feat(azurebackup): Add security configure-mua command for Multi-User Authorization

Add azurebackup security configure-mua command that enables/disables
Multi-User Authorization (MUA) on Recovery Services vaults and Backup
vaults by linking/unlinking a Resource Guard.

- Enable MUA: provide --resource-guard-id to link a Resource Guard
- Disable MUA: omit --resource-guard-id to unlink (protected operation)
- Supports both RSV (VaultProxy) and DPP (DppResourceGuardProxy)
- Auto-detects vault type when --vault-type is omitted
- Proper error handling for 400/403/404/409 scenarios

Files: 16 changed, ~1200 lines added
Tests: 22 unit tests, 5 live tests (recorded + playback)
Validation: Cspell clean, ToolDescriptionEvaluator passed

Author: shrja-ms

servers/Azure.Mcp.Server/changelog-entries/1777562845809.yaml

@@ -0,0 +1,3 @@
+changes:
+  - section: "New Features"
+    description: "Added `azurebackup security configure-mua` command to enable/disable Multi-User Authorization (MUA) on Recovery Services vaults and Backup vaults by linking/unlinking a Resource Guard."

servers/Azure.Mcp.Server/docs/azmcp-commands.md

@@ -949,6 +949,19 @@ azmcp azurebackup disasterrecovery enable-crr --subscription <subscription> \
                                               [--vault-type <vault-type>]
 ```
 
+#### Security
+
+```bash
+# Configures Multi-User Authorization (MUA) on a vault by linking or unlinking a Resource Guard.
+# Provide --resource-guard-id to enable MUA. Omit to disable MUA (protected operation).
+# ✅ Destructive | ✅ Idempotent | ❌ OpenWorld | ❌ ReadOnly | ❌ Secret | ❌ LocalRequired
+azmcp azurebackup security configure-mua --subscription <subscription> \
+                                         --resource-group <resource-group> \
+                                         --vault <vault> \
+                                         [--vault-type <vault-type>] \
+                                         [--resource-guard-id <resource-guard-id>]
+```
+
 ### Azure CLI Operations
 
 #### Generate

servers/Azure.Mcp.Server/docs/e2eTestPrompts.md

@@ -158,6 +158,8 @@ This file contains prompts used for end-to-end testing to ensure each tool is in
 | azurebackup_protecteditem_undelete | Undelete the accidentally deleted backup for VM <datasource_id> in vault <vault_name> under resource group <resource_group> |
 | azurebackup_recoverypoint_get | Get recovery points for protected item <item_name> in vault <vault_name> and resource group <resource_group> |
 | azurebackup_recoverypoint_get | List available recovery points for <item_name> in vault <vault_name> under resource group <resource_group> |
+| azurebackup_security_configure-mua | Enable multi-user authorization on vault <vault_name> in resource group <resource_group> with resource guard <resource_guard_id> |
+| azurebackup_security_configure-mua | Disable MUA on vault <vault_name> in resource group <resource_group> |
 | azurebackup_vault_create | Create a Recovery Services vault named <vault_name> in resource group <resource_group> in region <location> with vault-type 'rsv' |
 | azurebackup_vault_create | Set up a new backup vault called <vault_name> in <location> under resource group <resource_group> with vault-type 'dpp' |
 | azurebackup_vault_get | Get details of Recovery Services vault <vault_name> in resource group <resource_group> |

servers/Azure.Mcp.Server/src/Resources/consolidated-tools.json

@@ -3805,7 +3805,8 @@
         "azurebackup_governance_immutability",
         "azurebackup_governance_soft-delete",
         "azurebackup_disasterrecovery_enable-crr",
-        "azurebackup_protecteditem_undelete"
+        "azurebackup_protecteditem_undelete",
+        "azurebackup_security_configure-mua"
       ]
     },
     {

tools/Azure.Mcp.Tools.AzureBackup/src/AzureBackupSetup.cs

@@ -9,6 +9,7 @@
 using Azure.Mcp.Tools.AzureBackup.Commands.ProtectableItem;
 using Azure.Mcp.Tools.AzureBackup.Commands.ProtectedItem;
 using Azure.Mcp.Tools.AzureBackup.Commands.RecoveryPoint;
+using Azure.Mcp.Tools.AzureBackup.Commands.Security;
