Theoretical Foundation: Configure and Interpret Reports and Alerts for Backups
1. Initial Intuitionβ
You've created vaults, configured policies, enabled protection on VMs, and learned to execute backups and restorations. All this protection infrastructure has a silent problem: backups can fail without anyone noticing.
Imagine a car insurance that was cancelled without your knowledge. You keep driving with the feeling of security, but you're actually unprotected. With backups, the same risk exists: a backup can fail silently for weeks, and you'll only discover it when you need to restore and there's no valid recovery point.
Alerts solve the detection problem: they actively notify you when something goes wrong, without requiring manual verification.
Reports solve the visibility problem: they answer questions like "are all my resources protected?", "how much am I spending on backup?", "which backups failed last week?".
The analogy: alerts are like fire alarms (notify you immediately when something happens); reports are like monthly building inspection reports (give you a consolidated view of everything's status).
2. Contextβ
Reports and alerts are the observability layer of the backup solution. They sit above direct operation (backup and restore) and provide visibility for both operators and managers.
Two main systems cover this layer in Azure Backup:
Backup Center: native Azure Backup dashboard that centralizes visibility of all vaults (Recovery Services and Backup Vaults) in a single interface. Includes view of jobs, protected items, alerts, and access to reports.
Azure Monitor: Azure's observability platform that collects metrics and logs from virtually all services, including Azure Backup. Allows creating sophisticated alerts, custom dashboards, and integration with external tools.
Backup Reports (via Azure Monitor Workbooks + Log Analytics): detailed historical reports about backups, costs, compliance, and storage usage, powered by data sent to Log Analytics Workspace.
3. Building the Conceptsβ
3.1 Alerts in Azure Backupβ
There are two alert systems for Azure Backup, and understanding the difference between them is fundamental.
Classic alerts (Legacy Alerts)
The old Azure Backup alert system. Generated directly by the vault, without need for additional configuration. Significant limitations:
- Not configurable: you don't control which events generate alerts
- No native integration with Azure Monitor Action Groups
- Separate interface in portal, not integrated with Azure Monitor
- Being progressively discontinued by Microsoft
Azure Monitor alerts (Built-in Azure Monitor Alerts)
The modern system, recommended by Microsoft. Integrated with Azure Monitor, with all its capabilities:
- Configurable by event type, severity, and scope
- Integrated with Action Groups for notifications via email, SMS, webhook, Teams, PagerDuty, ITSM
- Visible in portal alongside all other Azure alerts
- Support alert suppression (alert processing rules)
- Can be forwarded to Log Analytics for historical analysis
3.2 Types of alerts available for Azure Backupβ
Azure Monitor alerts for backup are categorized by scenario:
| Category | Alert examples |
|---|---|
| Backup Health | Backup job failed, backup job completed with warning |
| Restore Health | Restore job failed |
| Replication Health (ASR) | High RPO, replication interrupted |
| Security | Soft delete disabled, suspicious operation detected |
| Configuration | Backup item without protection, policy modified |
Backup alerts have severities:
- Sev0 (Critical): critical failures requiring immediate action
- Sev1 (Error): errors requiring attention
- Sev2 (Warning): warnings that should be investigated
- Sev3 (Informational): operational information
3.3 Log Analytics Workspace and Diagnostic Settingsβ
To use Backup Reports (historical reports) and advanced log-based alerts, you need to configure the vault to send data to a Log Analytics Workspace.
Log Analytics Workspace: Azure service that stores and indexes logs from multiple resources for querying via KQL (Kusto Query Language).
Diagnostic Settings: vault configuration that defines which data is sent, where (Log Analytics, Storage Account, Event Hub), and which log categories are included.
