Threat Detection in Azure Backup with Microsoft Defender (MDC) for Cloud Integration (Preview)


💥Introduction

Ransomware has changed the way organizations think about data protection. It’s no longer enough to simply have backups; you must be confident that your restore points are clean, uncompromised, and safe to recover from. Attackers increasingly target backup data, encrypting it or silently infecting VMs long before an attack is executed. Restoring from a compromised recovery point can quickly turn a disaster recovery attempt into an even bigger crisis.

To address this growing challenge, Microsoft has introduced Threat Detection for Azure Backup, integrated with Microsoft Defender for Cloud (MDC) and currently available in public preview. This feature enhances Azure Backup by using Defender’s advanced threat intelligence to scan and validate restore points, so organizations can quickly identify safe backups during or after a security incident.

In this blog, we explore what this capability does, how it works behind the scenes, how to configure it, and why it matters for your cloud security posture.


💥Why Threat Detection in Backups Is Critical

Modern attacks often progress through multiple stages, and compromise can occur gradually. If a workload shows signs of malware or suspicious behavior, those conditions may also be reflected in its backup restore points. Without security insights, backup administrators might not know which restore points were created during a potentially unsafe period. This leads to two major risks:

  1. Restoring malware back into production environments
  2. Losing clean restore points because compromised ones were retained

Azure’s new threat detection capability addresses this by evaluating each restore point’s "threat health," identifying suspicious snapshots, and guiding administrators to safer restore options.

💥What Is Threat Detection in Azure Backup?

Threat Detection for Azure Backup introduces a security layer that analyzes VM backup restore points using Microsoft Defender for Servers. Instead of looking only at the backup itself, the system correlates:

  • Malware scan results
  • Behavioral alerts
  • Ransomware indicators
  • Defender for Cloud security signals
  • VM security incidents

The result is a restore point health status, highlighting whether a backup is:

  • Clean / Safe to restore
  • Suspicious due to detected threats
  • Unknown / Not applicable if insufficient data exists

This intelligence significantly reduces the risk of restoring compromised machines.


💥How the Integration Works (Architecture Overview)



The capability relies on a cooperative workflow between Azure Backup and Microsoft Defender for Cloud:

1. Defender for Servers performs threat scanning

Your Azure VM (or hybrid server via Azure Arc) is continuously monitored by Defender for Servers. It performs:

  • Malware scanning
  • Ransomware behavior detection
  • Advanced threat analytics

2. Azure Backup captures a restore point

During each backup job, Azure Backup collects metadata related to the VM’s security state.

3. Backup service queries Defender insights

Azure Backup integrates directly with MDC to retrieve threat signals from the VM at the time of backup.

4. Restore point health is evaluated

Each restore point is assigned a health status:

  • No Threats Reported
  • Suspicious Restore Points Found
  • Unknown / Not Applicable

5. Backup Administrator gets visibility

The Azure portal displays both:

  • Configuration Status (is threat detection enabled?)
  • Threat Summary (are any restore points suspicious?)

This gives immediate clarity on whether backups are safe to use after an incident.


💥Configuring Threat Detection in Azure Backup

Prerequisites

To enable the feature:

  • You must have Microsoft Defender for Servers (Plan 1 or Plan 2) enabled on the VM or Arc server.
  • The feature must be enabled from:
    • Azure Backup (Recovery Services Vault)
      or
    • Azure Business Continuity Center

Steps to Enable (Option 1)

  • Navigate to your Azure Business Continuity Center.



  • Go to Backup Instances and select the VM.
  • Under Threat Detection, choose Enable.

  • Approve integration with Defender for Cloud.
  • Once configured, you will see:
    • Configuration Status
    • Threat Detection Summary


Steps to enable (Option 2)

  • Go to the Recovery Services vault.
  • Select the VM backups requiring threat detection, and then select Properties.


  • On the Properties pane, under Security Settings > Threat detection (Preview), select Update.
  • On the Threat Detection (Preview) pane, turn on Enable source-scan integration, accept the terms by selecting the checkbox, and select Update.

💥Understanding the Status Indicators

Azure Backup surfaces two levels of threat information:

Configuration Status

  • Configured – Feature enabled and integrated with Defender
  • Not Configured – Administrator has not enabled the feature
  • Configuration Failed – Integration error or plan not active
  • Not Applicable – Defender plan does not support threat feeds

Summary Status

This reflects the health of restore points:

  • No Threats Reported – Backups appear clean
  • Suspicious Restore Points Found – At least one restore point flagged
  • Unknown – No recent Defender scan data
  • Not Applicable – Backup type or region not supported

These indicators guide admins in selecting safe restore points during DR operations.


💥Monitoring & Alerting

Alerts from Defender for Cloud

If malware or ransomware behavior is detected, Defender for Cloud raises alerts that can be:

  • Investigated in the Azure Portal
  • Exported to Microsoft Sentinel
  • Forwarded to external SIEM systems
  • Used to trigger automated playbooks

Using Automation / Logic Apps

Organizations can automate containment by:

  • Pausing backup pruning
  • Locking the vault temporarily
  • Notifying Backup and Security teams
  • Preserving snapshots for investigation

This ensures you don’t lose critical evidence or safe restore points.
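As an added illustration (not code from this post or from Azure Backup itself), the following Python models how the summary statuses described above and the containment actions listed here could be combined in a triage script. The restore points, Defender alert and telemetry horizon are constructed sample data, and the Suspicious/Unknown rules, including the 24-hour dwell allowance, are assumptions rather than Azure's internal logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Summary status values as the post lists them for the Azure portal.
NO_THREATS = "No Threats Reported"
SUSPICIOUS = "Suspicious Restore Points Found"
UNKNOWN = "Unknown"
TELEMETRY_LAG = timedelta(hours=48)  # preview caveat: updates may lag 48 h
DWELL_WINDOW = timedelta(hours=24)   # assumption: alert soon after snapshot taints it

@dataclass(frozen=True)
class RestorePoint:
    rp_id: str
    created: datetime

@dataclass(frozen=True)
class DefenderAlert:
    alert_id: str
    detected: datetime  # when Defender for Servers first raised the alert

def restore_point_health(rp, alerts, telemetry_until, dwell=DWELL_WINDOW):
    """Hypothetical model, not Azure's internal logic: Suspicious if an alert
    fired at or before created + dwell, Unknown if scan telemetry has not yet
    covered the 48-hour lag after the snapshot, else No Threats Reported."""
    if any(a.detected <= rp.created + dwell for a in alerts):
        return SUSPICIOUS
    if telemetry_until < rp.created + TELEMETRY_LAG:
        return UNKNOWN
    return NO_THREATS

def triage(points, alerts, telemetry_until):
    """Per-point health plus the containment actions the post lists:
    preserve flagged snapshots, lock the vault, pick the newest clean point."""
    health = {rp.rp_id: restore_point_health(rp, alerts, telemetry_until)
              for rp in points}
    clean = [rp for rp in points if health[rp.rp_id] == NO_THREATS]
    newest = max(clean, key=lambda rp: rp.created, default=None)
    return {
        "health": health,
        "preserve": sorted(k for k, v in health.items() if v == SUSPICIOUS),
        "restore_candidate": newest.rp_id if newest else None,
        "lock_vault": SUSPICIOUS in health.values(),
    }

# Constructed sample: daily restore points and one Defender alert on day 2.
T0 = datetime(2025, 1, 10, 2, 0, tzinfo=timezone.utc)
POINTS = [RestorePoint(f"rp-{i}", T0 + timedelta(days=i)) for i in range(5)]
ALERTS = [DefenderAlert("alert-1", T0 + timedelta(days=2, hours=3))]
TELEMETRY_UNTIL = T0 + timedelta(days=4, hours=20)  # latest scan data seen
PLAN = triage(POINTS, ALERTS, TELEMETRY_UNTIL)  # restore candidate: rp-1
```

The point taken three hours before the alert is flagged by the dwell allowance, which is why the plan falls back to the previous day's snapshot rather than the most recent one.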

💥Limitations (Preview stage)

As the feature is in preview, be aware of:

  • Region availability is limited
  • Up to 48-hour delay in some threat updates
  • Aggregated scan status for VMs backed up to multiple vaults
  • Dependency on Defender for Servers licensing
  • Possible “Unknown” status if scan telemetry hasn’t been generated

These constraints are expected to improve as Microsoft moves toward general availability.


💥Best Practices

To fully benefit from threat detection:

✔ Enable Defender for Servers on all protected VMs

✔ Validate “suspicious” restore points manually

✔ Integrate alerts with Microsoft Sentinel for correlation

✔ Use automation to preserve restore points during incidents

✔ Train both Security and Backup teams on the new workflow

This enhances resilience against ransomware and strengthens your overall recovery strategy.


💥Conclusion

Backup data represents the last line of defense in a cyberattack, but only if the restore points themselves are uncompromised. Azure Backup’s Threat Detection feature, powered by Microsoft Defender for Cloud, adds a crucial layer of intelligence by evaluating backup health through real-time security insights. With ransomware attacks accelerating globally, this integration offers organizations a decisive advantage: the ability to identify safe recovery points quickly and restore confidently, even under active threat. Although currently in preview, the feature already delivers meaningful benefits, and its adoption will become an essential component of cloud-based backup strategies. If you’re using Azure Backup, now is the time to start enabling and testing Threat Detection; your future incident response efforts may depend on it.
