Getting error "UserErrorKeyVaultPermissionsNotConfigured" while enabling backup on encrypted VM using Azure role-based access control access policy in Key vault

Sushmita Pandey 1 Reputation point
2021-12-08T14:06:27.267+00:00

I am getting the error below while enabling backup on an encrypted VM. I am using Azure role-based access control in Key Vault.

"error": {
"code": "UserErrorKeyVaultPermissionsNotConfigured",
"message": "Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines."
}

I have also enabled managed identity on the recovery service vault and given a custom role to it on the Key Vault, but I am still getting the same error. Can anyone help me with the RBAC roles which I can use to fix this issue?


1 answer

  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-12-08T23:16:48.977+00:00

    @Sushmita Pandey
    Thank you for your post!

    Based off your error message "Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines", and our "Backup and restore encrypted Azure virtual machines" documentation, it looks like you have to provide permissions to the Azure Backup Service by adding it to the Key Vault access policies.

    To set permissions:
    1. Within the Azure portal, select All services, and search for Key vaults.
    2. Select the key vault associated with the encrypted VM you're backing up.
    3. Select Access policies > Add Access Policy.

    4. Add access policy > Configure from template (optional), select Azure Backup.

    • The required permissions are prefilled for Key permissions and Secret permissions: Get, List, and Backup.
    • If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need permissions for secrets.

    5. Select Add. Backup Management Service is added to Access policies.

    If you're still running into issues, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
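
A way to check the end state of the steps in the answer above, as an added example that is not part of the original answer or Microsoft's code: it inspects vault JSON in the shape printed by `az keyvault show` and reports where the Backup Management Service policy differs from Get, List, and Backup (secrets only for BEK-only VMs). The function name, the sample vault, and the object ID are constructed placeholders.

```python
import json

REQUIRED = {"get", "list", "backup"}  # what the Azure Backup template prefills

def check_backup_policy(vault, backup_object_id, bek_only=False):
    """Return findings for the Backup access policy; an empty list means it matches."""
    props = vault.get("properties", {})
    findings = []
    if props.get("enableRbacAuthorization"):
        # In the Azure RBAC permission model the vault does not evaluate access policies.
        findings.append("vault is in RBAC mode: access policies are not evaluated")
    policy = next((p for p in props.get("accessPolicies") or []
                   if p.get("objectId", "").lower() == backup_object_id.lower()), None)
    if policy is None:
        return findings + ["no access policy for the backup service object ID"]
    perms = policy.get("permissions") or {}
    for kind in ("keys", "secrets"):
        granted = {p.lower() for p in perms.get(kind) or []}
        # BEK-only VMs need secret permissions only, so no key permission is wanted.
        wanted = set() if (kind == "keys" and bek_only) else REQUIRED
        missing = set() if "all" in granted else wanted - granted
        extra = granted - wanted
        if missing:
            findings.append(f"{kind}: missing {sorted(missing)}")
        if extra:
            findings.append(f"{kind}: not needed {sorted(extra)}")
    return findings

# Constructed sample in the shape printed by `az keyvault show`; IDs are placeholders.
SAMPLE = json.loads("""
{
  "name": "example-kv",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["Get", "List"],
                       "secrets": ["Get", "List", "Backup", "Delete"]}}
    ]
  }
}
""")
BACKUP_OID = "00000000-0000-0000-0000-000000000001"  # placeholder object ID

if __name__ == "__main__":
    for finding in check_backup_policy(SAMPLE, BACKUP_OID):
        print(finding)
```

The object ID of Backup Management Service differs per tenant, so pass the one shown for it in your own directory.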
