ACSC Essential 8 Microsoft Cloud VDI Azure Virtual Desktop (AVD) Windows 365 (W365) Security & Compliance

Implementing Essential 8 Maturity Level 2 in Microsoft Cloud VDI (AVD & W365) – Regular Backups

Keeping Azure Virtual Desktop and Windows 365 recoverable, even when the beans go bad

A good cold brew is all about preparation and patience. You steep it overnight, untouched, so it’s ready when the temperature rises. Backups are no different they only matter when things go wrong, but they’re useless if not carefully prepared.

In Azure Virtual Desktop (AVD) or Windows 365 (W365), solid backup practices are what transform a simple outage into a quick recovery.

What is “Backups”?

Under the ACSC Essential 8, the Backup control is all about resilience: being able to recover critical systems, data, and configurations after a breach, ransomware event, or mistake.

For Maturity Level 2, backups must:

  • Run automatically and be retained per business criticality
  • Be synchronised for consistent point‑in‑time recovery
  • Be stored securely and tested regularly
  • Be protected against unauthorised modification or deletion

In short — a working recovery plan with provable isolation and integrity.

How It Works in Cloud VDI

Azure Virtual Desktop (AVD)

AVD operates across several Azure layers:

  • User profiles and data – FSLogix containers stored in Azure Files or Azure NetApp Files
  • Session hosts – Azure Compute virtual machines
  • Configuration definitions – ARM or Bicep templates, PowerShell
  • Dependent services – Azure SQL, Key Vault, or Azure Storage

Backups apply differently at each layer:

  • Protect Azure Files with Azure Backup or NetApp volume snapshots.
  • Back up session‑host VMs using Recovery Services Vaults. In multi‑host designs, use gold‑image version control rather than backing up each instance.
  • Store all Infrastructure‑as‑Code (Bicep, ARM, JSON) in version‑controlled repositories to allow environment rebuilds at short notice.

Backups for AVD environments should also use immutable Recovery Services Vaults with Geo‑Redundant Storage (GRS) enabled to deliver true ML2‑grade resilience.

Windows 365 (W365) and Microsoft 365 Data Protection

Windows 365 abstracts almost all infrastructure layers, leaving Microsoft 365 to manage user data protection. In this model, your ability to restore depends on the native data‑protection features built into the Microsoft 365 stack.

What Microsoft provides:

  • OneDrive for Business: Version history, 30‑day file restore, and a 93‑day recycle bin.
  • SharePoint Online: Dual‑stage recycle bins retained for 93 days, and library versioning.
  • Exchange Online: Item‑level recovery and deleted‑item retention (default 30 days, extendable), underpinned by database‑level replication and availability groups.
  • Platform replication: Microsoft maintains multi‑region replication for service continuity and platform‑level resilience.

These measures support availability, limited retention, and short‑term recovery, but do not fully meet Essential 8 ML2 requirements. Microsoft’s protection model is designed for service continuity, not for tenant‑controlled backup. You cannot make data immutable, restore a complete site at will, or isolate copies from the production tenancy.

To close this compliance gap, many organisations deploy cloud‑to‑cloud backup solutions such as ConnectWise M365 Backup (formerly SkyKick) or Veeam Backup for M365. These tools:

  • Keep independent, immutable copies of OneDrive, SharePoint, and Exchange data.
  • Offer region‑specific replication and flexible retention schedules.
  • Support granular, point‑in‑time recovery aligned to business and compliance objectives.

Using third‑party M365 backups moves tenant data under your administrative control the critical step needed to achieve ML2 alignment for Microsoft 365 workloads supporting W365 users.

Immutable Backups – Hands Off, Locked Tight

Immutable backups are those that cannot be modified or deleted until their retention period ends. In Azure this is delivered using Immutable Vaults.

Why it matters:

  • Stops ransomware dead — even compromised credentials can’t alter or remove stored copies.
  • Eliminates insider tampering — backup and platform admins can’t purge protected data.
  • Supports audit and compliance — the vault enforces evidence of retention integrity.

Once locked, backups remain intact until the specified retention period ends — the digital equivalent of sealing a litre of cold brew and labelling it hands off until morning.

Backup Resiliency with Geo‑Redundancy

Resilient backups survive not just tampering but regional disasters.
Setting your Recovery Services Vault to Geo‑Redundant Storage (GRS) replicates backup data to a paired Azure region.

When enabled:

  • Backups are written to both primary and secondary regions.
  • In a regional outage, Microsoft can initiate recovery from the secondary region.
  • Combined with immutability, this provides both off‑site protection and change‑proof retention — ideal for ML2 compliance.

Portal path:

  1. Open your Recovery Services Vault
  2. Under Properties → Backup Configuration, select Geo‑Redundant Storage
  3. Ensure Soft Delete and Immutable Vault are both enabled

Implementation Flow

flowchart TD AVD[Azure Virtual Desktop] --> FS["FSLogix Containers - Azure Files"] FS --> Vault["Recovery Services Vault (Immutable + GRS)"] Vault --> TestRestore["Tested Restore / DR Exercise"] subgraph M365 [Windows 365 + Microsoft 365] U1[Cloud PC Users] --> OD["OneDrive / SharePoint / Exchange Online"] OD --> Protect["Microsoft Data Protection - Versioning, Retention"] Protect --> Backup3P["Optional Tenant-Controlled Backup Platform (e.g. ConnectWise M365 Backup)"] end

Real‑World Impact

Immutable and geo‑resilient backups bring calm to otherwise chaotic recovery moments. Without them, ransomware or an administrator’s mis‑click could erase both production and recovery data in an instant.

A properly designed plan:

  • Enables rapid, point‑in‑time recovery from isolated data copies
  • Provides cross‑region durability for continuity
  • Defends against insider and external tampering
  • Demonstrates tested, auditable control for compliance

For AVD and W365 alike, that’s the difference between a minor outage and a week of downtime.

Best Practices

  • Enable Immutable Vaults with GRS for all AVD critical file shares and backup vaults.
  • Activate Soft Delete to guard against unexpected purge operations.
  • Tighten RBAC on Recovery Services Vaults; restrict “restore operator” privileges.
  • Store infrastructure definitions in source control for rapid environment rebuilds.
  • Test restores quarterly; record results to evidence DR capability.
  • For Microsoft 365 tenants, deploy independent backup where compliance or legal retention requires isolation.
🍺
Brewed Insight: Microsoft’s native protection is like keeping a backup jug of cold brew in the same fridge as the main batch — safe from small spills but not from a power cut.
Adding immutable, geo‑redundant Azure backups and independent M365 backups is like moving that jug across town to a powered cellar: slower to set up but rock‑solid when everything else melts down.

Learn More