ManagedIdentityGetAadTokenFailed: Fetching AAD Token has failed.

Manjunatha P 0 Reputation points
2025-08-25T05:08:55.4833333+00:00

We have a Backup Vault with Disk Backup enabled. Backup is failing with a Protection error, and when trying to fix the protection error it throws the error "ManagedIdentityGetAadTokenFailed: Fetching AAD Token has failed."


  1. Michele Ariis 4,505 Reputation points MVP
    2025-08-25T07:38:05.1833333+00:00

    Hi, likely cause: the Backup Vault’s managed identity can’t get a token (disabled/missing/using the wrong identity) or it lacks the required RBAC on your disks/snapshot RG, so any “fix protection” step fails with ManagedIdentityGetAadTokenFailed. Do this, in order:

    1) Vault identity: go to Backup vault → Identity and ensure System-assigned is On (or that your User-assigned MI is still attached). If you just toggled it, wait a minute.

    2) Re-grant roles (this is the #1 blocker for Disk Backup): the vault MI must have Disk Backup Reader on each protected disk, Disk Snapshot Contributor on the snapshot resource group, and for restores Disk Restore Operator on the target RG (+ Reader on the Disk Encryption Set if the disk uses CMK). Easiest path: Backup center → +Backup (Disks) → Datasources → Add/Edit → Add missing roles and re-validate.

    3) Same tenant/region checks: Disk Backup requires the vault and disks in the same region; cross-subscription is fine but they must be in the same Entra tenant.

    4) Identity health: in Entra ID → Enterprise applications, find the SP named like your vault (type = Managed Identity), make sure Account enabled = Yes; if you recently deleted/replaced a user-assigned MI, attach the new one and re-assign roles.

    5) Policy/deny: ensure no Deny assignments on the snapshot RG/subscription that would block role assignment; the “Add missing roles” action will surface this as “insufficient permission,” but if you’re assigning manually, check with `az role assignment list --assignee <principalId> --all --include-inherited`.

    6) Conditional Access: CA for workload identities generally doesn’t apply to managed identities, so this error is almost never a CA block; focus on identity state and RBAC.

    7) Quick CLI to verify: `az resource show -g <rg> -n <vaultName> --resource-type Microsoft.DataProtection/backupVaults --query identity` (confirm principalId); then add RBAC: `az role assignment create --assignee <principalId> --role "Disk Backup Reader" --scope <diskId>` and `az role assignment create --assignee <principalId> --role "Disk Snapshot Contributor" --scope /subscriptions/<sub>/resourceGroups/<snapshotRG>`. Re-validate and retry the job. If it still fails, capture the Job ID/Correlation ID from the failed backup job and open an Azure Support ticket, include that ID plus the vault name and region for backend traces.

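Added example, not part of the answer above and not Microsoft tooling: a Python check that applies the role list from steps 2 and 7 to the JSON that `az role assignment list --assignee <principalId> --all --include-inherited` returns, and honours RBAC scope inheritance so a role granted at subscription or resource-group level counts for a disk beneath it. The assignment records and resource IDs are constructed placeholders.

```python
import json

# Constructed sample of `az role assignment list` output, trimmed to the two
# fields this check uses (roleDefinitionName, scope). "SUB" is a placeholder.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Disk Backup Reader",
   "scope": "/subscriptions/SUB/resourceGroups/vm-rg/providers/Microsoft.Compute/disks/os-disk-1"},
  {"roleDefinitionName": "Disk Snapshot Contributor",
   "scope": "/subscriptions/SUB"}
]""")

SUB = "/subscriptions/SUB"
DISK_1 = SUB + "/resourceGroups/vm-rg/providers/Microsoft.Compute/disks/os-disk-1"
DISK_2 = SUB + "/resourceGroups/vm-rg/providers/Microsoft.Compute/disks/data-disk-2"
SNAPSHOT_RG = SUB + "/resourceGroups/snapshot-rg"


def required_roles(disk_ids, snapshot_rg, restore_rg=None, des_id=None):
    """(role, scope) pairs the vault identity needs; DES Reader only when the disk uses CMK."""
    req = [("Disk Backup Reader", d) for d in disk_ids]
    req.append(("Disk Snapshot Contributor", snapshot_rg))
    if restore_rg:
        req.append(("Disk Restore Operator", restore_rg))
    if des_id:
        req.append(("Reader", des_id))
    return req


def scope_covers(assigned_scope, target_scope):
    """Azure RBAC inherits downward: a grant on the subscription or RG applies to the disk."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def missing_roles(assignments, required):
    """Return the (role, scope) pairs satisfied by no direct or inherited assignment."""
    return [
        (role, scope) for role, scope in required
        if not any(a.get("roleDefinitionName") == role and scope_covers(a.get("scope", ""), scope)
                   for a in assignments)
    ]


if __name__ == "__main__":
    gaps = missing_roles(SAMPLE_ASSIGNMENTS, required_roles([DISK_1, DISK_2], SNAPSHOT_RG))
    for role, scope in gaps:
        # Print the remediation command from step 7 for each gap, principalId left as a placeholder.
        print(f'az role assignment create --assignee <principalId> --role "{role}" --scope {scope}')
```

On the sample data the Snapshot Contributor grant at subscription scope satisfies the snapshot RG, so the only gap reported is Disk Backup Reader on the second disk.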
