UserErrorKeyVaultPermissionsNotConfigured in Azure Backup

If you’re working with encrypted Azure Virtual Machines and attempting to set up backup, you’ve likely encountered this frustrating error:

Error Code: UserErrorKeyVaultPermissionsNotConfigured
Error message: Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.

This error occurs because Azure Backup needs specific permissions to access your Key Vault to handle encryption keys during backup and restore operations. In this post, we’ll walk through exactly how to resolve this issue, covering both traditional access policies and the newer RBAC approach.

Understanding the Problem

When you encrypt Azure VMs using Azure Disk Encryption, the encryption keys are stored in Azure Key Vault. For Azure Backup to successfully back up these encrypted VMs, it needs permission to:

  • Read encryption keys (KEK – Key Encryption Keys)
  • Access secrets (BEK – BitLocker Encryption Keys)
  • Perform backup operations on these cryptographic materials

Without proper permissions, the backup service cannot access the encryption keys, resulting in backup failures.

Two Permission Models in Azure Key Vault

Azure Key Vault supports two access control models:

  1. Access Policies (Traditional model)
  2. Azure RBAC (Role-Based Access Control – Newer model)

The solution depends on which model your Key Vault uses.

Identifying Your Key Vault’s Access Model

To check which model your Key Vault uses:

  1. Navigate to your Key Vault in the Azure portal
  2. Look at the “Access policies” section
  3. If you see “Access policies not available” with a message about RBAC, your vault uses Azure RBAC
  4. If you can see and manage access policies directly, your vault uses the traditional access policy model

Solution for Access Policy Model

If your Key Vault uses access policies, follow these steps:

Using Azure Portal

  1. Go to your Key Vault in the Azure portal
  2. Navigate to “Access policies”
  3. Click “Add Access Policy”
  4. Configure the policy with these permissions:
    • Key permissions: Get, List, Backup
    • Secret permissions: Get, List, Backup
    • Select principal: Search for “Backup Management Service”
  5. Save the access policy

Using PowerShell

# Set access policy for Azure Backup
Set-AzKeyVaultAccessPolicy -VaultName "YourKeyVaultName" -ServicePrincipalName "262044b1-e2ce-469f-a196-69ab7ada62d3" -PermissionsToKeys get,list,backup -PermissionsToSecrets get,list,backup

Using Azure CLI

# Same access policy via Azure CLI (the --spn value is the Backup Management Service application ID)
az keyvault set-policy --name YourKeyVaultName --spn 262044b1-e2ce-469f-a196-69ab7ada62d3 --key-permissions get list backup --secret-permissions get list backup

Solution for Azure RBAC Model

If your Key Vault uses Azure RBAC (which is increasingly common), you need to assign specific roles to the Azure Backup service.

Step 1: Find the Backup Service Principal Object ID

First, you need to get the correct Object ID for the Backup Management Service in your tenant:

# Get the service principal Object ID
$backupServiceObjectId = (Get-AzADServicePrincipal -ApplicationId "262044b1-e2ce-469f-a196-69ab7ada62d3").Id
Write-Host "Backup Service Object ID: $backupServiceObjectId"

Step 2: Assign Required Roles

For backup and restore operations, assign these roles:

# Get Key Vault resource ID
$keyVaultId = (Get-AzKeyVault -VaultName "YourKeyVaultName").ResourceId

# Assign roles for backup and restore
New-AzRoleAssignment -ObjectId $backupServiceObjectId -RoleDefinitionName "Key Vault Crypto Officer" -Scope $keyVaultId
New-AzRoleAssignment -ObjectId $backupServiceObjectId -RoleDefinitionName "Key Vault Secrets Officer" -Scope $keyVaultId
New-AzRoleAssignment -ObjectId $backupServiceObjectId -RoleDefinitionName "Key Vault Reader" -Scope $keyVaultId

Using Azure CLI for RBAC

# Get Key Vault resource ID
KEYVAULT_ID=$(az keyvault show --name YourKeyVaultName --query id -o tsv)

# Get Backup service Object ID
BACKUP_OBJECT_ID=$(az ad sp show --id 262044b1-e2ce-469f-a196-69ab7ada62d3 --query id -o tsv)

# Assign roles
az role assignment create --assignee $BACKUP_OBJECT_ID --role "Key Vault Crypto Officer" --scope $KEYVAULT_ID
az role assignment create --assignee $BACKUP_OBJECT_ID --role "Key Vault Secrets Officer" --scope $KEYVAULT_ID
az role assignment create --assignee $BACKUP_OBJECT_ID --role "Key Vault Reader" --scope $KEYVAULT_ID

Understanding the Role Differences

For Backup-Only Operations

If you only need backup capabilities (no restore), these minimal roles suffice:

  • Key Vault Crypto Service Encryption User
  • Key Vault Secrets User
  • Key Vault Reader

For Backup and Restore Operations

For full backup and restore capabilities, use these roles:

  • Key Vault Crypto Officer: Provides read/write access to keys
  • Key Vault Secrets Officer: Provides read/write access to secrets
  • Key Vault Reader: Provides general read access

The “Officer” roles include all permissions from the “User” roles plus additional write/create permissions needed for restore operations.
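The detection step and both solutions above can be combined into one script that grants only the role set the scenario needs. This is an added example, not code from the original post; it assumes the Az.KeyVault and Az.Resources modules are installed, that Connect-AzAccount has already run against the right subscription, and that the application ID is the Backup Management Service ID quoted earlier in the post.

```powershell
# Added example: detect the vault's access model and grant the Backup Management
# Service least-privilege access. Assumes Az modules are loaded and Connect-AzAccount
# has run; the application ID is the one quoted in the post.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [switch] $RestoreRequired   # omit for backup-only (User roles); set for backup and restore (Officer roles)
)

$backupAppId = "262044b1-e2ce-469f-a196-69ab7ada62d3"

# Resolve the service principal once; create it if it was never provisioned in this tenant
$sp = Get-AzADServicePrincipal -ApplicationId $backupAppId
if (-not $sp) {
    Write-Host "Backup Management Service principal not found in tenant; creating it"
    $sp = New-AzADServicePrincipal -ApplicationId $backupAppId
}

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key Vault '$VaultName' not found in the current subscription" }

if ($vault.EnableRbacAuthorization) {
    # RBAC model: choose the role set described under "Understanding the Role Differences"
    $roles = if ($RestoreRequired) {
        @("Key Vault Crypto Officer", "Key Vault Secrets Officer", "Key Vault Reader")
    } else {
        @("Key Vault Crypto Service Encryption User", "Key Vault Secrets User", "Key Vault Reader")
    }
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
        Select-Object -ExpandProperty RoleDefinitionName
    foreach ($role in $roles) {
        if ($existing -contains $role) {
            Write-Host "Already assigned: $role"
        } else {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $vault.ResourceId | Out-Null
            Write-Host "Assigned: $role"
        }
    }
} else {
    # Access policy model: get/list/backup on keys and secrets, addressed by object ID
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
        -PermissionsToKeys get,list,backup -PermissionsToSecrets get,list,backup
    Write-Host "Access policy set for the Backup Management Service (get, list, backup on keys and secrets)"
}
Write-Host "Allow 5-10 minutes for propagation before retrying the backup job"
```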

Troubleshooting Common Issues

Service Principal Not Found Error

If you get a “BadRequest” error when assigning roles, the service principal might not exist in your tenant:

# Check if service principal exists
Get-AzADServicePrincipal -ApplicationId "262044b1-e2ce-469f-a196-69ab7ada62d3"

# Create it if missing
New-AzADServicePrincipal -ApplicationId "262044b1-e2ce-469f-a196-69ab7ada62d3"

Permission Propagation Delays

After assigning permissions, wait 5-10 minutes for changes to propagate before retrying the backup operation.

Cross-Region Restore Considerations

If you plan to restore VMs in different regions, ensure the backup service has permissions to Key Vaults in those regions as well.

Additional Considerations

Recovery Services Vault Managed Identity

Some backup scenarios also require granting permissions to your Recovery Services vault’s managed identity. You can find this in:

  1. Recovery Services vault → Identity → System assigned
  2. Copy the Object ID and assign the same Key Vault roles

Network Access Policies

Ensure your Key Vault’s network access policies don’t block the Azure Backup service. If you’re using private endpoints or firewall rules, you may need to allow trusted Microsoft services.

Verification

After applying the permissions, verify the setup by:

  1. Attempting to configure backup for your encrypted VM
  2. Running a test backup to ensure it completes successfully
  3. Checking the backup job status in the Recovery Services vault
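Before running a test backup, a read-only check of the vault saves a wait on the job queue. The function below is an added example, not part of the original post; it assumes the Az modules are loaded, Connect-AzAccount has run, and the application ID is the Backup Management Service ID used throughout the post.

```powershell
# Added example: read-only check of what the Backup Management Service can do on a
# Key Vault, for either access model. Assumes Az modules are loaded and Connect-AzAccount
# has run; the application ID is the one quoted in the post.
function Test-BackupKeyVaultAccess {
    param([Parameter(Mandatory)] [string] $VaultName)

    $sp    = Get-AzADServicePrincipal -ApplicationId "262044b1-e2ce-469f-a196-69ab7ada62d3"
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $sp -or -not $vault) { Write-Warning "Service principal or vault not found"; return $false }

    if ($vault.EnableRbacAuthorization) {
        # Either the User or the Officer role satisfies backup; restore additionally needs the Officer roles
        $have = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
                Select-Object -ExpandProperty RoleDefinitionName
        $keyOk    = ($have -contains "Key Vault Crypto Officer") -or ($have -contains "Key Vault Crypto Service Encryption User")
        $secretOk = ($have -contains "Key Vault Secrets Officer") -or ($have -contains "Key Vault Secrets User")
        Write-Host "RBAC model. Roles at vault scope: $($have -join ', ')"
    } else {
        # Access policy model: locate the entry for the backup principal and compare permission lists
        $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
        $need   = @("get", "list", "backup")
        $keyOk    = $policy -and -not ($need | Where-Object { $policy.PermissionsToKeys -notcontains $_ })
        $secretOk = $policy -and -not ($need | Where-Object { $policy.PermissionsToSecrets -notcontains $_ })
        Write-Host "Access policy model. Keys: $($policy.PermissionsToKeys -join ', '); Secrets: $($policy.PermissionsToSecrets -join ', ')"
    }

    if ($keyOk -and $secretOk) { Write-Host "Backup service has the required Key Vault access"; return $true }
    Write-Warning "Key or secret permissions missing; backup will fail with UserErrorKeyVaultPermissionsNotConfigured"
    return $false
}

Test-BackupKeyVaultAccess -VaultName "YourKeyVaultName"
```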

Best Practices

  1. Use Azure RBAC for new Key Vault deployments as it provides more granular control
  2. Apply the principle of least privilege – use backup-only roles if restore isn’t required
  3. Document your permissions for future reference and troubleshooting
  4. Test both backup and restore operations to ensure complete functionality
  5. Monitor backup jobs regularly to catch permission issues early

The “UserErrorKeyVaultPermissionsNotConfigured” error is a common but easily resolvable issue when backing up encrypted Azure VMs. By understanding whether your Key Vault uses access policies or Azure RBAC, and applying the appropriate permissions to the Azure Backup service, you can ensure smooth backup operations for your encrypted virtual machines.

Remember that the specific steps depend on your Key Vault’s access control model, so always check which model you’re using before applying the solution. With the right permissions in place, Azure Backup can seamlessly handle your encrypted VM backups and restores.
