Azure VM backup fails, error message "Error UserErrorKeyVaultPermissionsNotConfigured"

Raymond Tong 0 Reputation points
2025-06-05T09:16:55.5733333+00:00

My Azure VM weekly backup fails. After troubleshooting, it is due to a Key Vault permission issue.

My access configuration is by Vault Access Policy, and I have already assigned myself the Owner role, Key Vault Admin, Key Vault Contributor, and Key Vault Data Access Administrator. But I still don't have access to Key Vault; the create and edit functions are disabled.

Kindly advise what role I shall assign.


2 answers

  1. Navya 19,310 Reputation points Microsoft External Staff Moderator
    2025-06-05T11:11:39.7633333+00:00

    Hi Raymond Tong

    Based on the error message "UserErrorKeyVaultPermissionsNotConfigured", it appears that you do not have sufficient permissions on the Key Vault required to back up encrypted virtual machines.

    Since your access configuration is set using Key Vault access policies, you must explicitly grant permissions to Azure Backup to access the Key Vault.

    Please follow the steps below to set the required permissions:

    1. Sign in to the Azure portal.
    2. Search for "Key vaults" and select your Key Vault.
    3. Go to Access policies and click Add Access Policy.
    4. In the Add access policy pane, select Azure Backup from the template options.
       • The necessary Key and Secret permissions will be pre-filled automatically.
       • If your VM is encrypted using BEK only (BitLocker Encryption Key), you can remove the Key permissions and keep only the Secret permissions.
    5. Click Add. This will add the Backup Management Service to the access policies.
    6. Click Save to apply the changes and grant Azure Backup the necessary access.

    Once these permissions are in place, please try performing the backup operation for your Azure VM again.

    Hope this helps. Do let us know if you have any further queries.


  2. Akpesiri Ogbebor 2,055 Reputation points
    2025-06-05T12:01:13.5333333+00:00

    Hello @Raymond Tong

    Thanks for contacting MS Q&A. I will be able to help you with resolving your issues.

    Even if you are Owner on the subscription/resource group – that does not translate to access inside of Key Vault in Vault Access Policy mode. If you would prefer to fall back to Azure RBAC, you can change the permission model of the vault to Azure role-based access control under “Access configuration”, and then your RBAC roles will just start working.

    1. Navigate to Access Policies for the Key Vault, under Key Vault.
      • In the Azure Portal, open the Key Vault which is causing issues.
      • Click on “Access Policies” (left pane).
      • Click “+ Add Access Policy”
    2. Set proper permissions:
      • Select a template based on the needs of your VM backup. For most Azure Backup operations to succeed, access to wrap/unwrap keys or read secrets is required, depending on what it is protecting. If your backup uses encryption (with a customer-managed key or CMK), you must provide the necessary key permissions (like unwrapKey, wrapKey, get, etc.). For secret-based access, assign secret permissions like get and list.
    3. Assign yourself or the backup service principal:
      • Under Principal, choose:
        o Your user account if you're testing access manually.
        o Or the Azure Backup service (e.g., Azure Backup, Microsoft Recovery Services, etc.) if the VM backup process requires it.
    4. Save and Confirm
      • Press Add, and then Save to apply the new access policy.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Siri
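
As an added example (not part of either answer and not Microsoft's code), this Python check reads the parsed JSON from `az keyvault show -o json` and reports whether the Backup Management Service principal holds the access-policy permissions both answers describe, including the BEK-only case and a vault that is in Azure RBAC mode. The get/list/backup permission sets are an assumption about what the Azure Backup template pre-fills; the object IDs and sample vaults are constructed placeholders.

```python
# Assumption: the permissions the portal's "Azure Backup" template pre-fills.
TEMPLATE = {"secrets": {"get", "list", "backup"}, "keys": {"get", "list", "backup"}}

def check_backup_access(vault, backup_object_id, bek_only=False, template=TEMPLATE):
    """Return findings for a parsed `az keyvault show -o json` document.

    An empty list means the Backup Management Service policy looks complete.
    bek_only=True skips key permissions (VM encrypted with BEK only).
    """
    props = vault.get("properties") or {}
    if props.get("enableRbacAuthorization"):
        # In Azure RBAC mode access policies are not evaluated at all.
        return ["vault uses Azure RBAC; access policies are not evaluated"]
    kinds = ["secrets"] if bek_only else ["secrets", "keys"]
    for policy in props.get("accessPolicies") or []:
        if (policy.get("objectId") or "").lower() != backup_object_id.lower():
            continue
        perms = policy.get("permissions") or {}
        findings = []
        for kind in kinds:
            granted = {p.lower() for p in perms.get(kind) or []}
            missing = sorted(template[kind] - granted)
            if missing and "all" not in granted:
                findings.append(f"{kind}: missing {', '.join(missing)}")
        return findings
    return ["no access policy for the Backup Management Service principal"]

# Constructed sample data: placeholder object IDs, not real principals.
BACKUP_ID = "00000000-0000-0000-0000-0000000000aa"
USER_ID = "00000000-0000-0000-0000-0000000000bb"

def sample_vault(policies, rbac=False):
    return {"properties": {"enableRbacAuthorization": rbac, "accessPolicies": policies}}

# Only the user has a policy: the situation that produces the backup error.
USER_ONLY = sample_vault([{"objectId": USER_ID,
                           "permissions": {"keys": ["all"], "secrets": ["all"]}}])
# Backup service has secret permissions only: enough for BEK-only VMs.
SECRETS_ONLY = sample_vault([{"objectId": BACKUP_ID,
                              "permissions": {"keys": [], "secrets": ["Get", "List", "Backup"]}}])

if __name__ == "__main__":
    for name, vault in [("user only", USER_ONLY), ("secrets only", SECRETS_ONLY)]:
        print(name, check_backup_access(vault, BACKUP_ID))
```

Pass the object ID of the Backup Management Service principal from your own tenant as `backup_object_id`.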
