feat(azurebackup): Add security configure-mua command for Multi-User Authorization #2544

Open
shrja-ms wants to merge 1 commit into microsoft:main from shrja-ms:user/azurebackup-security-commands

shrja-ms commented Apr 30, 2026

Summary

Adds azurebackup security configure-mua command that enables/disables Multi-User Authorization (MUA) on Recovery Services vaults and Backup vaults by linking/unlinking a Resource Guard.

Changes

New Command: azurebackup security configure-mua

  • Enable MUA: Provide --resource-guard-id to link a Resource Guard to the vault
  • Disable MUA: Omit --resource-guard-id to unlink (this is itself a protected operation requiring Backup MUA Operator role)
  • Supports both RSV (VaultProxy) and DPP (DppResourceGuardProxy) vault types
  • Auto-detects vault type when --vault-type is omitted
  • Uses the new [CommandMetadata] attribute pattern
  • ARM ID validation on --resource-guard-id
  • GetStatusCode override for proper 403/400 mapping

Files Changed (15 files, ~895 lines)

| Category | Files |
|---|---|
| Command | SecurityConfigureMuaCommand.cs (new), SecurityConfigureMuaOptions.cs (new) |
| Service | IAzureBackupService.cs, AzureBackupService.cs, IRsvBackupOperations.cs, RsvBackupOperations.cs, IDppBackupOperations.cs, DppBackupOperations.cs |
| Registration | AzureBackupSetup.cs, AzureBackupJsonContext.cs, AzureBackupOptionDefinitions.cs |
| Unit Tests | SecurityConfigureMuaCommandTests.cs (22 tests) |
| Live Tests | AzureBackupCommandTests.cs (5 MUA tests), assets.json |

Validation

Manual Test Cases: azurebackup security configure-mua

Prerequisites

  1. Two test vaults deployed (one RSV, one DPP/Backup Vault) in the same region
  2. A Resource Guard deployed in the same region (ideally in a separate subscription)
  3. Reader role on the Resource Guard assigned to the test principal
  4. Backup Contributor on both vaults
  5. Local MCP server running: azmcp server start

Environment Variables

$sub = "<your-subscription-id>"
$rg = "<vault-resource-group>"
$rsvVault = "<rsv-vault-name>"
$dppVault = "<dpp-vault-name>"
$guardId = "/subscriptions/<guard-sub>/resourceGroups/<guard-rg>/providers/Microsoft.DataProtection/resourceGuards/<guard-name>"

Test Matrix

| # | Dimension | Vault Type | Operation | Expected |
|---|---|---|---|---|
| 1 | Enable MUA | RSV | with --resource-guard-id | Succeeded |
| 2 | Enable MUA | DPP | with --resource-guard-id + --vault-type dpp | Succeeded |
| 3 | Disable MUA | RSV | without --resource-guard-id | Succeeded (if MUA was enabled) |
| 4 | Disable MUA | DPP | without --resource-guard-id + --vault-type dpp | Succeeded (if MUA was enabled) |
| 5 | Auto-detect | RSV | no --vault-type | Auto-detects RSV, succeeds |
| 6 | Auto-detect | DPP | no --vault-type | Auto-detects DPP, succeeds |
| 7 | Invalid vault-type | N/A | --vault-type invalid | 400 Bad Request |
| 8 | Missing vault | RSV | non-existent vault name | 404 Not Found |
| 9 | No Reader role | RSV | enable without Reader on guard | 403 Forbidden |
| 10 | Disable without MUA | RSV | disable when not enabled | 404 (no VaultProxy) |
| 11 | Re-enable (idempotent) | RSV | enable when already enabled | Succeeded (idempotent CreateOrUpdate) |
| 12 | Enable MUA | DPP | without --vault-type (auto-detect) | Succeeded |

Detailed Test Steps

TC-1: Enable MUA on RSV vault

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --resource-guard-id <guardId>

Expected: status = "Succeeded", message contains "Multi-User Authorization enabled"
Verify in Portal: Vault > Properties > Multi-User Authorization shows Resource Guard linked

TC-2: Enable MUA on DPP vault (explicit vault-type)

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <dppVault>
  --vault-type dpp
  --resource-guard-id <guardId>

Expected: status = "Succeeded"
Verify in Portal: Backup vault > Properties > Multi-User Authorization shows linked

TC-3: Disable MUA on RSV vault (requires Backup MUA Operator role)

Pre-condition: TC-1 passed, MUA is enabled on RSV vault
Pre-condition: Test principal has Backup MUA Operator role on Resource Guard

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>

Expected: status = "Succeeded", message contains "disabled"
Verify in Portal: Vault > Properties > Multi-User Authorization shows "Not configured"

TC-4: Disable MUA on DPP vault

Pre-condition: TC-2 passed, MUA is enabled on DPP vault
Pre-condition: Test principal has Backup MUA Operator role on Resource Guard

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <dppVault>
  --vault-type dpp

Expected: status = "Succeeded"

TC-5: Auto-detect RSV vault type

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --resource-guard-id <guardId>
  (no --vault-type)

Expected: Auto-detects RSV, status = "Succeeded"

TC-6: Auto-detect DPP vault type

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <dppVault>
  --resource-guard-id <guardId>
  (no --vault-type)

Expected: Auto-detects DPP, status = "Succeeded"

TC-7: Invalid vault-type

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --vault-type invalid

Expected: 400 Bad Request, message contains "--vault-type must be 'rsv' or 'dpp'"

TC-8: Non-existent vault

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault nonexistent-vault-12345
  --vault-type rsv
  --resource-guard-id <guardId>

Expected: 404 Not Found, message contains "not found"

TC-9: Missing Reader role on Resource Guard

Pre-condition: Test principal does NOT have Reader on the Resource Guard

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --resource-guard-id <guardId>

Expected: 403 Forbidden, message contains "Authorization failed" and mentions Reader role

TC-10: Disable MUA when not enabled

Pre-condition: MUA is NOT enabled on the vault (no VaultProxy exists)

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --vault-type rsv

Expected: 404 Not Found, message mentions vault or Resource Guard not found

TC-11: Re-enable MUA (idempotent)

Pre-condition: TC-1 passed, MUA is already enabled

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <rsvVault>
  --resource-guard-id <guardId>

Expected: status = "Succeeded" (CreateOrUpdate is idempotent)

TC-12: Enable MUA on DPP with auto-detect

Tool: azurebackup_security_configure-mua
Parameters:
  --subscription <sub>
  --resource-group <rg>
  --vault <dppVault>
  --resource-guard-id <guardId>
  (no --vault-type)

Expected: Auto-detects DPP, status = "Succeeded"

Cross-Region Validation

| Scenario | Expected |
|---|---|
| Resource Guard and vault in same region | Succeeds |
| Resource Guard and vault in different regions | 400 Bad Request — region mismatch |

Response Schema Validation

Every successful response must match:

{
  "result": {
    "status": "Succeeded",
    "jobId": null,
    "message": "Multi-User Authorization enabled on vault '...' with Resource Guard '...'."
  }
}

For disable:

{
  "result": {
    "status": "Succeeded",
    "jobId": null,
    "message": "Multi-User Authorization disabled on vault '...'."
  }
}

Portal Verification Steps

After enabling MUA:

  1. Go to Recovery Services vault > Properties > Multi-User Authorization
  2. Verify it shows the linked Resource Guard name and ARM ID
  3. Try a protected operation (e.g., disable soft delete) — it should require approval

After disabling MUA:

  1. Verify Multi-User Authorization shows "Not configured"
  2. Protected operations should no longer require approval

Invoking Livetests

Copilot submitted PRs are not trustworthy by default. Users with write access to the repo need to validate the contents of this PR before leaving a comment with the text /azp run mcp - pullrequest - live. This will trigger the necessary livetest workflows to complete required validation.
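
An added example, not part of the PR or the project's code: because omitting --resource-guard-id is what selects the disable path, a checker for the manual test plan above can derive the intended operation from the parameters and confirm that the response message reports that same operation, alongside the response schema. The function names, the regex and the sample values are assumptions constructed for illustration.

```python
import json
import re

# Resource Guard ARM ID shape, taken from the $guardId variable in the test plan.
# Case-insensitive matching is an assumption (ARM resource IDs are case-insensitive).
GUARD_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.DataProtection/resourceGuards/[^/]+$",
    re.IGNORECASE,
)

def intended_operation(params):
    """--resource-guard-id present means enable; omitted means disable."""
    guard_id = params.get("resource-guard-id")
    if guard_id is None:
        return "disable"
    if not GUARD_ID_RE.match(guard_id):
        raise ValueError(f"not a Resource Guard ARM ID: {guard_id!r}")
    return "enable"

def check_response(params, raw_json):
    """Return a list of problems; an empty list means the response fits the plan."""
    operation = intended_operation(params)
    result = json.loads(raw_json).get("result")
    if not isinstance(result, dict):
        return ["missing 'result' object"]
    problems = [f"missing field {k!r}" for k in ("status", "jobId", "message")
                if k not in result]
    if result.get("status") != "Succeeded":
        problems.append(f"status is {result.get('status')!r}")
    if result.get("jobId") is not None:
        problems.append("jobId should be null")
    wanted = f"Multi-User Authorization {operation}d on vault"
    if not str(result.get("message", "")).startswith(wanted):
        problems.append(f"message does not confirm {operation}")
    return problems

# Constructed sample values, not output captured from the tool.
GUARD = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "guard-rg/providers/Microsoft.DataProtection/resourceGuards/guard1")
ENABLED = json.dumps({"result": {"status": "Succeeded", "jobId": None,
    "message": f"Multi-User Authorization enabled on vault 'v1' with Resource Guard '{GUARD}'."}})
DISABLED = json.dumps({"result": {"status": "Succeeded", "jobId": None,
    "message": "Multi-User Authorization disabled on vault 'v1'."}})

if __name__ == "__main__":
    print(check_response({"vault": "v1", "resource-guard-id": GUARD}, ENABLED))
    print(check_response({"vault": "v1"}, DISABLED))
    # An enable request answered with a "disabled" message is reported as a problem.
    print(check_response({"vault": "v1", "resource-guard-id": GUARD}, DISABLED))
```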

Copilot AI left a comment

Pull request overview

Adds a new AzureBackup security command to configure Multi-User Authorization (MUA) for both Recovery Services vaults (RSV) and Data Protection/Backup vaults (DPP) by linking/unlinking a Resource Guard, along with supporting service-layer operations and test coverage.

Changes:

  • Introduces azurebackup security configure-mua command + options and JSON source-gen support.
  • Adds MUA enable/disable operations to AzureBackup service surface and RSV/DPP operation implementations.
  • Adds unit tests, recorded live tests, and a manual test plan for MUA scenarios.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 7 comments.

| File | Description |
|---|---|
| tools/Azure.Mcp.Tools.AzureBackup/tests/manual-test-mua.md | New manual test matrix and detailed steps for MUA enable/disable and validation. |
| tools/Azure.Mcp.Tools.AzureBackup/tests/Azure.Mcp.Tools.AzureBackup.UnitTests/Security/SecurityConfigureMuaCommandTests.cs | New unit tests covering routing, error handling, and response serialization for configure-mua. |
| tools/Azure.Mcp.Tools.AzureBackup/tests/Azure.Mcp.Tools.AzureBackup.UnitTests/AzureBackupSetupTests.cs | Updates subgroup expectations to include security (but drops an existing protected item command assertion). |
| tools/Azure.Mcp.Tools.AzureBackup/tests/Azure.Mcp.Tools.AzureBackup.LiveTests/assets.json | Updates recorded test assets tag. |
| tools/Azure.Mcp.Tools.AzureBackup/tests/Azure.Mcp.Tools.AzureBackup.LiveTests/AzureBackupCommandTests.cs | Adds live tests for RSV/DPP MUA enable/disable + explicit vault-type routing. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/RsvBackupOperations.cs | Adds RSV implementation for linking/unlinking Resource Guard proxy for MUA. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/IRsvBackupOperations.cs | Extends RSV operations interface with MUA methods. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/IDppBackupOperations.cs | Extends DPP operations interface with MUA methods. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/IAzureBackupService.cs | Extends public service interface with MUA configure/disable APIs. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/DppBackupOperations.cs | Adds DPP implementation for linking/unlinking Resource Guard proxy for MUA. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Services/AzureBackupService.cs | Routes MUA calls to RSV vs DPP based on resolved vault type. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Options/Security/SecurityConfigureMuaOptions.cs | Adds options model for --resource-guard-id. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Options/AzureBackupOptionDefinitions.cs | Adds --resource-guard-id option definition. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Commands/Security/SecurityConfigureMuaCommand.cs | New command implementation + error message mapping + response schema wrapper. |
| tools/Azure.Mcp.Tools.AzureBackup/src/Commands/AzureBackupJsonContext.cs | Registers new command result type for System.Text.Json source generation. |
| tools/Azure.Mcp.Tools.AzureBackup/src/AzureBackupSetup.cs | Registers the new security subgroup and configure-mua command. |
Comment thread tools/Azure.Mcp.Tools.AzureBackup/src/AzureBackupSetup.cs Outdated
shrja-ms force-pushed the user/azurebackup-security-commands branch 3 times, most recently from 995a7b3 to f494bdd, April 30, 2026 09:43
shrja-ms requested a review from a team as a code owner, April 30, 2026 09:43
shrja-ms force-pushed the user/azurebackup-security-commands branch 3 times, most recently from bcb00a1 to b96e454, April 30, 2026 11:52

jongio left a comment

Straightforward new command following the existing AzureBackup patterns. Enable/disable routing, vault-type auto-detection, error handling, and test coverage all look correct.

A few items to address before merge:

  1. Missing telemetry - SecurityConfigureMuaCommand.ExecuteAsync doesn't call AzureBackupTelemetryTags.AddVaultTags(context.Activity, options.VaultType). Every other command in this toolset does this before the try block. Without it, MUA operations won't show up in vault-type telemetry breakdowns.

  2. Missing azmcp-commands.md entry - The new azurebackup security configure-mua command needs a section in servers/Azure.Mcp.Server/docs/azmcp-commands.md with usage and parameter docs. See the azurebackup disasterrecovery enable-crr section for the pattern.

  3. Missing e2eTestPrompts.md entry - Add test prompts for the new command in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md. Something like "Enable multi-user authorization on vault X in resource group Y" and "Disable MUA on vault X".

  4. Missing changelog entry - New feature commands should have a changelog entry YAML file under servers/Azure.Mcp.Server/changelog-entries/. See docs/changelog-entries.md for the format.

shrja-ms force-pushed the user/azurebackup-security-commands branch from b96e454 to ad7839b, April 30, 2026 15:35
shrja-ms requested a review from jongio, April 30, 2026 15:37
…Authorization

Add azurebackup security configure-mua command that enables/disables
Multi-User Authorization (MUA) on Recovery Services vaults and Backup
vaults by linking/unlinking a Resource Guard.

- Enable MUA: provide --resource-guard-id to link a Resource Guard
- Disable MUA: omit --resource-guard-id to unlink (protected operation)
- Supports both RSV (VaultProxy) and DPP (DppResourceGuardProxy)
- Auto-detects vault type when --vault-type is omitted
- Proper error handling for 400/403/404/409 scenarios

Files: 16 changed, ~1200 lines added
Tests: 22 unit tests, 5 live tests (recorded + playback)
Validation: Cspell clean, ToolDescriptionEvaluator passed
shrja-ms force-pushed the user/azurebackup-security-commands branch from ad7839b to d136be4, April 30, 2026 15:49