Azure SQL Server key vault access lost for one database which is using server level encryption

Toni August 20 reputation points
2026-06-23T13:03:49.0766667+00:00

We use an Azure SQL Server with a couple of databases in an elastic pool. A week ago one of the databases went into "Inaccessible" status.

On the TDE settings page for the database I get this message:

Access to Azure Key Vault has been lost for the server of this database. Follow the troubleshooting steps below to resolve this issue. Existing data will be inaccessible until this issue is resolved.

On the TDE settings page for the SQL Server I get this message:

Access to Azure Key Vault has been lost for this server. Follow the troubleshooting steps below to resolve this issue. Existing data will be inaccessible until this issue is resolved.

The SQL Server is using a Service-managed key for encryption and this was always set like this. The database which is having the issue temporarily used a Database level customer-managed key (CMK), but this was set back to Server-level encryption key 2 weeks ago and the database was working fine until 1 week ago, when it was set to inaccessible, probably through an automated process, because it happened outside of our working hours and there is no username attached to the log entry.

Is there any way to resolve this? There is not much I can do in the Azure portal itself. The SQL Server is set to service-managed key and the database to server level encryption so there should be no key vault involved which is managed by us.

Thank you!

Azure SQL Database

Answer accepted by the question author

Manoj Kumar Boyini 18,435 reputation points External Microsoft employee Moderator
2026-06-26T14:04:09.2266667+00:00

Hi @Toni August

Our analysis indicates that the database was previously configured with a database-level customer-managed key (CMK). Although the database was later switched back to server-level encryption after the Azure Key Vault recovery, a residual reference to the previously configured encryption key was not fully removed.

As part of Azure SQL Database's periodic Transparent Data Encryption (TDE) validation process, the service attempted to validate access to the historical key reference. Because the managed identity previously associated with the CMK configuration was no longer available, the validation could not be completed, causing the database to transition to the Inaccessible state.

To resolve the issue, please:

  1. Reassign the user-assigned managed identity that was previously used for the CMK configuration to the logical SQL server.
  2. Verify that the Azure Key Vault key previously used for TDE is present, enabled, and accessible.
  3. Ensure the managed identity has the required Azure Key Vault permissions: Get, Wrap Key, and Unwrap Key.
  4. Retry the key validation operation from the Transparent Data Encryption (TDE) settings page.

Once key validation succeeds, the database should transition back to an accessible state.


One person found this answer helpful.

1 additional answer

  1. Manoj Kumar Boyini 18,435 reputation points External Microsoft employee Moderator
    2026-06-23T14:31:03.68+00:00

    Hi @Toni August

    I kindly request you to please share the details requested in the private message for further investigation.

    Based on the symptoms and the error message shown on the TDE blade, Azure SQL is still detecting a dependency on Azure Key Vault for the database encryption protector. Even though the database was switched back to server-level encryption two weeks ago, the database becoming inaccessible with a Key Vault access error suggests that the database may still be referencing a customer-managed key (CMK) or encountered an issue during key validation.

    To help narrow down the cause, could you please confirm:

    • Whether the Azure Key Vault and key that were previously used for the database-level CMK still exist and are accessible.
    • Whether any changes were made recently to the Key Vault, key permissions, managed identities, networking, private endpoints, firewall rules, or DNS configuration.
    • Whether the key used previously has been disabled, deleted, or expired.

    Common causes for this type of issue include:

    • Lost permissions to Azure Key Vault (Get, Wrap Key, Unwrap Key).
    • Deleted or unavailable Key Vault/key.
    • Expired or disabled encryption key.
    • Network, DNS, or Private Endpoint connectivity issues preventing Azure SQL from reaching Azure Key Vault.

    If you can provide the requested details, we can further investigate the current encryption protector state and determine whether the database is still associated with a customer-managed key or if additional backend investigation is required.


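The four recovery steps in the accepted answer, together with the key-state and permission checks the moderator asks about in the answer above, as one added Az PowerShell script (not code from either answer or from Microsoft). Resource names are placeholders; the cmdlets are from the Az.Sql, Az.KeyVault and Az.ManagedServiceIdentity modules, and the two revalidation cmdlets are assumed to be available in a current Az.Sql release.

```powershell
# Added example: reattach the identity, check the historical key, restore
# permissions, then re-run TDE key validation. All names are placeholders.
$rg      = "rg-sql"                 # resource group of the logical server
$server  = "sql-logical-server"     # logical SQL server name
$db      = "inaccessible-db"        # database stuck in the Inaccessible state
$uamiRg  = "rg-identity"
$uami    = "uami-tde"               # identity formerly used for the DB-level CMK
$vault   = "kv-tde"
$keyName = "tde-key"                # key formerly used for the DB-level CMK

# Step 1: put the user-assigned managed identity back on the logical server.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $uamiRg -Name $uami
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server `
    -IdentityType "UserAssigned" -UserAssignedIdentityId @($identity.Id) `
    -PrimaryUserAssignedIdentityId $identity.Id | Out-Null

# Step 2: the historical key must exist, be enabled and not be expired.
$key = Get-AzKeyVaultKey -VaultName $vault -Name $keyName
if (-not $key) {
    # A soft-deleted key is recovered rather than replaced: validation targets
    # the exact key reference still recorded on the database.
    if (Get-AzKeyVaultKey -VaultName $vault -Name $keyName -InRemovedState) {
        Undo-AzKeyVaultKeyRemoval -VaultName $vault -Name $keyName | Out-Null
        $key = Get-AzKeyVaultKey -VaultName $vault -Name $keyName
    } else { throw "Key $keyName not found in $vault (not even soft-deleted)" }
}
if (-not $key.Enabled) { throw "Key $keyName is disabled; enable it first" }
if ($key.Expires -and $key.Expires -lt (Get-Date)) { throw "Key $keyName has expired" }

# Step 3: grant Get / Wrap Key / Unwrap Key. Access-policy vaults take an
# access policy; RBAC-enabled vaults need the equivalent built-in role instead.
$kv = Get-AzKeyVault -VaultName $vault
if ($kv.EnableRbacAuthorization) {
    New-AzRoleAssignment -ObjectId $identity.PrincipalId `
        -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
        -Scope $kv.ResourceId | Out-Null
} else {
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId `
        -PermissionsToKeys get,wrapKey,unwrapKey
}

# Step 4: re-run key validation for the server, then for the database.
Invoke-AzSqlServerTransparentDataEncryptionProtectorRevalidation -ResourceGroupName $rg -ServerName $server
Invoke-AzSqlDatabaseTransparentDataEncryptionProtectorRevalidation -ResourceGroupName $rg -ServerName $server -DatabaseName $db

# Confirm the server protector is still service-managed, as the question expects.
(Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server).Type
```

Run it from a session that already has Connect-AzAccount done for the subscription that owns both the server and the vault; the last line should print ServiceManaged once the database is accessible again.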
