az dataprotection enable-backup

Note

This reference is part of the dataprotection extension for the Azure CLI (version 2.75.0 or higher). The extension will automatically install the first time you run an az dataprotection enable-backup command. Learn more about extensions.

Enable backup for Azure resources.

Commands

Name: az dataprotection enable-backup trigger
Description: Enable backup for an AKS cluster by setting up all required resources including backup vault, policy, storage account, extension, and trusted access.
Type: Extension
Status: GA

az dataprotection enable-backup trigger

Enable backup for an AKS cluster by setting up all required resources including backup vault, policy, storage account, extension, and trusted access.

This command orchestrates all the steps required to enable backup for an AKS cluster:

  1. Creates or reuses a backup resource group, storage account, and blob container
  2. Installs the backup extension on the cluster (or reuses an existing one)
  3. Creates or reuses a backup vault and backup policy
  4. Configures trusted access and role assignments
  5. Creates a backup instance

The --backup-configuration-file parameter accepts a JSON file (@file.json) or inline JSON string with the following optional settings:

  • storageAccountResourceId: ARM ID of an existing storage account to use
  • blobContainerName: Name of an existing blob container (used with storageAccountResourceId)
  • backupResourceGroupId: ARM ID of an existing resource group for backup resources
  • backupVaultId: ARM ID of an existing backup vault (required for Custom strategy)
  • backupPolicyId: ARM ID of an existing backup policy (required for Custom strategy)
  • tags: Dictionary of tags to apply to created resources (e.g., {"Owner": "team", "Env": "prod"})

Backup strategy presets (--backup-strategy):

  • Week (default): Daily incremental backups with 7-day retention in Operational Store.
  • Month: Daily incremental backups with 30-day retention in Operational Store.
  • DisasterRecovery: Daily incremental backups with 7-day Operational Store + 90-day Vault Store retention. FirstOfDay backups are copied to Vault Store for cross-region restore.
  • Custom: Bring your own vault and policy. Requires backupVaultId and backupPolicyId in --backup-configuration-file.

az dataprotection enable-backup trigger --datasource-id
                                        --datasource-type
                                        [--acquire-policy-token]
                                        [--backup-configuration-file]
                                        [--backup-strategy {Custom, DisasterRecovery, Month, Week}]
                                        [--change-reference]
                                        [--yes]

Examples

Enable backup for an AKS cluster with default Week strategy

az dataprotection enable-backup trigger --datasource-type AzureKubernetesService --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster}

Enable backup with Month strategy

az dataprotection enable-backup trigger --datasource-type AzureKubernetesService --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} --backup-strategy Month

Enable backup with Custom strategy using existing vault and policy

az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \
  --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \
  --backup-strategy Custom \
  --backup-configuration-file @config.json

Where config.json contains:
{
  "backupVaultId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DataProtection/backupVaults/{vault}",
  "backupPolicyId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DataProtection/backupVaults/{vault}/backupPolicies/{policy}"
}

Enable backup with resource tags for policy compliance

az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \
  --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \
  --backup-configuration-file '{"tags": {"Owner": "team", "Environment": "prod", "DeleteBy": "2026-12"}}'

Enable backup using an existing storage account

az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \
  --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \
  --backup-configuration-file @config.json

Where config.json contains:
{
  "storageAccountResourceId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{sa}",
  "blobContainerName": "my-backup-container"
}
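
A preflight check for the configuration file and strategy rules described above, added here as an example and not part of the Azure CLI or its documentation. It applies the rules this page states (Custom requires backupVaultId and backupPolicyId, blobContainerName is used with storageAccountResourceId) before the command creates any resources. The function name, the ARM ID patterns (derived from this page's examples), the unlisted-key check and the policy-in-vault check are assumptions.

```python
import json
import re

STRATEGIES = {"Week", "Month", "DisasterRecovery", "Custom"}
# Settings this page lists for --backup-configuration-file.
KNOWN_KEYS = {"storageAccountResourceId", "blobContainerName",
              "backupResourceGroupId", "backupVaultId", "backupPolicyId", "tags"}
RG = r"/subscriptions/[^/]+/resourceGroups/[^/]+"
VAULT = RG + r"/providers/Microsoft\.DataProtection/backupVaults/[^/]+"
ARM_PATTERNS = {  # expected shape of each ARM ID, taken from the page's examples
    "storageAccountResourceId": RG + r"/providers/Microsoft\.Storage/storageAccounts/[^/]+",
    "backupResourceGroupId": RG,
    "backupVaultId": VAULT,
    "backupPolicyId": VAULT + r"/backupPolicies/[^/]+",
}

def check_backup_config(strategy, config_text=""):
    """Return a list of problems; an empty list means nothing was flagged."""
    if strategy not in STRATEGIES:
        return [f"unknown strategy: {strategy}"]
    try:
        cfg = json.loads(config_text) if config_text else {}
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["configuration must be a JSON object"]
    # Assumed check: a misspelled key would otherwise go unnoticed.
    problems = [f"key not listed on the page: {k}" for k in sorted(set(cfg) - KNOWN_KEYS)]
    for key, pattern in ARM_PATTERNS.items():
        if key in cfg and not re.fullmatch(pattern, str(cfg[key]), re.IGNORECASE):
            problems.append(f"{key} is not an ARM ID of the expected type")
    if strategy == "Custom":
        problems += [f"Custom strategy requires {k}"
                     for k in ("backupVaultId", "backupPolicyId") if k not in cfg]
    vault, policy = cfg.get("backupVaultId"), cfg.get("backupPolicyId")
    if isinstance(vault, str) and isinstance(policy, str):
        # Assumed check: the policy ID must be a child of the named vault.
        if not policy.lower().startswith(vault.lower() + "/backuppolicies/"):
            problems.append("backupPolicyId does not belong to backupVaultId")
    if "blobContainerName" in cfg and "storageAccountResourceId" not in cfg:
        problems.append("blobContainerName given without storageAccountResourceId")
    tags = cfg.get("tags", {})
    if not (isinstance(tags, dict) and all(isinstance(v, str) for v in tags.values())):
        problems.append("tags must be an object with string values")
    return problems

# Constructed sample: Custom strategy with backupPolicyId left out.
SAMPLE = '{"backupVaultId": "/subscriptions/s/resourceGroups/r/providers/Microsoft.DataProtection/backupVaults/v"}'
print(check_backup_config("Custom", SAMPLE))
```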

Required Parameters

--datasource-id

The full ARM resource ID of the datasource to be backed up.

--datasource-type

The type of datasource to be backed up. Supported values: AzureKubernetesService.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Automatically acquire an Azure Policy token for this resource operation.

Parameter group: Global Policy Arguments

--backup-configuration-file -f

Path to a JSON backup configuration file. Supports backupVaultId and backupPolicyId (required for Custom strategy). For workload-specific settings, refer to the documentation.

--backup-strategy

Backup strategy preset (daily incremental backups). For AzureKubernetesService: Week (7-day operational store retention), Month (30-day operational store retention), DisasterRecovery (7-day operational + 90-day vault store retention), Custom (bring your own vault/policy). Default: Week.

Accepted values: Custom, DisasterRecovery, Month, Week

--change-reference

The related change reference ID for this resource operation.

Parameter group: Global Policy Arguments

--yes -y

Do not prompt for confirmation.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False