I'm exploring Tenuvault as an option to back up my Intune configurations, which utilizes an Azure storage account for this purpose. This raises a concern for me: if a threat actor gains control of a Global Administrator (GA) account, they could potentially change or delete Azure resources. I'm wondering about the best ways to protect my Azure resources to ensure my backups remain intact. One idea I've had is to create the resources through an Emergency Admin account, which is more secure and FIDO2-protected. My thinking is that even if someone compromised the GA account, they wouldn't be able to delete the backup if only the Emergency Admin account has ownership. But I'm not entirely sure if that's the best approach or if I'm being overly cautious. Would it be safe to create backups with my separate GA account instead? I would appreciate any advice on this!
1 Answer
Using Azure Backup Vaults is a solid way to secure your storage. Locking the Backup Vault can prevent it from being deleted, which is a key step. Additionally, you can enable immutable policies on the storage account, although they don't completely protect against subscription loss. Just keep in mind that if a threat actor gains access to the GA account, they might have a harder time if these protections are in place!

That's a great point! It sounds like having dual backups, as you mentioned, would add another layer of security. We're already doing dual backups in our setup. Thanks for the info!
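As an added illustration of the two controls the answer recommends (a delete lock plus an immutability policy), here is an Az PowerShell script that applies and then verifies both; it is not code from the thread or from Tenuvault, and the resource group, storage account and container names are assumed placeholders.

```powershell
# Added example (not from the thread): apply a CanNotDelete lock and a locked
# time-based immutability policy with the Az PowerShell module, then verify.
# Assumed names: resource group "rg-intune-backup", storage account
# "stintunebackup01", container "tenuvault-backups". Requires the Az.Resources
# and Az.Storage modules and an existing Connect-AzAccount session.
$rg        = 'rg-intune-backup'
$account   = 'stintunebackup01'
$container = 'tenuvault-backups'

# 1. CanNotDelete lock on the storage account. The lock is a safety net
#    against accidental deletion, not a security boundary: any principal
#    holding Microsoft.Authorization/locks/delete (Owner, User Access
#    Administrator, or a GA who elevates access) can remove it first.
New-AzResourceLock -LockName 'protect-backups' -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceName $account `
    -ResourceType 'Microsoft.Storage/storageAccounts' -Force

# 2. Time-based retention on the backup container (30 days here). While the
#    policy is unlocked it can still be removed; locking it makes the
#    retention irreversible (the period can only be extended afterwards).
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -ImmutabilityPeriod 30

$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -Etag $policy.Etag -Force

# 3. Verify. A missing lock or a policy whose State is not 'Locked' is the
#    drift condition worth alerting on from a scheduled check.
$lock = Get-AzResourceLock -ResourceGroupName $rg -ResourceName $account `
    -ResourceType 'Microsoft.Storage/storageAccounts' -LockName 'protect-backups'
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
[pscustomobject]@{
    LockLevel     = $lock.Properties.level      # expected 'CanNotDelete'
    PolicyState   = $policy.State               # expected 'Locked'
    RetentionDays = $policy.ImmutabilityPeriodSinceCreationInDays
}
```

Run step 3 on its own from a scheduled job to detect the lock or policy being removed, since neither control stops a principal who can first strip the lock.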