Problem: Azure Backup with Disk Encryption and Key Vault Permissions (RBAC)

Maxime Callebaut 20 Reputation points
2024-12-27T13:24:36.29+00:00

I’m trying to back up a virtual machine with disk encryption (both OS and data disks) using Recovery Services Vault in Azure. The key used for disk encryption is stored in Azure Key Vault, and I'm using RBAC (Role-Based Access Control) for access management instead of Access Policies.

Steps Taken:

  • I’ve enabled the Managed Identity for the Recovery Services Vault.
  • I’ve assigned the Managed Identity the following roles on the Key Vault (Key Vault Crypto User, Key Vault Reader).

Despite this, I'm still encountering the following error when attempting to back up the VM:

"Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines."

What I’ve Tried:

  • I’ve ensured the Key Vault is correctly configured with RBAC.
  • I’ve verified that the Recovery Services Vault’s Managed Identity has the correct roles assigned.
  • I have checked that both the OS and data disks of the virtual machine are encrypted using Azure Disk Encryption.


Question:

What additional permissions or steps are required to ensure that Azure Backup has sufficient access to the Key Vault for backing up encrypted virtual machines? Are there other specific roles or key permissions that need to be granted?

Tags: Azure Key Vault, Azure Backup, Azure Virtual Machines, Azure Role-based access control

Accepted answer
Silvia Wibowo 4,846 Reputation points Microsoft Employee
2024-12-30T00:51:20.4066667+00:00

Hi @Maxime Callebaut, I understand that you've assigned RBAC roles to your Recovery Services Vault but your backup job still failed.

The Managed Identity of the Recovery Services Vault needs to have the appropriate RBAC roles on the Azure Key Vault used to encrypt the data during the backup process. You mentioned that you've done this step.

Additionally, as the VM is using ADE (Azure Disk Encryption), you need to assign the Key Vault Administrator role to the Backup Management Service Microsoft Entra app. Please follow this guide: Back up ADE encrypted VMs with RBAC enabled key vaults.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

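The accepted answer names two principals that must hold roles on the ADE key vault: the Recovery Services vault's managed identity and the Backup Management Service app. The check below, an added example rather than code from the thread or from Microsoft, takes role-assignment records in the shape of `az role assignment list --scope <vault-id> --include-inherited -o json` output and reports which required role each principal is still missing at the vault, then emits the `az role assignment create` commands that would close each gap. All resource IDs and object IDs are constructed; the Backup Management Service object ID is a placeholder you must look up in your own tenant. The role set for the vault identity is the pair the question's poster assigned; the Key Vault Administrator entry is the role the answer adds.

```python
"""Audit the Key Vault RBAC assignments Azure Backup needs for an ADE-encrypted VM.

Added example, not code from the Q&A thread. Records mimic the fields of
`az role assignment list` output; every ID and name below is constructed.
"""
from typing import Dict, Iterable, List, Set

# Constructed resource ID of the RBAC-enabled Key Vault that holds the ADE key.
KEY_VAULT_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"
)
# Constructed object ID of the Recovery Services vault's managed identity.
RSV_IDENTITY_ID = "11111111-1111-1111-1111-111111111111"
# Placeholder: object ID of the "Backup Management Service" Entra app in YOUR tenant
# (for example via `az ad sp list --display-name "Backup Management Service"`).
BACKUP_SERVICE_ID = "<object-id-of-Backup-Management-Service-app>"

# Roles each principal must hold at (or above) the vault scope.
REQUIRED_ROLES: Dict[str, Set[str]] = {
    RSV_IDENTITY_ID: {"Key Vault Crypto User", "Key Vault Reader"},  # from the question
    BACKUP_SERVICE_ID: {"Key Vault Administrator"},                  # from the answer
}


def _segments(scope: str) -> List[str]:
    return [s.lower() for s in scope.strip("/").split("/")]


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if an assignment at assignment_scope is inherited by target_scope
    (same scope, or a parent such as the resource group or subscription).
    Segment-wise comparison avoids 'rg' accidentally matching 'rg-demo'."""
    a, t = _segments(assignment_scope), _segments(target_scope)
    return len(a) <= len(t) and t[: len(a)] == a


def effective_roles(assignments: Iterable[dict], principal_id: str, target_scope: str) -> Set[str]:
    """Role names principal_id holds that apply at target_scope."""
    return {
        ra["roleDefinitionName"]
        for ra in assignments
        if ra["principalId"] == principal_id and scope_covers(ra["scope"], target_scope)
    }


def missing_assignments(assignments: Iterable[dict],
                        required: Dict[str, Set[str]] = REQUIRED_ROLES,
                        target_scope: str = KEY_VAULT_SCOPE) -> Dict[str, Set[str]]:
    """Map each principal to the required roles it does NOT yet hold at the vault."""
    assignments = list(assignments)
    gaps: Dict[str, Set[str]] = {}
    for principal, roles in required.items():
        missing = roles - effective_roles(assignments, principal, target_scope)
        if missing:
            gaps[principal] = missing
    return gaps


def remediation_commands(gaps: Dict[str, Set[str]], target_scope: str = KEY_VAULT_SCOPE) -> List[str]:
    """Azure CLI commands that close each gap, scoped to the single vault so the
    broad Key Vault Administrator role is not granted any wider than needed."""
    return [
        f'az role assignment create --assignee-object-id {p} '
        f'--assignee-principal-type ServicePrincipal --role "{r}" --scope {target_scope}'
        for p, roles in gaps.items()
        for r in sorted(roles)
    ]


# Constructed sample mirroring the question: the vault identity has its two roles
# (one inherited from the resource group); the Backup Management Service app only
# has a role on an unrelated vault, which must not count.
SAMPLE_ASSIGNMENTS = [
    {"principalId": RSV_IDENTITY_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Crypto User", "scope": KEY_VAULT_SCOPE},
    {"principalId": RSV_IDENTITY_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"},
    {"principalId": BACKUP_SERVICE_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Administrator",
     "scope": KEY_VAULT_SCOPE.replace("kv-demo", "kv-other")},
]

if __name__ == "__main__":
    for cmd in remediation_commands(missing_assignments(SAMPLE_ASSIGNMENTS)):
        print(cmd)
```

Run against real data by loading the JSON from `az role assignment list --scope <vault-id> --include-inherited` in place of `SAMPLE_ASSIGNMENTS`. Note that the vault to audit is the one referenced by the VM's disk encryption settings, which need not be the vault used for the Recovery Services vault's own customer-managed key.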
