Disk Encryption Sets broken after transfer of subscription

asked 2020-12-09T20:33:21.99+00:00
Heting Wang 96 Reputation points

The Managed Identity of my Disk Encryption Set gets broken after the transfer of my subscription. It says:

Failed to grant permissions to the key vault 'imlibra-me'. Error: An invalid value was provided for 'accessPolicies'.

But when I created another Disk Encryption Set, it was OK. Does it mean I will lose all of my data?

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.


Accepted answer
  1. answered 2020-12-10T06:28:59.963+00:00
    Heting Wang 96 Reputation points

    I solved it with this command, and it has absolutely no documentation at all:

    az disk-encryption-set update --name disk-encryption --resource-group resource --key-url $keyVaultKeyUrl --source-vault $keyVaultName --set identity.type=SystemAssigned

1 additional answer

  1. answered 2020-12-09T21:06:34.317+00:00
    deherman-MSFT 23,591 Reputation points Microsoft Employee

    @Heting Wang Per the documentation, this is recoverable. If you are using Disk Encryption Sets to encrypt Managed Disks with customer-managed keys, you must disable and re-enable the system-assigned identities associated with the Disk Encryption Sets, and you must re-create the role assignments, i.e. again grant the required permissions to the Disk Encryption Sets in the Key Vaults.

    Hope this helps! If you are still having issues after performing these steps please let me know.


    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
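
Putting the two answers together, here is an added example script that walks the documented recovery end to end: disable the orphaned system-assigned identity, re-enable it so a new service principal is created in the new tenant, re-grant the key permissions to that new principal, and verify the grant. This is example code written for this page; it is not from either poster and not Microsoft's. It assumes the resource names from the thread (DES `disk-encryption`, resource group `resource`, vault `imlibra-me`), a made-up key name `des-key`, that the vault uses the access-policy permission model (as the `accessPolicies` error suggests), and an Azure CLI already logged in to the new tenant. The two pure-shell helpers (key-URL parsing and the permission check) run without Azure at all; the Azure calls only run when the script is given its three arguments.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: re-establish a Disk Encryption
# Set's system-assigned identity after a subscription moves to another tenant,
# then re-grant the key permissions in Key Vault and verify them.
# Names used here (disk-encryption, resource, imlibra-me, des-key) are
# assumptions taken from or modelled on the thread; replace them with your own.
set -eu

# Extract the Key Vault name from a key URL of the form
# https://<vault>.vault.azure.net/keys/<key-name>/<key-version>.
# Pure shell: no Azure CLI needed, so it can be tested offline.
vault_name_from_key_url() {
  url="$1"
  host="${url#https://}"
  host="${host%%/*}"
  case "$host" in
    *.vault.azure.net) printf '%s\n' "${host%%.*}" ;;
    *) return 1 ;;
  esac
}

# Return 0 when a whitespace-separated key-permission list (the shape that
# `az keyvault show ... -o tsv` prints for an access policy) contains every
# permission a Disk Encryption Set needs: get, wrapKey and unwrapKey.
# Comparison is case-insensitive because Key Vault echoes the casing it stored.
has_des_key_permissions() {
  perms=" $(printf '%s' "$1" | tr '\n\t' '  ' | tr 'A-Z' 'a-z') "
  for p in get wrapkey unwrapkey; do
    case "$perms" in
      *" $p "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Recover one DES. Arguments: DES name, resource group, key URL.
# Requires an authenticated Azure CLI (`az login`) in the NEW tenant.
recover_des() {
  des="$1"; rg="$2"; key_url="$3"
  vault="$(vault_name_from_key_url "$key_url")"

  # 1. Disable the orphaned identity. Its service principal lived in the old
  #    tenant, so the new tenant's Key Vault cannot resolve its object ID
  #    (the likely cause of the "invalid value for accessPolicies" error).
  az disk-encryption-set update --name "$des" --resource-group "$rg" \
    --key-url "$key_url" --source-vault "$vault" \
    --set identity.type=None --output none

  # 2. Re-enable it, which creates a fresh service principal in the new tenant.
  #    (--source-vault takes a name or a full resource ID; pass the ID if the
  #    vault lives in a different resource group than the DES.)
  az disk-encryption-set update --name "$des" --resource-group "$rg" \
    --key-url "$key_url" --source-vault "$vault" \
    --set identity.type=SystemAssigned --output none

  # 3. Read the NEW principal ID. The old access-policy entry points at an
  #    object ID that no longer exists here, so the grant must be re-created.
  principal_id="$(az disk-encryption-set show --name "$des" --resource-group "$rg" \
    --query identity.principalId --output tsv)"

  # 4. Re-grant the key permissions (access-policy permission model).
  #    For a vault that uses Azure RBAC instead, assign the built-in
  #    "Key Vault Crypto Service Encryption User" role to $principal_id with
  #    `az role assignment create` rather than set-policy.
  az keyvault set-policy --name "$vault" --object-id "$principal_id" \
    --key-permissions get wrapKey unwrapKey --output none

  # 5. Verify that the policy actually landed for the new principal.
  granted="$(az keyvault show --name "$vault" \
    --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.keys" \
    --output tsv)"
  if has_des_key_permissions "$granted"; then
    echo "OK: $des (principal $principal_id) can get/wrap/unwrap keys in $vault"
  else
    echo "FAILED: $principal_id is missing get/wrapKey/unwrapKey on $vault" >&2
    return 1
  fi
}

# Only talk to Azure when invoked with the three arguments, e.g.
#   ./recover-des.sh disk-encryption resource \
#     https://imlibra-me.vault.azure.net/keys/des-key/<key-version>
if [ "$#" -eq 3 ]; then
  recover_des "$1" "$2" "$3"
fi
```

Two practical notes. First, nothing in this procedure touches the key or the disks: the managed disks remain encrypted under the same Key Vault key, and what was lost in the tenant move is only the identity that is allowed to wrap and unwrap that key, so once the new principal is granted access the disks are usable again. Second, the re-enabled identity gets a different object ID, so the stale access-policy entry for the old one stays behind; list the vault's policies and remove the dead entry with `az keyvault delete-policy --name <vault> --object-id <old-id>` to keep the vault's policy list honest.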