 using Azure.Mcp.Tools.AzureBackup.Commands.Vault;
 using Azure.Mcp.Tools.AzureBackup.Services;
 using Microsoft.Extensions.DependencyInjection;
@@ -53,6 +54,8 @@ public void ConfigureServices(IServiceCollection services)
         services.AddSingleton<GovernanceSoftDeleteCommand>();
 
         services.AddSingleton<DisasterRecoveryEnableCrrCommand>();
+
+        services.AddSingleton<SecurityConfigureMuaCommand>();
     }
 
     public CommandGroup RegisterCommands(IServiceProvider serviceProvider)
@@ -109,6 +112,10 @@ and Backup vaults (DPP/Data Protection). Supports vault management, protected it
         azureBackup.AddSubGroup(disasterrecovery);
         disasterrecovery.AddCommand<DisasterRecoveryEnableCrrCommand>(serviceProvider);
 
+        var security = new CommandGroup("security", "Security operations - Configure Multi-User Authorization (MUA) for backup vaults.");
+        azureBackup.AddSubGroup(security);
+        security.AddCommand<SecurityConfigureMuaCommand>(serviceProvider);
+
         return azureBackup;
     }
 }

tools/Azure.Mcp.Tools.AzureBackup/src/Commands/AzureBackupJsonContext.cs

@@ -11,6 +11,7 @@
 using Azure.Mcp.Tools.AzureBackup.Commands.ProtectableItem;
 using Azure.Mcp.Tools.AzureBackup.Commands.ProtectedItem;
 using Azure.Mcp.Tools.AzureBackup.Commands.RecoveryPoint;
+using Azure.Mcp.Tools.AzureBackup.Commands.Security;
 using Azure.Mcp.Tools.AzureBackup.Commands.Vault;
 using Azure.Mcp.Tools.AzureBackup.Models;
 
@@ -32,6 +33,7 @@ namespace Azure.Mcp.Tools.AzureBackup.Commands;
 [JsonSerializable(typeof(GovernanceImmutabilityCommand.GovernanceImmutabilityCommandResult))]
 [JsonSerializable(typeof(GovernanceSoftDeleteCommand.GovernanceSoftDeleteCommandResult))]
 [JsonSerializable(typeof(DisasterRecoveryEnableCrrCommand.DisasterRecoveryEnableCrrCommandResult))]
+[JsonSerializable(typeof(SecurityConfigureMuaCommand.SecurityConfigureMuaCommandResult))]
 [JsonSerializable(typeof(BackupVaultInfo))]
 [JsonSerializable(typeof(ProtectedItemInfo))]
 [JsonSerializable(typeof(BackupPolicyInfo))]

tools/Azure.Mcp.Tools.AzureBackup/src/Commands/Security/SecurityConfigureMuaCommand.cs

@@ -0,0 +1,141 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Net;
+using Azure.Mcp.Tools.AzureBackup.Models;
+using Azure.Mcp.Tools.AzureBackup.Options;
+using Azure.Mcp.Tools.AzureBackup.Options.Security;
+using Azure.Mcp.Tools.AzureBackup.Services;
+using Microsoft.Extensions.Logging;
+using Microsoft.Mcp.Core.Commands;
+using Microsoft.Mcp.Core.Extensions;
+using Microsoft.Mcp.Core.Models.Command;
+
+namespace Azure.Mcp.Tools.AzureBackup.Commands.Security;
+
+[CommandMetadata(
+    Id = "c3a21f68-9b5e-4d1a-bf3c-7e2a0f8d4b19",
+    Name = "configure-mua",
+    Title = "Configure Multi-User Authorization",
+    Description = """
+        Configures Multi-User Authorization (MUA) on a vault by linking or unlinking a Resource Guard.
+        Provide --resource-guard-id to enable MUA, protecting critical operations (disable soft delete,
+        remove immutability, stop protection) so they require approval from a security admin with
+        permissions on the Resource Guard. Omit --resource-guard-id to disable MUA (this itself is a
+        protected operation requiring Backup MUA Operator role on the Resource Guard).
+        """,
+    Destructive = true,
+    Idempotent = true,
+    OpenWorld = false,
+    ReadOnly = false,
+    Secret = false,
+    LocalRequired = false)]
+public sealed class SecurityConfigureMuaCommand(ILogger<SecurityConfigureMuaCommand> logger, IAzureBackupService azureBackupService) : BaseAzureBackupCommand<SecurityConfigureMuaOptions>()
+{
+    private readonly ILogger<SecurityConfigureMuaCommand> _logger = logger;
+    private readonly IAzureBackupService _azureBackupService = azureBackupService;
+
+    protected override void RegisterOptions(Command command)
+    {
+        base.RegisterOptions(command);
+        command.Options.Add(AzureBackupOptionDefinitions.ResourceGuardId);
+        command.Validators.Add(commandResult =>
+        {