For Backup Reports, the relevant diagnostic categories are:
| Category | Data included |
|---|---|
AzureBackupReport | Jobs, protected items, policies, recovery points (legacy model) |
CoreAzureBackup | Fundamental backup data (current model, replaces AzureBackupReport) |
AddonAzureBackupJobs | Backup job details |
AddonAzureBackupAlerts | Alert history |
AddonAzureBackupPolicy | Policy details |
AddonAzureBackupStorage | Storage usage |
AddonAzureBackupProtectedInstance | Protected items |
Microsoft's current recommendation: use the
CoreAzureBackupandAddon*categories instead of the legacyAzureBackupReport. TheAzureBackupReportis in maintenance mode and doesn't receive new features.
3.4 Backup Reports (Azure Monitor Workbooks)β
The Backup Reports are Azure Monitor Workbooks pre-built by Microsoft that visualize Log Analytics data in an organized way. They're not static reports; they're interactive dashboards with filters.
Available reports cover:
- Overview: health overview, recent jobs, active alerts
- Backup Items: all protected items by vault, type, and status
- Usage: backup storage consumption by vault and item
- Jobs: detailed history of all jobs, with filters by status and period
- Policies: configured policies and associated items
- Optimize: cost optimization opportunities (e.g., items without recent backup)
4. Structural Viewβ
5. Practical Operationβ
Configuring Diagnostic Settings in the vaultβ
This is the fundamental step to enable Backup Reports. Without configured Diagnostic Settings, backup data doesn't reach Log Analytics and reports remain blank.
In the portal:
- Access the Recovery Services Vault
- Under Monitoring, click Diagnostic settings
- Click Add diagnostic setting
- Give it a name (e.g.,
diag-rsv-prod-law) - Select the log categories:
- Check
CoreAzureBackup - Check all
Addon*categories - Don't check
AzureBackupReport(legacy)
- Check
- Under Destination, check Send to Log Analytics workspace
- Select the subscription and Log Analytics Workspace
- Click Save
Important behavior: data starts flowing to Log Analytics after configuration, but historical data prior to configuration is not retroactively imported. Any historical report will only cover the period from when the Diagnostic Setting was configured.
Configuring Azure Monitor Alerts for Backupβ
Approach 1: Via Backup Center (simpler)
- Access Backup Center in the portal
- Click Alerts in the left menu
- Click Configure notifications (or access via Azure Monitor)
- Select the scope (subscription, Resource Group, or specific vault)
- Configure alert conditions (event type, severity)
- Associate an Action Group
Approach 2: Via Azure Monitor Alerts (more flexible)
- Access Azure Monitor > Alerts > Alert rules
- Click Create
- Select scope: specific vault or entire subscription
- Under Condition, select the signal:
- For backup: look for "Backup Health Events" or backup metrics
- Configure threshold and evaluation frequency
- Associate or create an Action Group
- Configure name, severity, and resource group of the alert
- Review and create
Configuring an Action Groupβ
The Action Group is the set of actions executed when an alert is triggered. It's an independent resource that can be reused by multiple alerts.
# Create Action Group via CLI
az monitor action-group create \
--resource-group rg-monitoring \
--name ag-backup-ops \
--short-name backupops \
--action email backup-team backup-team@empresa.com \
--action sms oncall +55119999999
Available action types:
| Type | Description |
|---|---|
| Email/SMS/Push/Voice | Direct notification to people |
| Azure Function | Executes an Azure Function |
| Logic App | Triggers a Logic Apps workflow |
| Webhook | Calls a URL via HTTP POST |
| ITSM | Creates ticket in ServiceNow, JIRA, etc |
| Automation Runbook | Executes an Azure Automation Runbook |
| Event Hub | Publishes event to an Event Hub |
Accessing and interpreting Backup Reportsβ
- Access Backup Center
- In the left menu, click Backup reports
- Select the configured Log Analytics Workspace
- Apply filters:
- Time Range: last 7 days, 30 days, etc.
- Vault: filter by specific vault or all
- Backup Item Type: VMs, SQL, Files, etc.
