Error saving passphrase to Azure key vault for DPM 2025

Michael 71

When attempting to add the passphrase to an Azure Key Vault, the error "Managed Identity is not configured for the Recovery Services Vault" is issued. I followed the instructions listed here for RBAC https://learn.microsoft.com/en-us/azure/backup/save-backup-passphrase-securely-in-azure-key-vault?tabs=azure-portal. The Status in the System assigned page of the Identity of the RSV is set to On. If I view the "Azure role assignments" on the page, the Key Vault is listed with the role of "Key Vault Secrets Officer".

What could cause this error as I've seemed to follow all the steps those in the troubleshooting section? Thanks.

Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-16T17:52:17.94+00:00

Hi Michael
Thanks for posting your query and using Microsoft Q&A Forum,

We are checking with our internal team to get more information related to your query and will get back to you as soon as once we have an update.
Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-16T19:31:01.0566667+00:00

Hi Michael

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Even though you indicated that the status is set to "On," it may be helpful to turn it off and then back on again to refresh the configuration.

Verify that the Managed Identity has been granted the required permissions on the Key Vault. While the "Key Vault Secrets Officer" role should provide access to secrets, make sure there are no additional restrictions in place.

If you have recently updated the role assignments, please wait a few minutes before attempting to add the passphrase again.

Make sure the Managed Identity has the right permissions in the Key Vault's access policies to get and list secrets. If you're using RBAC, check that there are no conflicting access policies that could block access.

If the resources are in different subscriptions or resource groups, make sure that the permissions for cross-subscription or cross-resource group access are properly configured.

Review the logs for any additional error messages or warnings that could help identify the issue.

Try using Azure CLI commands to check if you can access the Key Vault with the Managed Identity.

az keyvault secret show --name <YourSecretName> --vault-name <YourKeyVaultName> --identity
https://learn.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest

For reference, please review this documentation:-
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?WT.mc_id=Portal-Microsoft_Azure_KeyVault

If you have any further queries, do let us know.

If the answer is helpful, please and "Upvote it".
Michael 71 Reputation points

2025-01-16T22:56:01.8933333+00:00

They are in different resource groups so how do I grant access?
Michael 71 Reputation points

2025-01-16T23:04:08.6633333+00:00

They are in separate resource groups.
Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-17T03:16:13.6+00:00

Hi Michael
The location of your Key Vault and Recovery Services Vault doesn't matter; the managed identity will function seamlessly across the subscription
Michael 71 Reputation points

2025-01-17T15:52:27.4533333+00:00

Thanks for the information. I believe since you have content on the "Access Policies" page of the key vault, you are not using RBAC as I am as my page says "Access policies not available" on that page with RBAC. Also, my Backup Configuration on the recovery services vault is set to zonally redundant and it cannot be changed as I already have quite a bit of content present.

What has to be done with those configurations?
Michael 71 Reputation points

2025-01-20T20:06:43.5833333+00:00

I have no idea why (I suspect possibly delays in Azure?), but I moved the DPM installation to a Windows Server 2025 host (from 2022) using the same database as in the past. After that, the Azure key vault is working as expected and I can store the key. I have made no other changes in Azure.
Michael Hlavinka 0 Reputation points

2025-01-20T22:54:18.57+00:00

I believe I already posted this answer, but this site does not seem to post the updates, so sorry if this is a duplicate. The problem no longer exists although I have made no changes in Azure. I have redeployed the DPM configuration to a new Windows Server 2025 instead of the Server 2022 host I used in the past. Also, a couple of days have passed in case it takes time for Azure to show these changes.
Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-21T01:58:03.5933333+00:00
Hi Michael

Thank you so much for letting me know, Issue Resolved Without Changes:

I suspect below two possible issues

The issue was temporary and might have been resolved on Azure's backend.

There might be a delay in Azure reflecting changes or updates in your configuration.

I request to take a moment and kindly accept the answer if it is helpful.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks,

Pranay.

1 answer

Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-17T10:12:53.3666667+00:00
Hi Michael
I have successfully replicated the issue. It appears that the problem may be related to the managed identity scope and the permissions you've configured. The attached screenshot outlines the step-by-step procedure I implemented in my test environment, where the issue was reproducible but was functioning correctly

Please double-check the configuration and follow the steps below to resolve the issue
Navigate to your Recovery Services vault in the Azure portal.

In the left-hand menu, select Identity under the Settings section.

Turn on the System assigned managed identity and click Save.

Note down the Object ID of the managed identity

https://learn.microsoft.com/en-us/azure/backup/save-backup-passphrase-securely-in-azure-key-vault?tabs=azure-portal#enable-permissions-using-role-based-access-permission-model-for-key-vault

https://learn.microsoft.com/en-us/azure/backup/install-mars-agent#install-and-register-the-agent

Note: The RG of Recovery service vault and the RG of key vault is in different not the name in the lab I tested
If you have any further queries, do let us know.

If the answer is helpful, please and "Upvote it".
Please sign in to rate this answer.

1 person found this answer helpful.
Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-17T15:31:16.4533333+00:00

Hi Michael
I have convert the comment into an answer. If you could kindly accept answer for the benefit of the community, it would be greatly appreciated and helpful to others.

Michael 71 Reputation points

2025-01-17T15:56:15.7666667+00:00

It's not answered as it does not work for RBAC configuration on the key vault.

Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-17T18:28:59.1733333+00:00

Hi Michael
Since your Key Vault is indicating "Access policies not available," this confirms that you are using Azure RBAC instead of the legacy access policy model.

Navigate to the Azure Portal.

Go to your Key Vault.

Select Access Control (IAM) to review the role assignments.

Assign the appropriate https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations Utilize built-in roles such as Key Vault Administrator, Key Vault Contributor,

Concerning your Recovery Services Vault's backup configuration, which is currently set to zonally redundant storage (ZRS), you may be unable to change this setting due to the presence of existing backup data
ZRS is intended to provide high availability across multiple zones within a region. However, if you have existing backup data, modifying the redundancy options usually necessitates deleting those backups
If you wish to change the redundancy type, you should consider creating a new Recovery Services Vault with your desired redundancy setting and migrating your backups. This process includes the following steps:

Create a new vault with your preferred redundancy option, such as locally redundant storage or geo-redundant storage.

Set up backup jobs in the new vault.

If necessary, delete the old backups from the original vault
https://learn.microsoft.com/en-us/azure/backup/install-mars-agent#modify-storage-replication

I hope you understand

Could you please take a moment to retake the survey on the above response? Your feedback is greatly appreciated.

Michael 71 Reputation points

2025-01-17T21:25:57.2366667+00:00

In your screenshot you are showing it to be selected as "Vault access policy" instead of RBCA. I have added the Key Vault Secrets Officer to the Recovery Service Vault in the Key Vault's "Access control (IAM)". I have not changed any settings on these built-in objects.

I chose ZRS as this is a long-term solution for my on-premise DPM server. I didn't want to pay the extra for global when I didn't think it would be required.

I may open a support ticket on this if I cannot get it to work.

Pranay Reddy Madireddy 1,575 Reputation points Microsoft Vendor

2025-01-17T21:59:04.5833333+00:00

Hi Michael
If you continue to experience issues after checking your configurations and roles, consider reaching out to Azure support for assistance specific to your setup. azure support

Could you please take a moment to retake the survey on the above response? Your feedback is greatly appreciated.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Error saving passphrase to Azure key vault for DPM 2025

1 answer

Your answer