Azure File Share Backup fails - authentication failure

Senthilnath TM 241 Reputation points
2024-08-02T11:56:07.56+00:00

Due to security policy, "Allow Storage account key access" is "disabled" on our Azure Storage accounts.

The file shares on this storage account are backed up by Azure Recovery Vaults.

Backups fail as Azure Recovery Vaults do not use the AD authentication.

How can we take backups with "Storage access keys" disabled?


2 answers

  1. SadiqhAhmed-MSFT 47,836 Reputation points Microsoft Employee
    2024-08-09T22:07:14.45+00:00

    @Senthilnath TM Greetings!

    Sorry for the delayed response. To continue using Azure Recovery Vaults for backup without storage access keys, you can consider using Azure Managed Identities, which provide Azure services with an automatically managed identity in Azure Active Directory (Azure AD). Managed Identities can be used to authenticate to services that support Azure AD authentication, including Azure Recovery Vaults.

    Here's a general approach to achieve this:

    Enable Managed Identities: For the Azure resources you want to back up, enable a system-assigned managed identity or use a user-assigned managed identity.

    Grant Permissions: Assign the necessary role-based access control (RBAC) permissions to the managed identity for the Recovery Services vault. This typically includes permissions to perform backup and restore operations.

    Configure Backup Policy: Adjust your backup policy to use the managed identity for authentication instead of storage access keys.

    Monitor Backups: Ensure that your backups are running successfully with the new configuration by monitoring the backup jobs in the Recovery Services vault.

    For detailed steps and guidance, you can refer to the Azure documentation on encrypting backup data in a Backup vault by using customer-managed keys and managing access to Azure resources using RBAC and Azure AD.

    If you encounter any issues or need further assistance, Azure support can provide more specific guidance based on your environment and requirements. Remember to test any changes in a non-production environment before applying them to your live resources to ensure that your backups continue to function as expected. If you have any more questions or need further assistance, feel free to ask.

    For your reference: https://learn.microsoft.com/en-us/azure/backup/backup-create-recovery-services-vault#set-encryption-settings

    Hope this helps. Please write back to us if you have any further questions.




  2. Garcia, Fredy 1 Reputation point
    2024-12-19T10:11:11.21+00:00

    I just tested with a recovery vault that has a managed identity and a storage account with access keys disabled, private endpoint, public access disabled... Azure Files backup worked fine. So the key might just be making sure the recovery vault has a managed identity. Doesn't look like any special permission/role is required.
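
A read-only pre-check for the two settings this thread turns on, as an added example that is not part of either answer or of Microsoft's tooling: it reads `allowSharedKeyAccess` on the storage account and `identity.type` on the Recovery Services vault with the Azure CLI. The verdict names, and the treatment of a vault without an identity as the failing state, are assumptions drawn from the answers above.

```shell
#!/usr/bin/env bash
# Added example: read-only pre-check for the two settings discussed in this thread.
# Requires a logged-in Azure CLI; all resource names are supplied by the caller.

# Trim whitespace and lowercase a value returned by `az ... --output tsv`.
norm() { printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'; }

# classify <allowSharedKeyAccess> <vault identity.type>
# Prints a verdict (names are this example's own); returns 1 only for the
# state the thread reports as failing: keys disabled and no vault identity.
classify() {
  local key_access identity
  key_access=$(norm "$1")
  identity=$(norm "$2")
  # An unset (empty) allowSharedKeyAccess means key access is still allowed.
  if [ "$key_access" != "false" ]; then
    echo "KEYS_ENABLED"
    return 0
  fi
  case "$identity" in
    ""|none) echo "NO_VAULT_IDENTITY"; return 1 ;;
    *)       echo "VAULT_IDENTITY_PRESENT"; return 0 ;;
  esac
}

# check_backup_prereqs <storage-rg> <storage-account> <vault-rg> <vault-name>
# Returns 2 if either az query fails (not logged in, wrong name, no access).
check_backup_prereqs() {
  local key_access identity
  key_access=$(az storage account show --resource-group "$1" --name "$2" \
    --query allowSharedKeyAccess --output tsv) || return 2
  identity=$(az backup vault show --resource-group "$3" --name "$4" \
    --query identity.type --output tsv) || return 2
  classify "$key_access" "$identity"
}

# Run the check only when called with the four expected arguments.
if [ "$#" -eq 4 ]; then
  check_backup_prereqs "$@"
fi
```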

