a different VM.

    • Azure Backup service will retain the recovery points that have been backed up on the GRS vault.
    • You'll need to pay to keep the recovery points in the GRS vault (see Azure Backup pricing for details).
    • You'll be able to restore the VM, if needed, from the GRS vault.
    • The first backup on the LRS vault of the VM in the new resource will be an initial replica.

Next steps

Learn about Recovery Services vaults. Learn about Delete Recovery Services vaults.