- Region: filter by region
Most used reports and what each reveals:
Summary (Overview):
Answers: "What's the general state of my backup?"
- Total protected items
- Job success rate in last 24h, 7 days, 30 days
- Total storage consumed
- Active alerts
Backup Instances:
Answers: "Which resources are protected and what's the status of each?"
- Lists all items by vault and type
- Last successful backup date
- Next scheduled backup
- Protection status
Jobs:
Answers: "What happened with my backups last week?"
- History of all jobs (success, failure, warning)
- Duration of each job
- Failure causes
Usage:
Answers: "How much storage am I consuming and what does it cost?"
- Storage usage by vault
- Growth trend over time
- Breakdown by workload type
Optimize:
Answers: "Where can I reduce costs without compromising protection?"
- Items with excessively long retention policies
- Instant Restore snapshots still consuming space
- Items without recent backup (potentially unprotected)
6. Implementation Methodsβ
6.1 Azure Portal (Backup Center)β
When to use: daily operation, failure investigation, initial report configuration.
Advantage: unified view of all vaults in one interface; direct access to Backup Reports without leaving backup context.
Limitation: Backup Reports require Log Analytics configured previously; without this, reports remain empty.
6.2 Azure CLI for alerts and diagnosticsβ
When to use: configuration automation, IaC, batch configuration for multiple vaults.
# Configure Diagnostic Settings via CLI
az monitor diagnostic-settings create \
--resource "/subscriptions/{sub}/resourceGroups/rg-backup-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod-brazilsouth" \
--name "diag-rsv-prod-law" \
--workspace "/subscriptions/{sub}/resourceGroups/rg-monitoring/providers/microsoft.operationalinsights/workspaces/law-backup" \
--logs '[
{"category": "CoreAzureBackup", "enabled": true},
{"category": "AddonAzureBackupJobs", "enabled": true},
{"category": "AddonAzureBackupAlerts", "enabled": true},
{"category": "AddonAzureBackupPolicy", "enabled": true},
{"category": "AddonAzureBackupStorage", "enabled": true},
{"category": "AddonAzureBackupProtectedInstance", "enabled": true}
]'
# Create alert rule for backup failure
az monitor alert create \
--name "alert-backup-job-failure" \
--resource-group rg-monitoring \
--target "/subscriptions/{sub}/resourceGroups/rg-backup-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod-brazilsouth" \
--condition "category=Backup and status=Failed" \
--action-group "/subscriptions/{sub}/resourceGroups/rg-monitoring/providers/microsoft.insights/actionGroups/ag-backup-ops"
6.3 Azure PowerShellβ
When to use: complex automation, integration with existing corporate scripts.
# Configure Diagnostic Settings via PowerShell
$logCategories = @(
New-AzDiagnosticSettingLogSettingsObject -Category "CoreAzureBackup" -Enabled $true
New-AzDiagnosticSettingLogSettingsObject -Category "AddonAzureBackupJobs" -Enabled $true
New-AzDiagnosticSettingLogSettingsObject -Category "AddonAzureBackupAlerts" -Enabled $true
New-AzDiagnosticSettingLogSettingsObject -Category "AddonAzureBackupPolicy" -Enabled $true
New-AzDiagnosticSettingLogSettingsObject -Category "AddonAzureBackupStorage" -Enabled $true
New-AzDiagnosticSettingLogSettingsObject -Category "AddonAzureBackupProtectedInstance" -Enabled $true
)
$vaultId = "/subscriptions/{sub}/resourceGroups/rg-backup-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod-brazilsouth"
$workspaceId = "/subscriptions/{sub}/resourceGroups/rg-monitoring/providers/microsoft.operationalinsights/workspaces/law-backup"
New-AzDiagnosticSetting `
-ResourceId $vaultId `
-Name "diag-rsv-prod-law" `
-WorkspaceId $workspaceId `
-Log $logCategories
6.4 KQL Queries in Log Analyticsβ
When to use: specific problem investigation, custom report creation, log-based alerts.
