Error while enabling SQL DB backup on Azure VM

Question

Error while enabling SQL DB backup on Azure VM

TwickyBrain 0

I'm trying to enable SQL DB backup on Azure VM running Windows Server 2019 Datacenter and getting error.

Error code: Resource Operation Failure

Message: The resource operation completed with terminal provisioning state 'failed'

Troubleshooting steps:

VM rebooted with no luck
Check VM agent running latest version
Re-tried operations and being greeted with the same error.

FYI: This is a production server. Please assist with further guidance to fix this issue.

Thanks!

Bharath Y P 8,850 Reputation points Microsoft External Staff Moderator

2026-05-19T18:43:22.7366667+00:00
Hello TwickyBrain, it looks like you’re hitting a generic “Resource Operation Failure” when you try to turn on SQL backup for your Windows 2019 VM. That usually boils down to one of three culprits: network connectivity to the Backup service, the SQL IaaS Agent extension, or the SQL/VM state and permissions. Here’s a quick game plan:

Verify network connectivity:

Ensure the VM has outbound connectivity (TCP 443 and required ports) to Azure services such as:

AzureBackup

AzureActiveDirectory

Storage

Also confirm access to Azure platform endpoints (for example: 168.63.129.16)

Validate that no NSGs, firewalls, or proxies are blocking this traffic

If restrictive security policies are in place, ensure TLS 1.2 is enabled

Check VM Agent and Backup Extensions (Critical):

Ensure the Windows Azure Guest Agent service is running

In the Azure Portal > VM > Extensions:

Verify VMSnapshot (Microsoft.Azure.RecoveryServices.VMSnapshot) is not in a failed state

If failed, remove and retry the backup operation (it will reinstall automatically)

Check the SQL IaaS Agent Extension:

Verify the VM is registered under SQL Virtual Machines in Azure

Check the SQL IaaS Agent Extension status:

If unhealthy > try Repair

If repair fails > uninstall and reinstall

After reinstall, reconfigure the backup settings

Confirm VM & SQL instance readiness

VM state: Running

SQL Server service: Running and responsive

Ensure required permissions:

SQL login must have SYSADMIN or CONTROL SERVER role

Run built-in diagnostics:

Go to:

Recovery Services Vault > Backup Items > SQL in Azure VM

Select your VM > Run troubleshooting / diagnostics

Review insights related to:

Connectivity

Permissions

Extension/plugin failures

If you still facing issue, could you please help us with the below details:

Which Azure backup extension or agent are you using and what version is installed?

Can you share the full error details from the Azure Activity Log or the JSON output returned by the failed operation?

What is the SQL Server version, and is the database in full or simple recovery mode?

Hope this helps. If the information was useful, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.
Bharath Y P 8,850 Reputation points Microsoft External Staff Moderator

2026-05-20T19:30:08.0433333+00:00

Just checking if the information shared was helpful. If so, please consider accepting the answer and giving it an upvote.

If you have any further questions or need additional clarification, feel free to reach out. Thanks!

2 answers

Your answer

Bharath Y P 8,850 Reputation points Microsoft External Staff Moderator

2026-05-20T19:30:08.0433333+00:00

Just checking if the information shared was helpful. If so, please consider accepting the answer and giving it an upvote.

If you have any further questions or need additional clarification, feel free to reach out. Thanks!

Answer 1

kagiyama yutaka 3,080

i think the fail comes from the SQL IaaS extension not registering right, and u can reinstall it under VM → Extensions and confirm Full mode, and check outbound https 443 for Azure Backup.

0 comments

Answer 2

AI answer

The error indicates that the Azure Backup workload extension or connectivity required for SQL backup on the VM is failing. Since reboot and VM agent checks did not help, the next steps are to validate extension health, connectivity, and re‑register the SQL workload extension.

Follow these steps in order:

Confirm the VM is running and reachable

Ensure the VM is in the Running state in the Azure portal.
Verify that SQL Server is up and running on the VM.

Check for common extension and connectivity errors

In the Recovery Services vault, open the backup item for this SQL VM and check the latest failed job details for a specific error code such as:
- WorkloadExtensionNotReachable
- UserErrorVMInternetConnectivityIssue
- UserErrorWindowsWLExtFailedToStartPluginService
If you see:
- WorkloadExtensionNotReachable: The VM is shut down or cannot contact Azure Backup.
  - Ensure the VM is running and has internet connectivity.
  - Then re‑register the extension on the SQL Server VM as described below.
- UserErrorVMInternetConnectivityIssue: Outbound connectivity or TLS cipher issues.
  - If using NSGs, allow outbound access using service tags AzureBackup, AzureActiveDirectory, and Storage as described in the NSG tags section of the SQL backup documentation.
  - Ensure DNS resolves Azure endpoints.
  - Verify the VM is not behind a load balancer or firewall/proxy that blocks outbound calls to Azure Backup, Azure Storage, or Microsoft Entra ID.
  - If a GPO restricts TLS cipher suites, remove the VM from that GPO or modify it to allow the required cipher suites.
- UserErrorWindowsWLExtFailedToStartPluginService: Workload plugin service cannot start due to permissions.
  - Ensure NT Service\AzureWLBackupPluginSvc has Read permissions on:
    - C:\Windows\Microsoft.NET\assembly\GAC_32
    - C:\Windows\Microsoft.NET\assembly\GAC_64
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
  - In Local Security Policy → Local Policies → User Rights Assignment → Bypass traverse checking:
    - Ensure Everyone is present by default, and if missing, add NT Service\AzureWLBackupPluginSvc.
  - Restart the AzureWLBackupPluginSvc service (or retry the backup/enable‑protection operation).

Re‑register the SQL workload extension on the VM If backup/restore/configure operations are failing and the backup status shows Not reachable, or you see errors like WorkloadExtensionNotReachable / UserErrorWorkloadExtensionNotInstalled / WorkloadExtensionNotPresent / WorkloadExtensionDidntDequeueMsg, re‑register the extension:

Typical causes include:
- Extension deleted/uninstalled from the portal or Control Panel.
- VM restored from an older point in time.
- VM shut down for an extended period so extension configuration expired.
- VM deleted and recreated with the same name.
- Availability Group node not fully registered.
Use the documented re‑register extension on the SQL Server VM procedure (PowerShell or portal) and then retry Discover DBs in VMs and Configure Backup.

Verify SQL backup registration and vault association

Ensure the VM is registered for SQL backup in the same Recovery Services vault where backups are being configured.
If the VM was previously registered in a different vault, it must be unregistered from that vault first. This requires:
- Stopping protection for all protected data sources.
- Deleting backed‑up data (destructive operation; review carefully before doing this in production).
After unregistering from the old vault, register the VM with the correct vault and retry discovery/configure backup.

Retry the enable‑backup operation

After fixing connectivity, extension, and registration issues, retry Configure Backup for the SQL databases from the Recovery Services vault.

If the job still fails with a generic “Resource Operation Failure” but a more specific error code is present in job details, use that code with the error tables in the SQL backup troubleshooting article to apply the corresponding recommended action.

References:

Troubleshoot SQL Server database backup by using Azure Backup

AI-generated content may be incorrect. Read our transparency notes for more information.

Share via

Error while enabling SQL DB backup on Azure VM

2 answers

Your answer