+            if (commandResult.HasOptionResult(AzureBackupOptionDefinitions.ResourceGuardId.Name))
+            {
+                var value = commandResult.GetValue<string>(AzureBackupOptionDefinitions.ResourceGuardId.Name);
+                if (!string.IsNullOrEmpty(value) &&
+                    !value.StartsWith("/subscriptions/", StringComparison.OrdinalIgnoreCase))
+                {
+                    commandResult.AddError("--resource-guard-id must be a valid ARM resource ID starting with '/subscriptions/'.");
+                }
+            }
+        });
+    }
+
+    protected override SecurityConfigureMuaOptions BindOptions(ParseResult parseResult)
+    {
+        var options = base.BindOptions(parseResult);
+        options.ResourceGuardId = parseResult.GetValueOrDefault<string>(AzureBackupOptionDefinitions.ResourceGuardId.Name);
+        return options;
+    }
+
+    public override async Task<CommandResponse> ExecuteAsync(CommandContext context, ParseResult parseResult, CancellationToken cancellationToken)
+    {
+        if (!Validate(parseResult.CommandResult, context.Response).IsValid)
+        {
+            return context.Response;
+        }
+
+        var options = BindOptions(parseResult);
+
+        AzureBackupTelemetryTags.AddVaultTags(context.Activity, options.VaultType);
+
+        try
+        {
+            OperationResult result;
+
+            if (!string.IsNullOrEmpty(options.ResourceGuardId))
+            {
+                result = await _azureBackupService.ConfigureMultiUserAuthorizationAsync(
+                    options.Vault!,
+                    options.ResourceGroup!,
+                    options.Subscription!,
+                    options.ResourceGuardId,
+                    options.VaultType,
+                    options.Tenant,
+                    options.RetryPolicy,
+                    cancellationToken);
+            }
+            else
+            {
+                result = await _azureBackupService.DisableMultiUserAuthorizationAsync(
+                    options.Vault!,
+                    options.ResourceGroup!,
+                    options.Subscription!,
+                    options.VaultType,
+                    options.Tenant,
+                    options.RetryPolicy,
+                    cancellationToken);
+            }
+
+            context.Response.Results = ResponseResult.Create(
+                new(result),
+                AzureBackupJsonContext.Default.SecurityConfigureMuaCommandResult);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Error configuring MUA. Vault: {Vault}, ResourceGuardId: {ResourceGuardId}",
+                options.Vault, options.ResourceGuardId);
+            HandleException(context, ex);
+        }
+
+        return context.Response;
+    }
+
+    protected override string GetErrorMessage(Exception ex) => ex switch
+    {
+        ArgumentException argEx => argEx.Message,
+        UnauthorizedAccessException => "Authorization failed. Verify your RBAC permissions on the vault, or specify --vault-type to skip auto-detection.",
+        RequestFailedException reqEx when reqEx.Status == (int)HttpStatusCode.NotFound =>
+            "Vault or Resource Guard not found, or MUA is not enabled for this vault. Verify the vault name, resource group, and Resource Guard ID. If you are disabling MUA, ensure MUA is currently configured.",
+        RequestFailedException reqEx when reqEx.Status == (int)HttpStatusCode.BadRequest =>
+            $"Bad request configuring MUA. Ensure the Resource Guard is in the same region as the vault. Details: {reqEx.Message}",
+        RequestFailedException reqEx when reqEx.Status == (int)HttpStatusCode.Forbidden =>
+            $"Authorization failed. To enable MUA, you need Reader role on the Resource Guard. To disable MUA, you need Backup MUA Operator role on the Resource Guard. Details: {reqEx.Message}",
+        RequestFailedException reqEx when reqEx.Status == (int)HttpStatusCode.Conflict =>
+            "MUA configuration conflict. The vault may already have a Resource Guard linked, or the operation is blocked by the current MUA configuration.",
