Submit a request

Nerdio Help Center

Backup and Restore of NMM install

Applies to: Nerdio Manager for MSP (NMM)

This topic discusses how to backup and restore the NMM app and associated services.

NMM is an Azure application consisting of several PaaS services. When backing up NMM, the following components should be considered:

  • Azure Key Vault: This contains service principal secrets and AD domain joiner user account passwords. The contents of the Key Vault are fairly static and do not need to be backed up on a regular basis.

  • Azure SQL Database: This contains auto-scale configuration (for example, scheduling), logs, and auto-scale history data. The relevant contents of the database change when auto-scale settings are modified. A recurring backup is recommended.

  • Azure App Service: This runs the NMM application and does not contain actual data beyond the application binaries. The contents of the app service change when the application is upgraded to the latest version.

Nerdio Tip
    The recommended method for backing up NMM is to enable App Service backups and directly retrieve contents of the Key Vault used by NMM to a .zip file. SQL database backups are automatically included with the App service backups. Otherwise, you need to perform the procedures described below.




  • The app service plan must be a Standard or Premium one (for example, S3 or P2V2) because only standard and premium plans support the built-in Back Up and Restore functionality. By default, NMM is deployed using a Basic plan (B3), which does not support backups.

  • A non-guest account with at least Contributor role permissions on the Key Vault, which can be inherited from the subscription the Key Vault is tied to.

  • If the SQL Server has been hardened (limiting network access to known VNets & IPs only), all IP addresses associated with the app service cluster must be added as permitted IPs on the SQL Server firewall (associated IP addresses are displayed under the Networking tab of the app service). Otherwise, the backup services for the app service are unable to connect to the SQL server and save the backup successfully.

    • App service backups occur in the app service cluster, and do not use any configured private endpoints or VNet integration.

Local System:

  • PowerShell 6.2.4 or PowerShell 5.1 for Windows

    • The entire Azure PowerShell Module "Az", or individual modules "Az.Accounts", "Az.KeyVault", "Az.Resources", "Az.Storage", and "Az.Websites". See this MS Doc for details

  • .Net Framework 4.7.2 or better

App Service and SQL DB Backup

The following procedure backs up the App Service and SQL database.

To back up the App Service and SQL database:

  1. Download the nmm-app-service-backup.ps1 script.

  2. Obtain the following values:

    • Azure Subscription ID: Nerdio Manager > Settings >Environment > Subscription tile.

      Note: Both the app service and backup storage account should be located in the same Azure subscription.

    • App Service Resource Group Name: Nerdio Manager > Settings >Environment > Linked resource groups tile.

    • App Service Name: Azure portal > Resource groups > Look up the name.

    • Storage Account Resource Group: Azure portal > Resource groups > Look up the name.

      Note: This can be the same as the app service resource group.

    • Storage Account Name: A new storage account with this name is created.

  3. On your local computer, run the script nmm-app-service-backup.ps1 and supply the values as requested.

    Note: When prompted for a sign in, supply an account with permissions to the app service and storage account. A user with Contributor permissions on the subscription is recommended.

  4. After script execution, backups of the app service and SQL database are performed automatically daily with a retention of 10 days.

    Note: By default, the script sets a retention period of 10 days and occurs every day at the time you ran the script. This can be changed by navigating to the Backups blade under settings in the App Service portal and selecting Configure. Ensure the SQL connection string is present before selecting Save. If the value is missing, it can be retrieved from the Key Vault provisioned by Nerdio, under the name 'ConnectionStrings--DefaultConnection'.



    Key Vault Backup

    The Key Vault is backed up using a PowerShell script that retrieves the secrets and certificates stored in the Key Vault and saves the contents to a local zip file named in the same directory the script is run in. The contents of the zip file are encrypted and can only be decrypted in Azure.

    To back up the Key Vault:

    1. Download this script (key-vault-backup.ps1) to your local computer and unzip it.

    2. Obtain the following values:

      • Azure Subscription ID: Nerdio Manager > Settings >Environment > Subscription tile.

      • Key Vault Name: Azure portal > Look up the name.

    3. On your local computer, run the script key-vault-backup.ps1 and supply the values as requested.

      Note: When prompted for a sign in, supply an non-guest account with Access policies and permissions for the Key Vault. A user with Owner role is recommended.

    4. After script execution, the backup file is present in the directory.

      Note: Be sure to save the backup file ( to be used in a future restore, if needed.

    App Service Restore

    Restoring the App Service can be done using the portal option within the App Service, or using the files stored in the storage account under the blob container nmm-backup.

    See these articles for additional details:

    Key Vault Restore

    The following procedure restores the Key Vault from a backup.

    To restore the Key Vault from a backup:

    1. Download this script (key-vault-restore.ps1) to your local computer and unzip it.

    2. Move the key-vault-restore.ps1 script to the same directory as the file.

    3. Run the script key-vault-restore.ps1.

      Note: The script only restores secrets and certificates that do not exist. If they have been deleted, but not purged, you receive a conflict error from the script. When restoring to a key vault with existing values, those values are not be overwritten.

      Note: Old secrets can be restored manually from the portal by selecting the "Older Versions" of the secret. This is useful if a specific value has been changed and needs to be reverted, such as the password used by the AD account.

Was this article helpful?
0 out of 0 found this helpful
Important Notification for NFA Partners Only
  • Microsoft is sunsetting Azure Classic (not Azure Virtual Desktop (AVD)) - Microsoft Article
  • NFA sunset occurs February 20th, 2023
  • NFA will be fully supported until the official sunset -


Please sign in to leave a comment.