Hi, likely cause: the Backup Vault’s managed identity can’t get a token (disabled/missing/using the wrong identity) or it lacks the required RBAC on your disks/snapshot RG, so any “fix protection” step fails with ManagedIdentityGetAadTokenFailed. Do this, in order:

1) Vault identity: go to Backup vault → Identity and ensure System-assigned is On (or that your User-assigned MI is still attached). If you just toggled it, wait a minute.

2) Re-grant roles (this is the #1 blocker for Disk Backup): the vault MI must have Disk Backup Reader on each protected disk, Disk Snapshot Contributor on the snapshot resource group, and for restores Disk Restore Operator on the target RG (+ Reader on the Disk Encryption Set if the disk uses CMK). Easiest path: Backup center → +Backup (Disks) → Datasources → Add/Edit → Add missing roles and re-validate.

3) Same tenant/region checks: Disk Backup requires the vault and disks in the same region; cross-subscription is fine but they must be in the same Entra tenant.

4) Identity health: in Entra ID → Enterprise applications, find the SP named like your vault (type = Managed Identity), make sure Account enabled = Yes; if you recently deleted/replaced a user-assigned MI, attach the new one and re-assign roles.

5) Policy/deny: ensure no Deny assignments on the snapshot RG/subscription that would block role assignment; the “Add missing roles” action will surface this as “insufficient permission,” but if you’re assigning manually, check with az role assignment list --assignee <principalId> --all --include-inherited.

6) Conditional Access: CA for workload identities generally doesn’t apply to managed identities, so this error is almost never a CA block; focus on identity state and RBAC.

7) Quick CLI to verify: az resource show -g <rg> -n <vaultName> --resource-type Microsoft.DataProtection/backupVaults --query identity (confirm principalId); then add RBAC: az role assignment create --assignee <principalId> --role "Disk Backup Reader" --scope <diskId> and az role assignment create --assignee <principalId> --role "Disk Snapshot Contributor" --scope /subscriptions/<sub>/resourceGroups/<snapshotRG>. Re-validate and retry the job. If it still fails, capture the Job ID/Correlation ID from the failed backup job and open an Azure Support ticket, include that ID plus the vault name and region for backend traces.
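An added helper for the RBAC check in steps 5 and 7 (example code, not part of the answer above): it reads the TSV output of az role assignment list --assignee <principalId> --all --include-inherited --query "[].[roleDefinitionName,scope]" -o tsv from stdin and lists which of the two Disk Backup roles are still missing for one disk and its snapshot RG, counting an assignment at a parent scope (RG or subscription) as inherited. The resource ids in the sample are constructed, and the helper covers one disk per call.

```shell
# Added example, not code from the original answer. Feed it the TSV output of
#   az role assignment list --assignee <principalId> --all --include-inherited \
#      --query "[].[roleDefinitionName,scope]" -o tsv
tab=$(printf '\t')

# required_roles DISK_ID SNAPSHOT_RG_ID -> prints the role<TAB>scope pairs needed
required_roles() {
  printf 'Disk Backup Reader%s%s\n' "$tab" "$1"
  printf 'Disk Snapshot Contributor%s%s\n' "$tab" "$2"
}

# scope_covers ASSIGNED_SCOPE WANTED_SCOPE -> true when an assignment at ASSIGNED_SCOPE
# applies to WANTED_SCOPE (same scope or an ancestor). ARM ids are case-insensitive.
scope_covers() {
  have=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  wanted=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$wanted" in "$have"|"$have"/*) return 0 ;; *) return 1 ;; esac
}

# missing_roles DISK_ID SNAPSHOT_RG_ID  (assignment TSV on stdin)
# Prints each missing role<TAB>scope line; exit status 1 if anything is missing.
missing_roles() {
  assignments=$(cat)
  missing=0
  while IFS="$tab" read -r role scope; do
    found=0
    while IFS="$tab" read -r have_role have_scope; do
      [ -z "$have_role" ] && continue
      if [ "$have_role" = "$role" ] && scope_covers "$have_scope" "$scope"; then
        found=1; break
      fi
    done <<ASSIGNED
$assignments
ASSIGNED
    if [ "$found" -eq 0 ]; then
      printf '%s%s%s\n' "$role" "$tab" "$scope"
      missing=1
    fi
  done <<REQUIRED
$(required_roles "$1" "$2")
REQUIRED
  return "$missing"
}

# Constructed sample: Disk Backup Reader is held on the disk's RG (inherited by the
# disk) but nothing is granted on the snapshot RG, so one line is reported.
SUB=/subscriptions/00000000-0000-0000-0000-000000000000
DISK="$SUB/resourceGroups/rg-app/providers/Microsoft.Compute/disks/vm1-osdisk"
SNAP_RG="$SUB/resourceGroups/rg-snapshots"
SAMPLE="Disk Backup Reader${tab}$SUB/resourceGroups/rg-app"
printf '%s\n' "$SAMPLE" | missing_roles "$DISK" "$SNAP_RG" && echo "all required roles present"
```

In real use replace the sample with the az command output, then grant whatever is listed with the az role assignment create commands from step 7.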
ManagedIdentityGetAadTokenFailed: Fetching AAD Token has failed.
Manjunatha P
We have a Backup Vault and enabled Disk Backup. Backup is failing with a Protection error, and when trying to fix the protection error it throws the error "ManagedIdentityGetAadTokenFailed: Fetching AAD Token has failed."
Azure Backup