Practical query examples:
Failed jobs in the last 24 hours:
AddonAzureBackupJobs
| where TimeGenerated > ago(24h)
| where JobStatus == "Failed"
| project TimeGenerated, BackupItemUniqueId, JobOperation, JobFailureCode, JobStatus
| order by TimeGenerated desc
Protected items without successful backup in the last 2 days:
CoreAzureBackup
| where TimeGenerated > ago(2d)
| where OperationName == "BackupItem"
| summarize LastBackup = max(TimeGenerated) by BackupItemUniqueId, BackupItemFriendlyName
| where LastBackup < ago(2d)
| project BackupItemFriendlyName, LastBackup
Storage usage trend by vault:
AddonAzureBackupStorage
| where TimeGenerated > ago(30d)
| summarize TotalStorageGB = sum(StorageConsumedInMBs) / 1024 by bin(TimeGenerated, 1d), VaultUniqueId
| render timechart
Job success rate by week:
AddonAzureBackupJobs
| where TimeGenerated > ago(30d)
| summarize
Total = count(),
Success = countif(JobStatus == "Completed"),
Failed = countif(JobStatus == "Failed")
by bin(TimeGenerated, 7d)
| extend SuccessRate = round(toreal(Success) / toreal(Total) * 100, 2)
| project TimeGenerated, Total, Success, Failed, SuccessRate
---
### 6.5 ARM Template for Diagnostic Settings
**When to use**: IaC to ensure all vaults have diagnostics configured from creation.
```json
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"name": "diag-rsv-prod-law",
"scope": "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]",
"properties": {
"workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
"logs": [
{ "category": "CoreAzureBackup", "enabled": true },
{ "category": "AddonAzureBackupJobs", "enabled": true },
{ "category": "AddonAzureBackupAlerts", "enabled": true },
{ "category": "AddonAzureBackupPolicy", "enabled": true },
{ "category": "AddonAzureBackupStorage", "enabled": true },
{ "category": "AddonAzureBackupProtectedInstance", "enabled": true }
]
}
}
7. Control and Securityβ
RBAC for reports and alertsβ
| Role | Capabilities |
|---|---|
| Backup Reader | View reports and alerts; no modification |
| Backup Operator | View and dismiss alerts |
| Backup Contributor | Configure alerts and Diagnostic Settings |
| Monitoring Reader | View alerts and metrics in Azure Monitor |
| Monitoring Contributor | Create and configure alerts in Azure Monitor |
Data retention in Log Analyticsβ
The Log Analytics Workspace has data retention configuration. The default is 30 days free; additional retention incurs cost.
For historical Backup Reports, configure minimum retention of 90 days in the workspace. For regulatory compliance, it may be necessary to retain for 1 year or more.
