VM DR Cache Storage with Entra ID

Kristaps Karniitis 0 Reputation points
2025-03-10T07:11:28.9933333+00:00

Problem Statement: We previously had a Windows Server VM with Disaster Recovery (DR) configured, where the Cache Storage Account utilized Shared Access Keys for authentication. Following a recommendation from MDFC, we transitioned the storage account to use Entra ID-based authentication instead. However, after disabling Shared Access Keys, the DR process encountered errors, as the VM was no longer able to establish a connection with the Cache Storage Account.

  1. Silvia Wibowo 6,046 Reputation points Microsoft Employee Volunteer Moderator
    2025-03-10T23:41:27.6233333+00:00

    Hi @Kristaps Karniitis, I understand you have an Azure VM (Windows Server) with DR configured. DR is using ASR (Azure Site Recovery), and it requires a Cache Storage Account. You have a requirement to disable Storage Account Keys, but if you disable them, the DR process has errors.

    Cache storage requirements state that managed identity is not supported. The cache storage account must allow shared key access and Shared Access Signatures (SAS) signed by the shared key. Recent changes in Azure Policy disable key authentication due to security concerns. However, for ASR, you need to enable it again.

    You need to configure an exception in MDFC (Microsoft Defender for Cloud) that all cache storage accounts for ASR need to allow access to storage account keys. That's a requirement for ASR to work.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

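The two steps in the answer above (re-enable shared key access on the ASR cache account, then record a scoped exception so Defender for Cloud stops flagging it), as an added Az PowerShell example that is not part of this thread. It assumes the Az.Storage, Az.Resources and Az.PolicyInsights modules are installed, that Connect-AzAccount has already run with rights to modify the storage account and create policy exemptions on the subscription, and that the resource group and storage account names are placeholders you replace with your own. The policy display name is the built-in "Storage accounts should prevent shared key access" definition that the MDFC recommendation is based on.

```powershell
# Added example, not code from the thread. Assumes Az.Storage, Az.Resources and
# Az.PolicyInsights are installed and Connect-AzAccount has run with rights to
# change the storage account and create policy exemptions on the subscription.
# Resource names below are placeholders.
$ResourceGroup       = 'rg-dr'          # assumed name
$CacheStorageAccount = 'stasrcache01'   # assumed name of the ASR cache account

# 1. ASR needs shared-key access (and key-signed SAS) on the cache account, so re-enable it.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $CacheStorageAccount `
    -AllowSharedKeyAccess $true | Out-Null

# 2. Verify before touching replication: AllowSharedKeyAccess must now read $true.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $CacheStorageAccount
if (-not $sa.AllowSharedKeyAccess) {
    throw "Shared key access is still disabled on $($sa.StorageAccountName)"
}

# 3. Locate the built-in definition behind the MDFC recommendation. Az.Resources 7.x
#    exposes DisplayName at top level, older versions under .Properties, so check both.
$displayName = 'Storage accounts should prevent shared key access'
$def = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.DisplayName -eq $displayName -or $_.Properties.DisplayName -eq $displayName
}
if (-not $def) { throw "Built-in policy '$displayName' not found" }

# 4. Ask Policy Insights which assignment flags this account for that definition, so the
#    exemption covers exactly that (assignment, definition) pair and nothing else.
#    Evaluation after step 1 is not instant; if nothing comes back, run
#    Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroup and retry.
$states = Get-AzPolicyState -ResourceId $sa.Id -Filter "ComplianceState eq 'NonCompliant'" |
    Where-Object { $_.PolicyDefinitionName -eq $def.Name }
if (-not $states) {
    throw "No non-compliant state for '$displayName' on $($sa.Id) yet; rescan and retry"
}

# 5. Create one Waiver exemption per flagging assignment (normally only the Defender for
#    Cloud assignment). Scope is the single cache storage account, not the subscription,
#    so every other storage account stays under the policy. ExpiresOn forces a review.
foreach ($s in $states | Sort-Object PolicyAssignmentId, PolicyDefinitionReferenceId -Unique) {
    $assignment = Get-AzPolicyAssignment -Id $s.PolicyAssignmentId
    $params = @{
        Name              = "asr-cache-shared-key-$($assignment.Name)"
        Scope             = $sa.Id
        PolicyAssignment  = $assignment
        ExemptionCategory = 'Waiver'
        Description       = 'ASR cache storage account: Site Recovery requires shared key / SAS access'
        ExpiresOn         = (Get-Date).AddMonths(12)
    }
    # Initiative assignments need the reference id; a single-definition assignment has none.
    if ($s.PolicyDefinitionReferenceId) {
        $params.PolicyDefinitionReferenceId = $s.PolicyDefinitionReferenceId
    }
    New-AzPolicyExemption @params | Out-Null
}

# 6. Show what was recorded, for the change ticket.
Get-AzPolicyExemption -Scope $sa.Id
```

The exemption is a waiver of accepted risk, not a fix: the cache account still authenticates with a long-lived key, so keep its network rules or private endpoint restricted to the ASR traffic and rotate the key on the schedule you already use for other shared-key accounts.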