Disk Encryption Sets broken after transfer of subscription

Heting Wang 96 Reputation points
2020-12-09T20:33:21.99+00:00

The Managed Identity of my Disk Encryption Set got broken after the transfer of my subscription. It says:

Failed to grant permissions to the key vault 'imlibra-me'. Error: An invalid value was provided for 'accessPolicies'.

But when I created another Disk Encryption Set, it's OK. Does it mean I will lose all of my data?

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.


Accepted answer
  1. Heting Wang 96 Reputation points
    2020-12-10T06:28:59.963+00:00

    I solved it with this command, and it has absolutely no documentation at all:

    # $keyVaultKeyUrl (URL of the key inside the vault) and $keyVaultName (the vault's name) must be set before running
    az disk-encryption-set update --name disk-encryption --resource-group resource --key-url $keyVaultKeyUrl --source-vault $keyVaultName --set identity.type=SystemAssigned


1 additional answer

  1. deherman-MSFT 32,951 Reputation points Microsoft Employee
    2020-12-09T21:06:34.317+00:00

    @Heting Wang Per the documentation, this is recoverable. If you are using Disk Encryption Sets to encrypt Managed Disks with customer-managed keys, you must disable and re-enable the system-assigned identities associated with Disk Encryption Sets. And you must re-create the role assignments, i.e., again grant the required permissions to the Disk Encryption Sets in the Key Vaults.

    Hope this helps! If you are still having issues after performing these steps please let me know.

    -------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
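Both answers describe the same recovery: the system-assigned identity of the Disk Encryption Set must be re-enabled in the new directory and the Key Vault access re-granted to the new principal. The following audit, added here as an example and not part of either answer or of any Microsoft tooling, checks offline whether a DES is in the broken state those answers describe. It reads dicts constructed to mimic the shape of `az disk-encryption-set show` and `az keyvault show` output (all tenant ids, principal ids and the key URL are made up); the required key permissions (get, wrapKey, unwrapKey) are the ones a DES identity needs on the vault holding its key.

```python
# Added example (not from the Q&A post or from Microsoft): an offline audit of a
# Disk Encryption Set (DES) after a subscription is moved between Azure AD
# directories. Input dicts are constructed to mimic `az disk-encryption-set show`
# and `az keyvault show` output.
from urllib.parse import urlparse

# Key permissions a DES identity needs on the vault holding its key
# (compared case-insensitively; az prints them as get/wrapKey/unwrapKey).
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}


def audit_des(des, vault):
    """Return a list of findings; an empty list means the DES can reach its key."""
    findings = []
    identity = des.get("identity") or {}
    principal = identity.get("principalId")
    if identity.get("type") != "SystemAssigned" or not principal:
        findings.append("no system-assigned identity: re-enable it on the DES")
        return findings  # nothing further can be checked without a principal

    props = vault.get("properties") or {}
    vault_tenant = props.get("tenantId")
    vault_name = (vault.get("name") or "").lower()

    # After a directory move the vault follows the new tenant, but the DES
    # identity still carries the old tenant id: it was not transferred.
    if identity.get("tenantId") != vault_tenant:
        findings.append(
            "identity tenant %s differs from vault tenant %s: identity was not transferred"
            % (identity.get("tenantId"), vault_tenant))

    # The active key URL must point at the vault whose policy we inspect.
    key_url = (des.get("activeKey") or {}).get("keyUrl") or ""
    host = urlparse(key_url).hostname or ""
    if not host.startswith(vault_name + "."):
        findings.append("activeKey.keyUrl host %r is not vault %r" % (host, vault_name))

    policies = props.get("accessPolicies") or []
    live = [p for p in policies
            if p.get("objectId") == principal and p.get("tenantId") == vault_tenant]
    stale = [p for p in policies
             if p.get("objectId") == principal and p.get("tenantId") != vault_tenant]
    if stale:
        findings.append("access policy for %s references tenant %s, not the vault tenant"
                        % (principal, stale[0].get("tenantId")))
    if not live:
        findings.append("no access policy for principal %s on vault %s" % (principal, vault_name))
    else:
        granted = {k.lower() for p in live
                   for k in (p.get("permissions") or {}).get("keys", [])}
        missing = sorted(REQUIRED_KEY_PERMISSIONS - granted)
        if missing:
            findings.append("access policy lacks key permissions: " + ", ".join(missing))
    return findings


# Constructed sample values (not real tenants, principals or keys).
OLD_TENANT = "11111111-1111-1111-1111-111111111111"
NEW_TENANT = "22222222-2222-2222-2222-222222222222"
OLD_PRINCIPAL = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
NEW_PRINCIPAL = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # re-enabling issues a new principal
KEY_URL = "https://imlibra-me.vault.azure.net/keys/disk-key/0123456789abcdef"


def des_doc(principal, tenant):
    return {"name": "disk-encryption",
            "identity": {"type": "SystemAssigned", "principalId": principal, "tenantId": tenant},
            "activeKey": {"keyUrl": KEY_URL,
                          "sourceVault": {"id": "/subscriptions/<sub-id>/resourceGroups/resource/"
                                                "providers/Microsoft.KeyVault/vaults/imlibra-me"}}}


def vault_doc(policies):
    return {"name": "imlibra-me", "properties": {"tenantId": NEW_TENANT, "accessPolicies": policies}}


def policy(principal, tenant, keys):
    return {"objectId": principal, "tenantId": tenant, "permissions": {"keys": keys}}


# Right after the transfer: identity still belongs to the old tenant and the
# vault only carries the stale policy entry that pointed at it.
DES_AFTER_MOVE = des_doc(OLD_PRINCIPAL, OLD_TENANT)
VAULT_AFTER_MOVE = vault_doc([policy(OLD_PRINCIPAL, OLD_TENANT, ["get", "wrapKey", "unwrapKey"])])
# After re-enabling the identity and re-granting access in the new tenant.
DES_RECOVERED = des_doc(NEW_PRINCIPAL, NEW_TENANT)
VAULT_RECOVERED = vault_doc([policy(NEW_PRINCIPAL, NEW_TENANT, ["get", "wrapKey", "unwrapKey"])])
# Re-granted, but with too few key permissions.
VAULT_PARTIAL = vault_doc([policy(NEW_PRINCIPAL, NEW_TENANT, ["get"])])

if __name__ == "__main__":
    for label, d, v in [("after move", DES_AFTER_MOVE, VAULT_AFTER_MOVE),
                        ("recovered", DES_RECOVERED, VAULT_RECOVERED),
                        ("partial grant", DES_RECOVERED, VAULT_PARTIAL)]:
        print(label + ":", audit_des(d, v) or ["ok"])
```

On real output, feed the JSON from the two `az ... show` commands into `audit_des`; a non-empty list tells you which of the two repair steps from the answers is still outstanding (re-enabling the identity, or re-granting the vault access to the new principal) before any VM backed by that DES is started.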