VaultGuard360 includes a built-in configuration export and import tool. Use it to back up your settings before a plan change, restore configuration after redeploying, or migrate settings when moving to a new managed application instance.
What's Included in an Export
The export captures your operational configuration as a JSON document.
| Category | What's exported |
|---|---|
| Alert thresholds | Warning, severe, and critical day values |
| General settings | Default notification email, per-threshold enable/disable flags |
| Email configuration | Provider (ACS or SMTP), SMTP host, port, from address, from name, TLS setting |
| Webhook channels | Channel types (Generic, Slack, PagerDuty, ServiceNow) and enabled/disabled state |
| Reminder mode | Per-threshold reminder frequency (every scan, daily, weekly, once) |
| Team routing rules | Subscription-to-team mappings, team names, notification email addresses |
What's Excluded
The following fields are intentionally excluded to prevent credential leakage. You will need to re-enter them manually after importing.
| Excluded field | Reason | Action after import |
|---|---|---|
| Webhook URLs | Contain authentication tokens | Re-enter in Notifications → Webhooks |
| Webhook secrets | API keys / shared secrets | Re-enter in Notifications → Webhooks |
| Teams webhook URL | Contains authentication token | Re-enter in Notifications → Teams Webhook |
| Per-route webhook URLs | Contain authentication tokens | Re-enter in Team Routing for each route |
| Custom email domain | Tied to specific ACS resource instance | Re-configure in Custom Domain and re-verify DNS |
| Scan history & audit logs | Large dataset, bound to storage account | Not transferable between deployments |
| SMTP credentials | Passwords / app passwords | Re-enter in Email Configuration |
Note: The export file is safe to store in version control or share with your team — it contains no secrets, credentials, or webhook tokens. Review the file before sharing if your team names or subscription names are sensitive.
How to Export
From the Dashboard
- Open the VaultGuard360 dashboard
- Navigate to Settings
- Click Export Configuration
- Save the downloaded
.jsonfile in a secure location
From the API
curl -s https://<function-app>.azurewebsites.net/api/export \
-H "Cookie: <your-easyauth-session-cookie>" \
-o vaultguard360-config-backup.json
Note: The export endpoint works even after a trial has expired. This ensures you can always back up your configuration before upgrading to a paid plan.
How to Import
From the Dashboard
- Open the VaultGuard360 dashboard on the target deployment
- Navigate to Settings
- Click Import Configuration
- Select the
.jsonfile you exported previously - Review the import summary showing what was restored
From the API
curl -s https://<function-app>.azurewebsites.net/api/import \
-X POST \
-H "Cookie: <your-easyauth-session-cookie>" \
-H "Content-Type: application/json" \
-d @vaultguard360-config-backup.json
The API returns a summary of what was imported:
{
"success": true,
"imported": {
"thresholds": true,
"settings": true,
"emailConfig": true,
"webhookConfig": true,
"reminderMode": true,
"routes": 5
},
"message": "Configuration imported successfully"
}
Warning: Import uses upsert logic — it updates existing settings and adds new ones. Routing rules for the same subscription ID will be overwritten. If you want to preserve existing routes for other subscriptions, they are not affected.
After Importing: Checklist
After a successful import, complete these steps to fully restore your setup:
-
Re-enter webhook URLs and secrets
- Navigate to Notifications → Webhooks
- Re-enter the URL and secret/key for each enabled channel (Generic, Slack, PagerDuty, ServiceNow)
-
Re-enter Teams webhook URL (if used)
- Navigate to Notifications → Teams Webhook
- Paste your Teams Workflow webhook URL
-
Re-enter per-route webhook URLs (if used)
- Navigate to Team Routing
- Edit each route that had a team-specific webhook URL
-
Re-configure custom email domain (if used)
- Navigate to Custom Domain
- Enter your domain name and add the new DNS records
- The new deployment has a new ACS resource, so DNS verification records will be different from the previous deployment
-
Re-enter SMTP credentials (if using SMTP instead of ACS)
- Navigate to Email Configuration
- Re-enter your SMTP username and password or app password
-
Run a test scan
- Click Run Scan Now on the Dashboard
- Verify subscriptions and Key Vaults appear in the results
-
Test notifications
- Use Test Connection in Email Setup
- Use Test for each webhook channel
- Confirm messages arrive at the expected destinations
Export File Format
The export is standard JSON and can be edited before importing. For example, you can update email addresses across all routes before importing into a new environment.
{
"version": 1,
"exportedAt": "2026-03-14T23:00:00.000000+00:00",
"thresholds": {
"warningDays": 30,
"severeDays": 14,
"criticalDays": 5
},
"settings": {
"notificationEmail": "security-team@contoso.com",
"days30Enabled": true,
"days14Enabled": true,
"days7Enabled": true
},
"emailConfig": {
"provider": "acs",
"enabled": true,
"smtpHost": "",
"smtpPort": 25,
"smtpFromAddress": "",
"smtpFromName": "VaultGuard360",
"smtpUseTls": false
},
"webhookConfig": {
"channels": [
{ "channelType": "generic", "enabled": false },
{ "channelType": "slack", "enabled": true },
{ "channelType": "pagerduty", "enabled": false },
{ "channelType": "servicenow", "enabled": false }
]
},
"reminderMode": {
"warning": "daily",
"severe": "every_scan",
"critical": "every_scan"
},
"routes": [
{
"subscriptionId": "b6c588f1-cc18-4496-b3db-dbe0adb736cf",
"subscriptionName": "Production",
"teamName": "Infrastructure Team",
"notificationEmail": "infra@contoso.com",
"webhookUrl": ""
}
]
}
The version field ensures forward compatibility. Future versions of VaultGuard360 will import files from older versions correctly.
Use for Migration
The export/import tool is the recommended migration path for:
- Trial to Professional or Enterprise — export before the trial expires, import into the new paid deployment
- Plan changes (Professional to Enterprise) — same workflow, new managed application instance
- Redeployment — if you need to redeploy the managed application for any reason
- Disaster recovery — maintain a regular export backup alongside your other Azure configuration backups
See Upgrading Plans for the complete upgrade workflow.