What are the required permissions for the Azure Backup Service? - azure

I am met with the following error details when investigating why an Azure encrypted VM backup failed, but the link provided with the error (https://learn.microsoft.com/en-in/azure/backup/backup-azure-vms-encryption) doesn't resolve my question: exactly which permissions should I grant? All it says is that "The required permissions are prefilled for Key permissions and Secret permissions." Well, that's not a lot of help! I had those permissions already set as default I thought, because I do have lots of backups/snapshots; obviously backups have been working in the past. If I am missing some permission now, is it a Key permission, or a Secret permission? It's not clear! I do see I have the following set up right now:
Key permissions:
  Key Management Operations: Get (checked), List (checked), Update, Create, Import, Delete, Recover, Backup (checked), Restore
  Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, Wrap Key, Verify, Sign
  Privileged Key Operations: Purge
Secret permissions:
  Secret Management Operations: Get (checked), List (checked), Set, Delete, Recover, Backup, Restore
  Privileged Secret Operations: Purge
Certificate permissions:
  Certificate Management Operations: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Manage Contacts, Manage Certificate Authorities, Get Certificate Authorities, List Certificate Authorities, Set Certificate Authorities, Delete Certificate Authorities
  Privileged Certificate Operations: Purge
Below is the error I see for my backup:
Error Code: UserErrorKeyVaultPermissionsNotConfigured
Error Message: Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.
Recommended Action: Please grant the required permissions to the Azure Backup Service. Refer https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption/
Related Links: https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption

It looks like you missed the Backup permission of the Secret permissions.
In step 6 of the link,
I suppose you gave the permissions manually instead of selecting Azure Backup from "Configure from template (optional)". If you select it, the permissions will be chosen automatically; that is what "The required permissions are prefilled for Key permissions and Secret permissions" means.

Here are the steps I took to correct this via http://portal.azure.com (I realize step 6 might be overkill as the Restore permission might be unnecessary here--but hey, this worked):
1. Search for "Key vaults".
2. Click on my key vault.
3. Click "Access policies".
4. Click "Backup Management Service".
5. Click on the Key permissions dropdown and uncheck all checkboxes.
6. Click on the Secret permissions dropdown and choose the Get, List, Backup, and Restore checkboxes.
7. Click OK.
8. Click Save back on the "Access policies" screen.
The last step above is important as missing it will cause your changes NOT to be saved. I wrote these steps up and followed them as influenced by a statement I found at https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption that says, "If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need permissions for secrets." It seems I have BEK--at least that's what my Secret Types are. And indeed, the above worked. The backups began to work again as of July 11th!
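A checker for the situation the question and answers describe, added here as an example (it is not from the question, the answers, or Microsoft): it reads the JSON that `az keyvault show --name <vault>` prints and reports which permissions the Backup Management Service access-policy entry lacks, using the secret set the answers rely on (get, list, backup) and the BEK/KEK split the second answer quotes. The service principal's objectId, the vault name, and the mirrored key set for KEK-wrapped VMs are assumptions; the objectId can be looked up with `az ad sp list --display-name "Backup Management Service"`.

```python
import json
from typing import Optional

# From the answers above: secrets need get, list and backup; BEK-only VMs need no key permissions.
# Assumption: KEK-wrapped VMs mirror that set on the key side.
REQUIRED = {"secrets": {"get", "list", "backup"}, "keys": {"get", "list", "backup"}}


def _granted(policy: Optional[dict]) -> dict:
    """Lower-cased permission sets from one accessPolicies entry (None -> all empty)."""
    perms = (policy or {}).get("permissions") or {}
    return {cls: {p.lower() for p in (perms.get(cls) or [])} for cls in REQUIRED}


def find_policy(vault_json: dict, object_id: str) -> Optional[dict]:
    """Locate the accessPolicies entry for a principal by its objectId."""
    for entry in vault_json.get("properties", {}).get("accessPolicies", []):
        if entry.get("objectId", "").lower() == object_id.lower():
            return entry
    return None


def missing_backup_permissions(vault_json: dict, backup_sp_object_id: str, uses_kek: bool) -> dict:
    """Permissions the Backup Management Service entry still lacks, per permission class."""
    granted = _granted(find_policy(vault_json, backup_sp_object_id))
    classes = ["secrets", "keys"] if uses_kek else ["secrets"]
    return {cls: sorted(REQUIRED[cls] - granted[cls]) for cls in classes}


def set_policy_command(vault_json: dict, vault_name: str, backup_sp_object_id: str, uses_kek: bool) -> str:
    """Build the `az keyvault set-policy` call that fills the gap. set-policy replaces each
    listed permission class wholesale, so the command carries granted | required, not the diff."""
    granted = _granted(find_policy(vault_json, backup_sp_object_id))
    parts = ["az", "keyvault", "set-policy", "--name", vault_name, "--object-id", backup_sp_object_id]
    for cls, flag in (("secrets", "--secret-permissions"), ("keys", "--key-permissions")):
        if cls == "keys" and not uses_kek:
            continue  # BEK-only: leave key permissions alone, as the second answer did
        parts += [flag, *sorted(granted[cls] | REQUIRED[cls])]
    return " ".join(parts)


# Constructed sample mirroring the question: keys get/list/backup, secrets only get/list.
BACKUP_SP = "00000000-0000-0000-0000-00000000abcd"  # placeholder objectId, not a real principal
SAMPLE_VAULT = json.loads("""{"properties": {"accessPolicies": [
  {"objectId": "00000000-0000-0000-0000-00000000abcd",
   "permissions": {"keys": ["get", "list", "backup"], "secrets": ["get", "list"], "certificates": null}}]}}""")

if __name__ == "__main__":
    print(missing_backup_permissions(SAMPLE_VAULT, BACKUP_SP, uses_kek=False))  # {'secrets': ['backup']}
    print(set_policy_command(SAMPLE_VAULT, "myvault", BACKUP_SP, uses_kek=False))
```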

Related

How to terminate users in bulk in SailPoint IIQ?

I have identified nearly 1K Service Identities, Shared Identities and Privileged Identities. I need to clear all these identities immediately; kindly say if there is a way to do this in bulk.
Terminate/remove users in Bulk
If you have identified the identities, then you can use the IIQ console to delete them, but take these steps carefully on higher environments; refer to the IIQ admin guide -> IIQ console section for this command.
Also, take a backup of the database before doing such activities.
<delete Identity "name"> is the IIQ console command. If you want to delete identities in bulk, then prepare a file, e.g. identityData.txt, and that file must contain records in the below format:
delete Identity identity1
delete Identity identity2
delete Identity identity3
And then go to the IIQ console and execute this command:
> source identityData.txt
Verify your identities from the console.

Azure Devops External users with all permissions set as denied can still see Organization Settings

I have created an external user in Azure DevOps (one with an #outlook.com email). I have set this user as "Basic" with no access to any of the organization projects and I have also set all permissions to deny. Yet when he signs in, he is able to view organization settings even though he cannot edit them. What am I doing wrong? The user should not be seeing anything.
How can I make this work?

Do expired versions of a certificate get purged from Key Vault?

Does Azure Key Vault purge expired versions automatically so it does not get returned from get key versions?
Background:
We plan to use Azure Key Vault certificates with a 2 month rotation. So, we will set ValidityInMonths to 2 and RenewAtNumberOfDaysBeforeExpiry to 3 or so. The reason for the short rotation is that it will be used for asymmetric signing.
We need to make the public keys available from an API, so we will call get key versions.
My concern is that the number of versions will keep growing every 2 months.
No, the process is not automatic. To permanently delete a secret, first a user must delete the object, which puts it into the soft-deleted state. Second, a user must purge the object in the soft-deleted state. The purge operation requires additional access policy permissions.
Note: Soft delete is enabled by default.
You can find more information here: Azure Key Vault soft-delete overview

Azure SSL certificate shows Guest User Error

I have purchased an SSL cert for my site and the cert has three steps you need to do in order to have it fully configured. The first step is "Key Vault Status" which I then click on and it shows the following error:
You do not have permission to get the service prinicipal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings.
This is very confusing because I am the owner of this subscription and I also went and created a new Key Vault just in case it was due to not having one created in the first place. In addition I checked the Access Control for this cert and I am also listed as Owner.
Any help is appreciated.
Ok, so I finally got to the bottom of it - I'll outline the story here as this was the solution but may not work for everyone.
When I first created my Azure account I did so under email address 1.
A few years later I had migrated most of my email to email address 2. To get status updates and other things I transferred the subscription to email address 2.
Every other service has worked fine except for this SSL issue as well as not being able to buy a support plan (it popped open an email app to send to email address 1).
In speaking with the AzureSupport twitter account they agreed that it was strange and arranged for a one time ticket for support.
The support agent asked me to check my Access Policies for the Key Vault I had created. This showed that email 1 is indeed a user in the Azure Active Directory and they mentioned that I'd need to have the admin add it. Since I had noticed the irregularities with email address 1 showing up in the URL and in the email for adding support, I logged into Azure using email address 1 and went to Azure Active Directory->Users under that account.
I then selected the guest account, selected Directory Role, and added a new role of Application Administrator. Now all of it is working as expected!
My subscription was attached to employer Active Directory and I can't change my role in it.
I solved this problem by creating my own Active Directory and by moving the subscription to this AD.

Unable to generate WAAD Application Keys

Recently I have no longer been able to generate application keys in WAAD... (or to be more specific, I can generate the key but I never get to see the value)
and after save I receive an unauthorized access error...
I am a directory co-administrator - the key does appear to save, as after a page refresh there is an extra entry in the keys table. Currently only the directory full administrator can see the value, but no longer co-admins.
The above issue also happens when making modifications to "permissions to other applications": Azure reports unauthorized but the changes I make are again committed.
I have ruled out different browsers; I have tried IE and Chrome.
Help much appreciated.
Co-administrator is a subscription role, not an Azure AD role.
In order to perform this you should have admin privileges in the Azure AD on which you're trying to create the keys.
What is the Azure AD role you're currently in?
The issue was...
"Users may give applications permission to access their data" was set to "No"
Changing this back to "Yes" then allowed me to generate and see the key values.