Install the Azure Backup MARS agent

This article explains how to install the Microsoft Azure Recovery Services (MARS) agent. MARS is also known as the Azure Backup agent.

About the MARS agent

Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. Those backups are stored in a Recovery Services vault in Azure. You can run the agent:

  • Directly on on-premises Windows machines. These machines can back up directly to a Recovery Services vault in Azure.
  • On Azure VMs that run Windows side by side with the Azure VM backup extension. The agent backs up specific files and folders on the VM.
  • On a Microsoft Azure Backup Server (MABS) instance or a System Center Data Protection Manager (DPM) server. In this scenario, machines and workloads back up to MABS or Data Protection Manager. Then MABS or Data Protection Manager uses the MARS agent to back up to a vault in Azure.

The data that's available for backup depends on where the agent is installed.


Generally, you back up an Azure VM by using an Azure Backup extension on the VM. This method backs up the entire VM. If you want to back up specific files and folders on the VM, install and use the MARS agent alongside the extension. For more information, see Architecture of a built-in Azure VM backup.

Backup process steps

Before you start

  • Learn how Azure Backup uses the MARS agent to back up Windows machines.
  • Learn about the backup architecture that runs the MARS agent on a secondary MABS or Data Protection Manager server.
  • Review what's supported and what you can back up by the MARS agent.
  • Make sure that you have an Azure account if you need to back up a server or client to Azure. If you don't have an account, you can create a free one in just a few minutes.
  • Verify internet access on the machines that you want to back up.
  • Ensure the user performing the installation and configuration of the MARS agent has local administrator privileges on the server to be protected.

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup related operations. These include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault, follow these steps.

  1. Sign in to your subscription in the Azure portal.

  2. On the left menu, select All services.

    Select All services

  3. In the All services dialog box, enter Recovery Services. The list of resources filters according to your input. In the list of resources, select Recovery Services vaults.

    Enter and choose Recovery Services vaults

    The list of Recovery Services vaults in the subscription appears.

  4. On the Recovery Services vaults dashboard, select Add.

    Add a Recovery Services vault

    The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.

    Configure the Recovery Services vault

    • Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.

    • Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.


      If you're not sure of the location of your data source, close the dialog box. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.

  5. After providing the values, select Review + create.

    Create the Recovery Services vault

  6. When you're ready to create the Recovery Services vault, select Create.

    Create the Recovery Services vault

    It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.

    Refresh the list of backup vaults


We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault. For more information, see the Set Storage redundancy section.

Modify storage replication

By default, vaults use geo-redundant storage (GRS).

To modify the storage replication type:

  1. In the new vault, select Properties under the Settings section.

  2. On the Properties page, under Backup Configuration, select Update.

  3. Select the storage replication type, and select Save.

    Update Backup Configuration


You can't modify the storage replication type after the vault is set up and contains backup items. If you want to do this, you need to re-create the vault.

Verify internet access

If your machine has limited internet access, ensure that firewall settings on the machine or proxy allow the following URLs and IP addresses:

  • URLs
    • *
    • *
    • *
    • *
  • IP addresses

Use Azure ExpressRoute

You can back up your data over Azure ExpressRoute by using public peering (available for old circuits) and Microsoft peering. Backup over private peering isn't supported.

To use public peering, first ensure access to the following domains and addresses:


To use Microsoft peering, select the following services, regions, and relevant community values:

  • Azure Active Directory (12076:5060)
  • Azure region, according to the location of your Recovery Services vault
  • Azure Storage, according to the location of your Recovery Services vault

For more information, see ExpressRoute routing requirements.


Public peering is deprecated for new circuits.

All of the preceding URLs and IP addresses use the HTTPS protocol on port 443.

Private Endpoints

You can now use Private Endpoints to back up your data securely from servers inside a virtual network to your Recovery Services vault. The private endpoint uses an IP from the VNET address space for your vault. The network traffic between your resources inside the virtual network and the vault travels over your virtual network and a private link on the Microsoft backbone network. This eliminates exposure from the public internet. Private Endpoints can be used for backing up and restoring your SQL and SAP HANA databases that run inside your Azure VMs. It can also be used for your on-premises servers using the MARS agent.

Azure VM backup doesn't require internet connectivity and so doesn't require Private Endpoints to allow network isolation.

Read more on private endpoints for Azure Backup here.

Download the MARS agent

Download the MARS agent so that you can install it on the machines that you want to back up.

If you've already installed the agent on any machines, make sure that you're running the latest version of the agent. Find the latest version in the portal, or go directly to the download.

  1. In the vault, under Getting Started, select Backup.

    Open the backup goal

  2. Under Where is your workload running?, select On-premises. Select this option even if you want to install the MARS agent on an Azure VM.

  3. Under What do you want to back up?, select Files and folders. You can also select System State. Many other options are available, but these options are supported only if you're running a secondary backup server. Select Prepare Infrastructure.

    Configure files and folders

  4. For Prepare infrastructure, under Install Recovery Services agent, download the MARS agent.

    Prepare the infrastructure

  5. In the download menu, select Save. By default, the MARSagentinstaller.exe file is saved to your Downloads folder.

  6. Select Already download or using the latest Recovery Services Agent, and then download the vault credentials.

    Download vault credentials

  7. Select Save. The file is downloaded to your Downloads folder. You can't open the vault credentials file.

Install and register the agent

  1. Run the MARSagentinstaller.exe file on the machines that you want to back up.

  2. In the MARS Agent Setup Wizard, select Installation Settings. There, choose where to install the agent, and choose a location for the cache. Then select Next.

    • Azure Backup uses the cache to store data snapshots before sending them to Azure.
    • The cache location should have free space equal to at least 5 percent of the size of the data you'll back up.

    Choose installation settings in the MARS Agent Setup Wizard

  3. For Proxy Configuration, specify how the agent that runs on the Windows machine will connect to the internet. Then select Next.

    • If you use a custom proxy, specify any necessary proxy settings and credentials.
    • Remember that the agent needs access to specific URLs.

    Set up internet access in the MARS wizard

  4. For Installation, review the prerequisites, and select Install.

  5. After the agent is installed, select Proceed to Registration.

  6. In Register Server Wizard > Vault Identification, browse to and select the credentials file that you downloaded. Then select Next.

    Add vault credentials by using the Register Server Wizard

  7. On the Encryption Setting page, specify a passphrase that will be used to encrypt and decrypt backups for the machine. See here for more information on allowed passphrase characters.

    • Save the passphrase in a secure location. You need it to restore a backup.
    • If you lose or forget the passphrase, Microsoft can't help you recover the backup data.
  8. Select Finish. The agent is now installed, and your machine is registered to the vault. You're ready to configure and schedule your backup.

Next steps

Learn how to Back up Windows machines by using the Azure Backup MARS agent