Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Using Azure Backup with ADE protected VMs in Azure Germany

Yesterday I have written a blog post about the availability of ASR and Azure Backup in Azure Germany.

-> https://www.danielstechblog.io/azure-backup-azure-site-recovery-available-azure-germany/

Today I would like to share some information with you about using Azure Backup with Azure Disk Encryption protected VMs. If you start right away deploying a Recovery Services vault and protecting your VMs, then you will run into an error.


    "status": "Failed",
    "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
                "code": "UserErrorKeyVaultPermissionsNotConfigured",
                "message": "Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines."

The error message is clear, you have to assign the required permissions to the Backup Management Service to be able to access keys and secrets in your deployed Azure  Key Vault. Otherwise Azure Backup is not able to backup your ADE protected VMs.


In Azure Germany you cannot modify the Azure Key Vault access policies through the portal currently, you have to do it via PowerShell.


Login-AzureRmAccount -EnvironmentName AzureGermanCloud

Get-AzureRmSubscription|Out-GridView -PassThru|Select-AzureRmSubscription

Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName $ServicePrincipalName –Verbose

After you have assigned the permissions to the Backup Management Service, start again to protect your VMs and you will see that this time the deployment succeeds.


Afterwards initialize the initial backup and come back later to check, if it was successful.




WordPress Cookie Notice by Real Cookie Banner