Bicep resource definition
The vaults resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2025-02-01' = {
  scope: resourceSymbolicName or scope
  etag: 'string'
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    encryption: {
      infrastructureEncryption: 'string'
      kekIdentity: {
        userAssignedIdentity: 'string'
        useSystemAssignedIdentity: bool
      }
      keyVaultProperties: {
        keyUri: 'string'
      }
    }
    monitoringSettings: {
      azureMonitorAlertSettings: {
        alertsForAllFailoverIssues: 'string'
        alertsForAllJobFailures: 'string'
        alertsForAllReplicationIssues: 'string'
      }
      classicAlertSettings: {
        alertsForCriticalOperations: 'string'
        emailNotificationsForSiteRecovery: 'string'
      }
    }
    moveDetails: {}
    publicNetworkAccess: 'string'
    redundancySettings: {
      crossRegionRestore: 'string'
      standardTierStorageRedundancy: 'string'
    }
    resourceGuardOperationRequests: [
      'string'
    ]
    restoreSettings: {
      crossSubscriptionRestoreSettings: {
        crossSubscriptionRestoreState: 'string'
      }
    }
    securitySettings: {
      immutabilitySettings: {
        state: 'string'
      }
      softDeleteSettings: {
        enhancedSecurityState: 'string'
        softDeleteRetentionPeriodInDays: int
        softDeleteState: 'string'
      }
      sourceScanConfiguration: {
        sourceScanIdentity: {
          operationIdentityType: 'string'
          userAssignedIdentity: 'string'
        }
        state: 'string'
      }
    }
    upgradeDetails: {}
  }
  sku: {
    capacity: 'string'
    family: 'string'
    name: 'string'
    size: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.RecoveryServices/vaults
| Name | Description | Value | 
|---|---|---|
| etag | etag for the resource. | string | 
| identity | Identity for the resource. | IdentityData | 
| location | The geo-location where the resource lives | string (required) | 
| name | The resource name | string (required) | 
| properties | Properties of the vault. | VaultProperties | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| sku | Identifies the unique system identifier for each Azure resource. | Sku | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
AssociatedIdentity
| Name | Description | Value | 
|---|---|---|
| operationIdentityType | Identity type that should be used for an operation. | 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentity | User assigned identity to be used for an operation if operationIdentityType is UserAssigned. | string | 
AzureMonitorAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForAllFailoverIssues | | 'Disabled' 'Enabled' |
| alertsForAllJobFailures | | 'Disabled' 'Enabled' |
| alertsForAllReplicationIssues | | 'Disabled' 'Enabled' |
ClassicAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForCriticalOperations | | 'Disabled' 'Enabled' |
| emailNotificationsForSiteRecovery | | 'Disabled' 'Enabled' |
CmkKekIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string | 
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool | 
CmkKeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string | 
CrossSubscriptionRestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreState | | 'Disabled' 'Enabled' 'PermanentlyDisabled' |
IdentityData
| Name | Description | Value | 
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityDataUserAssignedIdentities | 
IdentityDataUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ImmutabilitySettings
| Name | Description | Value | 
|---|---|---|
| state | | 'Disabled' 'Locked' 'Unlocked' |
MonitoringSettings
| Name | Description | Value | 
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings | 
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings | 
RestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreSettings | Settings for CrossSubscriptionRestore | CrossSubscriptionRestoreSettings | 
SecuritySettings
| Name | Description | Value | 
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings | 
| softDeleteSettings | Soft delete Settings of a vault | SoftDeleteSettings | 
| sourceScanConfiguration | Source scan configuration of vault | SourceScanConfiguration | 
Sku
| Name | Description | Value | 
|---|---|---|
| capacity | The sku capacity | string | 
| family | The sku family | string | 
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have an effect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | 'RS0' 'Standard' (required) |
| size | The sku size | string | 
| tier | The Sku tier. | string | 
SoftDeleteSettings
| Name | Description | Value | 
|---|---|---|
| enhancedSecurityState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
| softDeleteRetentionPeriodInDays | Soft delete retention period in days | int |
| softDeleteState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
SourceScanConfiguration
| Name | Description | Value | 
|---|---|---|
| sourceScanIdentity | Identity details to be used for an operation | AssociatedIdentity | 
| state | | 'Disabled' 'Enabled' 'Invalid' |
TrackedResourceTags
| Name | Description | Value | 
|---|---|---|
UpgradeDetails
| Name | Description | Value | 
|---|---|---|
UserIdentity
| Name | Description | Value | 
|---|---|---|
VaultProperties
| Name | Description | Value | 
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption | 
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings | 
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails | 
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | 'Disabled' 'Enabled' | 
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings | 
| resourceGuardOperationRequests | ResourceGuardOperationRequests on which LAC check will be performed | string[] | 
| restoreSettings | Restore Settings of the vault | RestoreSettings | 
| securitySettings | Security Settings of the vault | SecuritySettings | 
| upgradeDetails | Details for upgrading vault. | UpgradeDetails | 
VaultPropertiesEncryption
| Name | Description | Value | 
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | 'Disabled' 'Enabled' | 
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity | 
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties | 
VaultPropertiesMoveDetails
| Name | Description | Value | 
|---|---|---|
VaultPropertiesRedundancySettings
| Name | Description | Value | 
|---|---|---|
| crossRegionRestore | Flag to show if Cross Region Restore is enabled on the Vault or not | 'Disabled' 'Enabled' | 
| standardTierStorageRedundancy | The storage redundancy setting of a vault | 'GeoRedundant' 'Invalid' 'LocallyRedundant' 'ZoneRedundant' | 
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Recovery Services Vault | AVM Resource Module for Recovery Services Vault | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| Azure Backup for Workload in Azure Virtual Machines | This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection | 
| Backup existing File Share using Recovery Services (Daily) | This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. | 
| Backup existing File Share using Recovery Services (hourly) | This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. | 
| Backup Resource Manager VMs using Recovery Services vault | This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group | 
| Create a Recovery Services vault with advanced options | This template creates a Recovery Services vault that will be used further for Backup and Site Recovery. | 
| Create AVD with FSLogix and AD DS Join | This template allows you to create Azure Virtual Desktop resources such as host pool, application group, workspace, FSLogix storage account, file share, recovery service vault for file share backup, a test session host, its extensions with Microsoft Entra ID join or Active Directory domain join. |
| Create Azure VM Replication and Disaster Recovery | This template allows you to create Azure Virtual machine site replication disaster recovery. | 
| Create Daily Backup Policy for RS Vault to protect IaaSVMs | This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. | 
| Create Recovery Services Vault and Enable Diagnostics | This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace. | 
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore, diagnostics logs and a delete lock. |
| Create Recovery Services Vault with default options | Simple template that creates a Recovery Services Vault. | 
| Create Weekly Backup Policy for RS Vault to protect IaaSVMs | This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. | 
| Deploy a Windows VM and enable backup using Azure Backup | This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. | 
ARM template resource definition
The vaults resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following JSON to your template.
{
  "type": "Microsoft.RecoveryServices/vaults",
  "apiVersion": "2025-02-01",
  "name": "string",
  "etag": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "encryption": {
      "infrastructureEncryption": "string",
      "kekIdentity": {
        "userAssignedIdentity": "string",
        "useSystemAssignedIdentity": "bool"
      },
      "keyVaultProperties": {
        "keyUri": "string"
      }
    },
    "monitoringSettings": {
      "azureMonitorAlertSettings": {
        "alertsForAllFailoverIssues": "string",
        "alertsForAllJobFailures": "string",
        "alertsForAllReplicationIssues": "string"
      },
      "classicAlertSettings": {
        "alertsForCriticalOperations": "string",
        "emailNotificationsForSiteRecovery": "string"
      }
    },
    "moveDetails": {
    },
    "publicNetworkAccess": "string",
    "redundancySettings": {
      "crossRegionRestore": "string",
      "standardTierStorageRedundancy": "string"
    },
    "resourceGuardOperationRequests": [ "string" ],
    "restoreSettings": {
      "crossSubscriptionRestoreSettings": {
        "crossSubscriptionRestoreState": "string"
      }
    },
    "securitySettings": {
      "immutabilitySettings": {
        "state": "string"
      },
      "softDeleteSettings": {
        "enhancedSecurityState": "string",
        "softDeleteRetentionPeriodInDays": "int",
        "softDeleteState": "string"
      },
      "sourceScanConfiguration": {
        "sourceScanIdentity": {
          "operationIdentityType": "string",
          "userAssignedIdentity": "string"
        },
        "state": "string"
      }
    },
    "upgradeDetails": {
    }
  },
  "sku": {
    "capacity": "string",
    "family": "string",
    "name": "string",
    "size": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.RecoveryServices/vaults
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2025-02-01' | 
| etag | etag for the resource. | string | 
| identity | Identity for the resource. | IdentityData | 
| location | The geo-location where the resource lives | string (required) | 
| name | The resource name | string (required) | 
| properties | Properties of the vault. | VaultProperties | 
| sku | Identifies the unique system identifier for each Azure resource. | Sku | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.RecoveryServices/vaults' | 
AssociatedIdentity
| Name | Description | Value | 
|---|---|---|
| operationIdentityType | Identity type that should be used for an operation. | 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentity | User assigned identity to be used for an operation if operationIdentityType is UserAssigned. | string | 
AzureMonitorAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForAllFailoverIssues | | 'Disabled' 'Enabled' |
| alertsForAllJobFailures | | 'Disabled' 'Enabled' |
| alertsForAllReplicationIssues | | 'Disabled' 'Enabled' |
ClassicAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForCriticalOperations | | 'Disabled' 'Enabled' |
| emailNotificationsForSiteRecovery | | 'Disabled' 'Enabled' |
CmkKekIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string | 
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool | 
CmkKeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string | 
CrossSubscriptionRestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreState | | 'Disabled' 'Enabled' 'PermanentlyDisabled' |
IdentityData
| Name | Description | Value | 
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityDataUserAssignedIdentities | 
IdentityDataUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ImmutabilitySettings
| Name | Description | Value | 
|---|---|---|
| state | | 'Disabled' 'Locked' 'Unlocked' |
MonitoringSettings
| Name | Description | Value | 
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings | 
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings | 
RestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreSettings | Settings for CrossSubscriptionRestore | CrossSubscriptionRestoreSettings | 
SecuritySettings
| Name | Description | Value | 
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings | 
| softDeleteSettings | Soft delete Settings of a vault | SoftDeleteSettings | 
| sourceScanConfiguration | Source scan configuration of vault | SourceScanConfiguration | 
Sku
| Name | Description | Value | 
|---|---|---|
| capacity | The sku capacity | string | 
| family | The sku family | string | 
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have an effect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | 'RS0' 'Standard' (required) |
| size | The sku size | string | 
| tier | The Sku tier. | string | 
SoftDeleteSettings
| Name | Description | Value | 
|---|---|---|
| enhancedSecurityState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
| softDeleteRetentionPeriodInDays | Soft delete retention period in days | int |
| softDeleteState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
SourceScanConfiguration
| Name | Description | Value | 
|---|---|---|
| sourceScanIdentity | Identity details to be used for an operation | AssociatedIdentity | 
| state | | 'Disabled' 'Enabled' 'Invalid' |
TrackedResourceTags
| Name | Description | Value | 
|---|---|---|
UpgradeDetails
| Name | Description | Value | 
|---|---|---|
UserIdentity
| Name | Description | Value | 
|---|---|---|
VaultProperties
| Name | Description | Value | 
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption | 
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings | 
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails | 
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | 'Disabled' 'Enabled' | 
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings | 
| resourceGuardOperationRequests | ResourceGuardOperationRequests on which LAC check will be performed | string[] | 
| restoreSettings | Restore Settings of the vault | RestoreSettings | 
| securitySettings | Security Settings of the vault | SecuritySettings | 
| upgradeDetails | Details for upgrading vault. | UpgradeDetails | 
VaultPropertiesEncryption
| Name | Description | Value | 
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | 'Disabled' 'Enabled' | 
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity | 
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties | 
VaultPropertiesMoveDetails
| Name | Description | Value | 
|---|---|---|
VaultPropertiesRedundancySettings
| Name | Description | Value | 
|---|---|---|
| crossRegionRestore | Flag to show if Cross Region Restore is enabled on the Vault or not | 'Disabled' 'Enabled' | 
| standardTierStorageRedundancy | The storage redundancy setting of a vault | 'GeoRedundant' 'Invalid' 'LocallyRedundant' 'ZoneRedundant' | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| Azure Backup for Workload in Azure Virtual Machines | This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection | 
| Backup existing File Share using Recovery Services (Daily) | This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. | 
| Backup existing File Share using Recovery Services (hourly) | This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. | 
| Backup Resource Manager VMs using Recovery Services vault | This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group | 
| Create a Recovery Services vault with advanced options | This template creates a Recovery Services vault that will be used further for Backup and Site Recovery. | 
| Create AVD with FSLogix and AD DS Join | This template allows you to create Azure Virtual Desktop resources such as host pool, application group, workspace, FSLogix storage account, file share, recovery service vault for file share backup, a test session host, its extensions with Microsoft Entra ID join or Active Directory domain join. |
| Create Azure VM Replication and Disaster Recovery | This template allows you to create Azure Virtual machine site replication disaster recovery. | 
| Create Daily Backup Policy for RS Vault to protect IaaSVMs | This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. | 
| Create Recovery Services Vault and Enable Diagnostics | This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace. | 
| Create Recovery Services Vault with backup policies | This template creates a Recovery Services Vault with backup policies and configures optional features such as system identity, backup storage type, cross region restore, diagnostics logs and a delete lock. |
| Create Recovery Services Vault with default options | Simple template that creates a Recovery Services Vault. | 
| Create Weekly Backup Policy for RS Vault to protect IaaSVMs | This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. | 
| Deploy a Windows VM and enable backup using Azure Backup | This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. | 
| IBM Cloud Pak for Data on Azure | This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. | 
| Openshift Container Platform 4.3 | Openshift Container Platform 4.3 | 
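A static check over the ARM template format documented above, as an added example that is not part of the original page or of any Microsoft tooling: it reads a template and reports vaults whose `publicNetworkAccess`, `immutabilitySettings.state`, `softDeleteSettings.softDeleteState` and `kekIdentity` fields fall short of a baseline. The baseline itself, the function names and the sample template are assumptions made for this example; the enum values are the ones listed in the property tables.

```python
import json

VAULT_TYPE = "microsoft.recoveryservices/vaults"  # compared case-insensitively

# Assumed hardening baseline (a policy choice, not something the page mandates).
# Each rule is (path under "properties", set of accepted values).
ENUM_RULES = [
    ("publicNetworkAccess", {"Disabled"}),
    ("securitySettings.immutabilitySettings.state", {"Unlocked", "Locked"}),
    ("securitySettings.softDeleteSettings.softDeleteState", {"Enabled", "AlwaysON"}),
]

# Constructed sample template; names, IDs and the key URI are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2025-02-01",
   "name": "vault-weak", "location": "westeurope",
   "identity": {"type": "None"}, "sku": {"name": "Standard"},
   "properties": {
     "publicNetworkAccess": "Enabled",
     "encryption": {
       "kekIdentity": {
         "useSystemAssignedIdentity": true,
         "userAssignedIdentity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-example"},
       "keyVaultProperties": {"keyUri": "https://kv-example.vault.azure.net/keys/backup-kek"}},
     "securitySettings": {"softDeleteSettings": {"softDeleteState": "Disabled"}}}},
  {"type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2025-02-01",
   "name": "vault-hardened", "location": "westeurope",
   "identity": {"type": "SystemAssigned"}, "sku": {"name": "Standard"},
   "properties": {
     "publicNetworkAccess": "Disabled",
     "encryption": {
       "kekIdentity": {"useSystemAssignedIdentity": true},
       "keyVaultProperties": {"keyUri": "https://kv-example.vault.azure.net/keys/backup-kek"}},
     "securitySettings": {
       "immutabilitySettings": {"state": "Unlocked"},
       "softDeleteSettings": {"softDeleteState": "Enabled"}}}},
  {"type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2025-02-01",
   "name": "vault-param", "location": "westeurope", "sku": {"name": "Standard"},
   "properties": {
     "publicNetworkAccess": "[parameters('publicAccess')]",
     "securitySettings": {
       "immutabilitySettings": {"state": "Locked"},
       "softDeleteSettings": {"softDeleteState": "AlwaysON"}}}},
  {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
   "name": "stexample", "location": "westeurope"}
]}
""")


def _lookup(obj, dotted):
    """Walk nested dicts along a dotted path; None when a segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _is_expression(value):
    """ARM template expressions are strings wrapped in square brackets."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def audit_vault(resource):
    """Return a list of findings for one vault resource."""
    findings = []
    props = resource.get("properties") or {}
    for path, accepted in ENUM_RULES:
        value = _lookup(props, path)
        if _is_expression(value):
            # The value is decided at deployment time; a static check cannot judge it.
            findings.append(f"{path}: template expression {value}, resolve before judging")
        elif not isinstance(value, str) or value not in accepted:
            findings.append(f"{path}: {value!r}, expected one of {sorted(accepted)}")

    kek = _lookup(props, "encryption.kekIdentity") or {}
    use_system = kek.get("useSystemAssignedIdentity") is True
    user_id = kek.get("userAssignedIdentity")
    if use_system and user_id:
        # The CmkKekIdentity table states these two fields are mutually exclusive.
        findings.append("encryption.kekIdentity: both identity fields are set")
    identity_type = _lookup(resource, "identity.type")
    if not isinstance(identity_type, str):
        identity_type = "None"
    # Assumed consistency checks: the CMK identity must exist on the vault.
    if use_system and "SystemAssigned" not in identity_type:
        findings.append("encryption.kekIdentity: system identity requested but identity.type lacks it")
    if user_id and "UserAssigned" not in identity_type:
        findings.append("encryption.kekIdentity: user identity requested but identity.type lacks it")
    return findings


def audit_template(template):
    """Map vault name -> findings for every vault resource in the template."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object here
        resources = list(resources.values())
    return {
        r.get("name", "<unnamed>"): audit_vault(r)
        for r in resources
        if isinstance(r, dict) and str(r.get("type", "")).lower() == VAULT_TYPE
    }


if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not findings else findings)
```
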
Terraform (AzAPI provider) resource definition
The vaults resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.RecoveryServices/vaults@2025-02-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    etag = "string"
    properties = {
      encryption = {
        infrastructureEncryption = "string"
        kekIdentity = {
          userAssignedIdentity = "string"
          useSystemAssignedIdentity = bool
        }
        keyVaultProperties = {
          keyUri = "string"
        }
      }
      monitoringSettings = {
        azureMonitorAlertSettings = {
          alertsForAllFailoverIssues = "string"
          alertsForAllJobFailures = "string"
          alertsForAllReplicationIssues = "string"
        }
        classicAlertSettings = {
          alertsForCriticalOperations = "string"
          emailNotificationsForSiteRecovery = "string"
        }
      }
      moveDetails = {
      }
      publicNetworkAccess = "string"
      redundancySettings = {
        crossRegionRestore = "string"
        standardTierStorageRedundancy = "string"
      }
      resourceGuardOperationRequests = [
        "string"
      ]
      restoreSettings = {
        crossSubscriptionRestoreSettings = {
          crossSubscriptionRestoreState = "string"
        }
      }
      securitySettings = {
        immutabilitySettings = {
          state = "string"
        }
        softDeleteSettings = {
          enhancedSecurityState = "string"
          softDeleteRetentionPeriodInDays = int
          softDeleteState = "string"
        }
        sourceScanConfiguration = {
          sourceScanIdentity = {
            operationIdentityType = "string"
            userAssignedIdentity = "string"
          }
          state = "string"
        }
      }
      upgradeDetails = {
      }
    }
    sku = {
      capacity = "string"
      family = "string"
      name = "string"
      size = "string"
      tier = "string"
    }
  }
}
Property Values
Microsoft.RecoveryServices/vaults
| Name | Description | Value | 
|---|---|---|
| etag | etag for the resource. | string | 
| identity | Identity for the resource. | IdentityData | 
| location | The geo-location where the resource lives | string (required) | 
| name | The resource name | string (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | Properties of the vault. | VaultProperties | 
| sku | Identifies the unique system identifier for each Azure resource. | Sku | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.RecoveryServices/vaults@2025-02-01" | 
AssociatedIdentity
| Name | Description | Value | 
|---|---|---|
| operationIdentityType | Identity type that should be used for an operation. | 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentity | User assigned identity to be used for an operation if operationIdentityType is UserAssigned. | string | 
AzureMonitorAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForAllFailoverIssues | | 'Disabled' 'Enabled' |
| alertsForAllJobFailures | | 'Disabled' 'Enabled' |
| alertsForAllReplicationIssues | | 'Disabled' 'Enabled' |
ClassicAlertSettings
| Name | Description | Value | 
|---|---|---|
| alertsForCriticalOperations | | 'Disabled' 'Enabled' |
| emailNotificationsForSiteRecovery | | 'Disabled' 'Enabled' |
CmkKekIdentity
| Name | Description | Value | 
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string | 
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool | 
CmkKeyVaultProperties
| Name | Description | Value | 
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string | 
CrossSubscriptionRestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreState | | 'Disabled' 'Enabled' 'PermanentlyDisabled' |
IdentityData
| Name | Description | Value | 
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) | 
| userAssignedIdentities | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityDataUserAssignedIdentities | 
IdentityDataUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ImmutabilitySettings
| Name | Description | Value | 
|---|---|---|
| state | | 'Disabled' 'Locked' 'Unlocked' |
MonitoringSettings
| Name | Description | Value | 
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings | 
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings | 
RestoreSettings
| Name | Description | Value | 
|---|---|---|
| crossSubscriptionRestoreSettings | Settings for CrossSubscriptionRestore | CrossSubscriptionRestoreSettings | 
SecuritySettings
| Name | Description | Value | 
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings | 
| softDeleteSettings | Soft delete Settings of a vault | SoftDeleteSettings | 
| sourceScanConfiguration | Source scan configuration of vault | SourceScanConfiguration | 
Sku
| Name | Description | Value | 
|---|---|---|
| capacity | The sku capacity | string | 
| family | The sku family | string | 
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have an effect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | 'RS0' 'Standard' (required) |
| size | The sku size | string | 
| tier | The Sku tier. | string | 
SoftDeleteSettings
| Name | Description | Value | 
|---|---|---|
| enhancedSecurityState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
| softDeleteRetentionPeriodInDays | Soft delete retention period in days | int |
| softDeleteState | | 'AlwaysON' 'Disabled' 'Enabled' 'Invalid' |
SourceScanConfiguration
| Name | Description | Value | 
|---|---|---|
| sourceScanIdentity | Identity details to be used for an operation | AssociatedIdentity | 
| state | | 'Disabled' 'Enabled' 'Invalid' |
TrackedResourceTags
| Name | Description | Value | 
|---|---|---|
UpgradeDetails
| Name | Description | Value | 
|---|---|---|
UserIdentity
| Name | Description | Value | 
|---|---|---|
VaultProperties
| Name | Description | Value | 
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption | 
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings | 
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails | 
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | 'Disabled' 'Enabled' | 
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings | 
| resourceGuardOperationRequests | ResourceGuardOperationRequests on which LAC check will be performed | string[] | 
| restoreSettings | Restore Settings of the vault | RestoreSettings | 
| securitySettings | Security Settings of the vault | SecuritySettings | 
| upgradeDetails | Details for upgrading vault. | UpgradeDetails | 
VaultPropertiesEncryption
| Name | Description | Value | 
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | 'Disabled' 'Enabled' | 
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity | 
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties | 
VaultPropertiesMoveDetails
| Name | Description | Value | 
|---|---|---|
VaultPropertiesRedundancySettings
| Name | Description | Value | 
|---|---|---|
| crossRegionRestore | Flag to show if Cross Region Restore is enabled on the Vault or not | 'Disabled' 'Enabled' | 
| standardTierStorageRedundancy | The storage redundancy setting of a vault | 'GeoRedundant' 'Invalid' 'LocallyRedundant' 'ZoneRedundant' | 
Usage Examples
Terraform Samples
A basic example of deploying Recovery Services Vault.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "vault" {
  type      = "Microsoft.RecoveryServices/vaults@2022-10-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      publicNetworkAccess = "Enabled"
    }
    sku = {
      name = "Standard"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Recovery Services Vault | AVM Resource Module for Recovery Services Vault |