+        RequestFailedException reqEx => reqEx.Message,
+        _ => base.GetErrorMessage(ex)
+    };
+
+    protected override HttpStatusCode GetStatusCode(Exception ex) => ex switch
+    {
+        UnauthorizedAccessException => HttpStatusCode.Forbidden,
+        ArgumentException or FormatException => HttpStatusCode.BadRequest,
+        RequestFailedException reqEx => (HttpStatusCode)reqEx.Status,
+        _ => base.GetStatusCode(ex)
+    };
+
+    internal record SecurityConfigureMuaCommandResult(OperationResult Result);
+}

tools/Azure.Mcp.Tools.AzureBackup/src/Options/AzureBackupOptionDefinitions.cs

@@ -29,6 +29,7 @@ public static class AzureBackupOptionDefinitions
     public const string VmResourceIdName = "vm-resource-id";
     public const string ResourceTypeFilterName = "resource-type-filter";
     public const string TagFilterName = "tag-filter";
+    public const string ResourceGuardIdName = "resource-guard-id";
 
     public static readonly Option<string> Vault = new($"--{VaultName}")
     {
@@ -173,4 +174,10 @@ public static class AzureBackupOptionDefinitions
         Description = "Tag-based filter in key=value format (e.g., 'environment=production').",
         Required = false
     };
+
+    public static readonly Option<string> ResourceGuardId = new($"--{ResourceGuardIdName}")
+    {
+        Description = "ARM resource ID of the Resource Guard to link for Multi-User Authorization (e.g., '/subscriptions/.../resourceGroups/.../providers/Microsoft.DataProtection/resourceGuards/myGuard').",
+        Required = false
+    };
 }

tools/Azure.Mcp.Tools.AzureBackup/src/Options/Security/SecurityConfigureMuaOptions.cs

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace Azure.Mcp.Tools.AzureBackup.Options.Security;
+
+public class SecurityConfigureMuaOptions : BaseAzureBackupOptions
+{
+    [JsonPropertyName(AzureBackupOptionDefinitions.ResourceGuardIdName)]
+    public string? ResourceGuardId { get; set; }
+}

tools/Azure.Mcp.Tools.AzureBackup/src/Services/AzureBackupService.cs

@@ -645,6 +645,29 @@ public async Task<OperationResult> ConfigureCrossRegionRestoreAsync(
         return await dppOps.ConfigureCrossRegionRestoreAsync(vaultName, resourceGroup, subscription, tenant, retryPolicy, cancellationToken);
     }
 
+    public async Task<OperationResult> ConfigureMultiUserAuthorizationAsync(
+        string vaultName, string resourceGroup, string subscription,
+        string resourceGuardId, string? vaultType, string? tenant,
+        RetryPolicyOptions? retryPolicy, CancellationToken cancellationToken)
+    {
+        var resolved = await ResolveVaultTypeAsync(vaultName, resourceGroup, subscription, vaultType, tenant, retryPolicy, cancellationToken);
+        return VaultTypeResolver.IsRsv(resolved)
+            ? await rsvOps.ConfigureMultiUserAuthorizationAsync(vaultName, resourceGroup, subscription, resourceGuardId, tenant, retryPolicy, cancellationToken)
+            : await dppOps.ConfigureMultiUserAuthorizationAsync(vaultName, resourceGroup, subscription, resourceGuardId, tenant, retryPolicy, cancellationToken);
+    }
+
+    public async Task<OperationResult> DisableMultiUserAuthorizationAsync(
+        string vaultName, string resourceGroup, string subscription,
+        string? vaultType, string? tenant,
+        RetryPolicyOptions? retryPolicy, CancellationToken cancellationToken)
+    {
+        var resolved = await ResolveVaultTypeAsync(vaultName, resourceGroup, subscription, vaultType, tenant, retryPolicy, cancellationToken);
+        return VaultTypeResolver.IsRsv(resolved)
+            ? await rsvOps.DisableMultiUserAuthorizationAsync(vaultName, resourceGroup, subscription, tenant, retryPolicy, cancellationToken)
+            : await dppOps.DisableMultiUserAuthorizationAsync(vaultName, resourceGroup, subscription, tenant, retryPolicy, cancellationToken);
+    }
+
+
     private async Task<string> ResolveVaultTypeAsync(
         string vaultName, string resourceGroup, string subscription,
         string? vaultType, string? tenant,