# Configure workspace retention
az monitor log-analytics workspace update \
--resource-group rg-monitoring \
--workspace-name law-backup \
--retention-time 90
Alert Processing Rulesβ
Alert Processing Rules allow suppressing alerts during maintenance windows or modifying the behavior of existing alerts without deleting them:
# Create suppression rule during maintenance window
az monitor alert-processing-rule create \
--resource-group rg-monitoring \
--name "suppress-during-maintenance" \
--rule-type Suppression \
--scopes "/subscriptions/{sub}/resourceGroups/rg-backup-prod" \
--schedule-recurrence Weekly \
--schedule-recurrence-type Weekly \
--schedule-start-datetime "2025-01-05 02:00:00" \
--schedule-end-datetime "2025-01-05 04:00:00"
8. Decision Makingβ
Classic alerts vs Azure Monitor Alertsβ
| Situation | Choice | Reason |
|---|---|---|
| New vault, zero configuration | Azure Monitor Alerts | Current and recommended system; more flexible |
| Legacy vault with existing classic alerts | Migrate to Azure Monitor Alerts | Classic alerts are being discontinued |
| Simple email notification only | Azure Monitor Alerts with email Action Group | Simple and functional with current system |
| ITSM integration (ServiceNow, Jira) | Azure Monitor Alerts + ITSM Action Group | Only Azure Monitor supports ITSM integration |
| Alerts for multiple vaults at once | Azure Monitor Alerts with subscription scope | Single alert covers all vaults |
Diagnostic Settings destinationβ
| Situation | Destination | Reason |
|---|---|---|
| Historical reports and Backup Reports | Log Analytics Workspace | Required for workbooks and KQL |
| Log archiving for auditing | Storage Account | Lower cost for long-term retention |
| External SIEM integration (Splunk, etc) | Event Hub | Real-time streaming to external systems |
| All above | Multiple simultaneous destinations | One Diagnostic Setting can have multiple destinations |
Report review frequencyβ
| Situation | Recommended frequency | Type of check |
|---|---|---|
| Critical production environment | Daily | Failed jobs in last 24h |
| Operational review | Weekly | Success rate, active alerts |
| Compliance review | Monthly | Items without backup, storage usage |
| Capacity planning | Quarterly | Storage growth trends |
9. Best Practicesβ
Configure Diagnostic Settings immediately after creating the vault: historical data is not retroactive. Each day without configured Diagnostic Settings is a day without data in reports.
Use a single centralized Log Analytics Workspace: for environments with multiple vaults, send all diagnostics to the same workspace. This enables reports and queries that span all vaults at once.
Create Action Groups by criticality: have one Action Group for critical alerts (Sev0/Sev1) with SMS and Teams notification, and another for warning alerts (Sev2) with email only. This prevents alert fatigue where everyone receives the same type of notification.
Configure alerts at subscription level: instead of creating one alert rule per vault, create a single rule with subscription scope. It will automatically cover all existing and future vaults in the subscription.
Review the "Optimize" report monthly: the Optimize report identifies cost reduction opportunities like expired uncollected snapshots, excessively long retention policies, and items without recent backup.
Name alerts descriptively: use names like alert-backup-failure-prod-vaults instead of alert1. In incident situations, clear names accelerate triage.
10. Common Errorsβ
Error: not configuring Diagnostic Settings when creating the vault Why it happens: it's an optional step in the creation flow and frequently ignored. How to avoid: include Diagnostic Settings in the ARM/Terraform template for vault creation. Use Azure Policy to audit vaults without configured diagnostics.
Error: using the legacy AzureBackupReport category instead of current categories
Why it happens: old documentation still references AzureBackupReport.
How to avoid: use CoreAzureBackup and Addon* categories. AzureBackupReport doesn't receive new features.
Error: configuring alerts only for failures, ignoring warnings
Why it happens: warnings seem less urgent.
How to avoid: configure alerts for Warning as well. Backups completed with warning may indicate open files or consistency issues that evolve into failures.
Error: not configuring adequate retention in Log Analytics Why it happens: the 30-day default seems sufficient until you need to investigate a 45-day-old problem. How to avoid: configure minimum 90 days. For environments with regulatory requirements, configure 365 days or more, with archive to Storage Account to reduce cost.
Error: creating separate alerts per vault instead of using subscription scope Why it happens: operators think in terms of individual vaults. How to avoid: use subscription scope in alerts. New vaults are automatically covered without needing to create new alerts.
Error: not testing alerts after configuration Why it happens: assumes configuration is correct without verification. How to avoid: after configuring an alert and Action Group, use the "Test action group" button in the portal to verify recipients receive the notification correctly.
