Azure Backup is Microsoft’s cloud-based backup service providing simple, secure, and scalable protection for your on-premises servers, virtual machines, Azure VMs, SQL workloads, files, and applications. For detailed information refer to the Azure Backup official documentation.
Integration Method: API
Tables: Scheduled Job Activity (1006), Data Security Finding (2006)
This Integration supports the following events.
Event | Description |
|---|---|
Backup Jobs and Restore | Captures backup job execution and restore operation events including job status, start and end times, backup operations, restore activities, job failures, completion status, and backup vault operations from Azure Backup service. |
Backup Protected Items and Profiles | Captures backup-protected resource configurations and policy profiles including protected items (VMs, databases, file shares), backup policy associations, protection status, retention policies, backup schedules, and policy profile settings from Azure Backup vaults. |
This integration supports the following versions.
Azure Backup API version | 2025-04-01, 2025-08-01 |
Note:
Azure Backup is a continuously updated cloud service. As for this document preparation, the latest release was in November 2025.
Prerequisites
The user should have access to the Azure portal with an account that has the Global Administrator privileges.
The user should have access to the DataBee console.
Configuration Overview
Create an application with required permissions to fetch the data.
Create Azure Backup Data Feed data feed in the DataBee console with the below parameters.
DataBee Parameter
Azure Parameter
Client Key
Client Secret
Client secret Value
Token URL(<tenant_id>)
Azure Configuration
Create an application
Log on to Azure portal with an account that has the Global Administrator privilege. In the search bar, search for App registrations and select it.
On the “Register an application” window:
Under ‘Name,’ enter your Application Name then click on Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
Login on to Azure portal with an account that has the Global Administrator privilege. In the search bar, check for Subscriptions and select it.
Select the Subscription name as shown below.
On the Overview page, copy the Subscription ID for later use.
In the search bar, check for Resource groups and select it.
In the “Resource groups” page, copy the Resource Group name for later use.
Add Endpoint Access
Once the application is created, three permissions should be provided to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.
From the Azure Active Directory portal:
Select the application registered in the previous step.
Under Manage, click API permissions and then click Add a permission, the “Request API permissions” window will appear.
On “Request API permissions” window, click on Microsoft APIs then on Microsoft Graph.
Click on Application permissions.
The following permissions need to be granted for the endpoint to function properly:
Event
Permission Name
Type
Backup Profiles
Backup Restore
BackupRestore-Configuration.Read.All
BackupRestore-Restore.Read.All
Application
Resource groups and Role Assignment
Navigate to Resource groups under Resource Manager, check for Resources and select it.
Assign the Reader Role to the Resource. Click on Access Control and select Add.
Permission Name: Reader
Type: RBAC
Scope: Subscription
Under Role select the Reader, Backup Reader, and Log Analytics Reader to be added.
Action: Grant the Reader role to the Subscription for the App Registration to enable read-only access to subscription-level resources.
Create the Client Secret
The final step in accessing the APIs is creating a Client Secret. To create it from the Azure Portal:
Select the application created above.
Under Manage, click Certificates & secrets, and then Client secrets.
Click New client secret. Then “Add a client secret” window appears.
On “Add a client secret” window:
Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.
Then click on Add to create the client secret.
Note:
The user needs to re-create the client secret when it expires.
This completes the setup for Azure Activity API integration.
DataBee Configuration
Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the Azure Backup and click it as shown below.
Click on the API Ingest option for collection method.
Enter feed contact information and add the configurations as mentioned in step 5.
In the configuration page, confirm the following:
Authorization Method: OAuth2
Client Key: Paste the Client ID generated previously
Client Secret: Paste the Client Secret generated previously
Token URL: Replace <tenant_id> placeholder with your Directory (Tenant) ID
Event Types: Preselected for all the event types that integration pulls
Troubleshooting Tips
If you are facing an invalid client or unauthorized client error this might be possibly due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the 1st time, re-create it, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.
If you are facing response code - 403 this might be possibly due to missing permissions. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.