Fix Azure backups?

Question

Fix Azure backups?

Nick Bhagat 0

Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.

Nick Bhagat 0 Reputation points

2025-08-21T15:10:04.9666667+00:00

Hey I am trying to understand why the backup runs for 5 hours , then fails what things can I check. I have checked logs in the Azure Monitor end on the VM as well as VSS logs but the backups are still failing. Please advise

1 answer

Your answer

Nick Bhagat 0 Reputation points

2025-08-21T15:10:04.9666667+00:00

Hey I am trying to understand why the backup runs for 5 hours , then fails what things can I check. I have checked logs in the Azure Monitor end on the VM as well as VSS logs but the backups are still failing. Please advise

Answer 1

Jose Benjamin Solis Nolasco 5,406

Welcome to Microsoft Q&A

I hope you are doing well,

Please to archive what you are looking for read this official documentation from Microsoft https://learn.microsoft.com/en-us/azure/backup/backup-azure-encrypted-vm-troubleshoot

Azure Backup uses the managed identity of the Recovery Services Vault to talk to Key Vault. That identity needs both Key and Secret permissions.

In the Azure Portal:

Go to the Key Vault → Access policies.
Add Access Policy:
- Configure from template: Azure Backup
- This pre‑selects:
- Key permissions: Get, List, Unwrap Key, Wrap Key, Encrypt, Decrypt, Backup, Restore
- Secret permissions: Get, List, Backup, Restore
Select principal: search for your Recovery Services Vault name and pick its managed identity.
Save the policy.

😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

Nick Bhagat 0 Reputation points

2025-08-18T14:56:06.49+00:00

I have this all set accordingly...the backups will run for 30+ minutes then randomly fail:
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-18T15:02:20.2333333+00:00
Check this quickly just in case:

Ensure the Managed Identity of the Recovery Services Vault has:

Key permissions: Get, List, Unwrap Key, Wrap Key, Encrypt, Decrypt, Backup, Restore

Secret permissions: Get, List, Backup, Restore

If you’ve just set this, wait at least 15–30 mins or force a re‑auth.

Verify VM agent health

In the VM blade → Extensions + Applications, confirm the Azure Backup extension is installed and running.

Update the Azure VM Agent to the latest version.

Check disk encryption settings

If using Azure Disk Encryption, confirm the key vault is in the same region and that the vault identity has decryption rights.

Test manually creating a snapshot of the OS/data disk in the portal — if that fails, it’s a storage or permission issue.

Validate network connectivity

Ensure outbound access to *.backup.windowsazure.com, *.blob.core.windows.net, and Azure AD endpoints is allowed.

For NSG/firewall, add required service tags: AzureBackup, AzureStorage, AzureActiveDirectory.
Nick Bhagat 0 Reputation points

2025-08-18T17:24:29.8+00:00

First step is there, second there isn't an Azure Backup extension:

Share via

Fix Azure backups?

1 answer

Your answer