11. Operation and Maintenanceβ
Recommended daily checkβ
In Backup Center, access daily:
- Backup Jobs > filter by "Failed" and "Completed with warnings" in last 24h
- Backup Alerts > check active unacknowledged alerts
- Backup Instances > check items with status other than "Protection configured"
Interpreting backup alertsβ
Most common alerts and how to interpret them:
| Alert | Most common cause | First action |
|---|---|---|
| Backup job failed | VM extension outdated or VM inaccessible | Check VM status and VMSnapshot extension |
| Backup completed with warning | File open during snapshot (VSS warning) | Assess if critical file was in use; usually no action required |
| RPO breach | ASR replication with problem | Check connectivity and replicated item health |
| Soft delete disabled | Security configuration changed | Investigate who disabled and why; re-enable |
| Vault storage capacity high | Storage usage approaching limit | Review retention policies; check accumulated snapshots |
Log Analytics limits relevant to backupβ
| Limit | Value |
|---|---|
| Free daily ingestion volume | 5 GB (per workspace in Pay-As-You-Go plan) |
| Default retention without additional cost | 30 days |
| Maximum retention with cost | 730 days interactive + 7 years in archive |
| Backup log ingestion latency | 15 to 30 minutes after event |
The 15 to 30-minute latency is important: log-based alerts have this intrinsic latency. For critical job failure alerts, combining metrics alerts (faster) with log alerts (more detailed) offers the best of both worlds.
12. Integration and Automationβ
Azure Policy to ensure Diagnostic Settings on all vaultsβ
Use Azure Policy to audit and automatically remediate vaults without Diagnostic Settings:
The relevant built-in policy is: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.
# Assign automatic diagnostic policy
az policy assignment create \
--name "enforce-backup-diagnostics" \
--policy "/providers/Microsoft.Authorization/policyDefinitions/{policyId}" \
--scope "/subscriptions/{sub}" \
--params '{
"logAnalytics": {"value": "/subscriptions/{sub}/resourceGroups/rg-monitoring/providers/microsoft.operationalinsights/workspaces/law-backup"},
"effect": {"value": "DeployIfNotExists"}
}'
Automated email reports via Logic Appsβ
To send weekly email reports with backup summary:
Integration with Microsoft Sentinelβ
For environments with advanced security requirements, Azure Backup logs can be integrated with Microsoft Sentinel to:
- Detect suspicious patterns (e.g., many restores in short period)
- Correlate backup events with other security events
- Create automated response playbooks for backup-related incidents
13. Final Summaryβ
What they are: reports and alerts are the observability layer of Azure Backup, composed of two complementary systems: Azure Monitor alerts (proactive problem detection) and Backup Reports via Log Analytics (historical and strategic visibility).
Essential points:
- There are two alert systems: Legacy Alerts (old, being discontinued) and Azure Monitor Alerts (current, recommended)
- Diagnostic Settings on the vault are mandatory prerequisite for Backup Reports; historical data is not retroactive
- Use
CoreAzureBackupandAddon*categories, not the legacyAzureBackupReport - Action Groups define how notifications are sent (email, SMS, Teams, ITSM, webhook)
- Backup Reports are interactive Azure Monitor Workbooks, not static reports
- KQL queries in Log Analytics enable custom reports and alerts
Critical differences:
| Aspect | Legacy Alerts | Azure Monitor Alerts |
|---|---|---|
| Configurability | Non-configurable | Fully configurable |
| Action Group integration | Limited | Complete |
| Scope | Per vault | Per vault, RG, or subscription |
| Status | Being discontinued | Current recommended |
| ITSM integration | No | Yes |
What needs to be remembered for AZ-104:
- Configure Diagnostic Settings immediately after creating the vault; there's no retroactivity of data
- Use
CoreAzureBackup+Addon*categories for Backup Reports; avoidAzureBackupReport(legacy) - Azure Monitor Alerts are the recommended system; Legacy Alerts are being discontinued
- Action Groups can notify via email, SMS, Teams, webhook, ITSM, and Runbooks
- Backup Reports are accessed via Backup Center and require configured Log Analytics
- Alerts with subscription scope automatically cover all present and future vaults
- Log Analytics has 15 to 30-minute latency for backup log ingestion