The tiering process of Azure BackupVault fails with the error UserErrorMissingVaultMSIPermissionsOnBackupStorageLocation.

Question

The tiering process of Azure BackupVault fails with the error UserErrorMissingVaultMSIPermissionsOnBackupStorageLocation.

IOTBNTBP1-7424 20

We have configured Azure Backup for a private AKS cluster.

While the backup itself succeeds, the subsequent tiering process performed by the backup container fails.

The error code is UserErrorMissingVaultMSIPermissionsOnBackupStorageLocation. This error code is not documented.

We have assigned the Storage Blob Data Contributor role on the backup destination storage account to both the backup extension's and the backup container's managed identities.

According to the documentation, the only required permission for the backup container is read access to the storage account, but for troubleshooting purposes, we have granted the above role.

However, the storage account allows private access only. This might be the root cause.

Please advise how to resolve the tiering error by the backup container when using a private-access-only storage account.

Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator

2025-07-31T01:24:17.8166667+00:00

Hello IOTBNTBP1,

Just want to check if the above comment provided by @vinod pittala worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
IOTBNTBP1-7424 20 Reputation points

2025-07-31T06:15:16.9466667+00:00

Thank you for the helpful information.

After following your instructions and configuring trusted access, the error code has changed. The new error code is: UserErrorMissingVaultMSIPermissionsOnSnashotRG.

I followed the steps in the following documentation: https://learn.microsoft.com/ja-jp/azure/backup/azure-kubernetes-service-cluster-backup-using-cli The az dataprotection backup-instance validate-for-backup command also completes successfully. However, it seems that some required permissions are still missing.

If there is any documentation that includes all the necessary commands to grant the required permissions for the backup container when configuring backup via CLI, please let me know.
Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator

2025-07-31T06:29:01.1966667+00:00
Hello @IOTBNTBP1-7424

You're encountering the error UserErrorMissingVaultMSIPermissionsOnSnapshotRG, which typically arises during Azure Backup operations when the Backup Vault's managed identity lacks sufficient permissions on the Snapshot Resource Group (RG).

Please assign below roles on snapshot resource group

az role assignment create \ --assignee "mangedidentity" --role "Rolename" \ --scope "/subscriptions/XXXXX/resourceGroups/XXXXX"

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Naveena Patlolla 4,805 Reputation points Microsoft External Staff Moderator

2025-07-31T23:05:04.9966667+00:00

Hello @IOTBNTBP1
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
IOTBNTBP1-7424 20 Reputation points

2025-08-05T10:00:31.2866667+00:00

The issue was resolved by setting up trusted access and granting all permissions on the following page.

https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup-concept#required-roles-and-permissions

Thank you for providing this information.

We had planned to disable public access to the storage account, but since that would prevent us from setting up trusted access, we changed it to “enabled from selected virtual networks and IP addresses.
Vinod Pittala 6,130 Reputation points Microsoft External Staff Moderator

2025-08-05T10:07:12.3833333+00:00

Hello IOTBNTBP1-7424,

I'm glad that the issue has been resolved after setting the trusted/ private access to the storage account and provided the required roles as I suggested earlier.

I have converted my comment into Answer. If you indeed feel the provided solution has helpful to resolve the issue, please do not forget to Accept the answer and Upvote it. this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks

Accepted answer

0 additional answers

Your answer

Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator

2025-07-31T01:24:17.8166667+00:00

Hello IOTBNTBP1,

Just want to check if the above comment provided by @vinod pittala worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
IOTBNTBP1-7424 20 Reputation points

2025-07-31T06:15:16.9466667+00:00

Thank you for the helpful information.

After following your instructions and configuring trusted access, the error code has changed. The new error code is: UserErrorMissingVaultMSIPermissionsOnSnashotRG.

I followed the steps in the following documentation: https://learn.microsoft.com/ja-jp/azure/backup/azure-kubernetes-service-cluster-backup-using-cli The az dataprotection backup-instance validate-for-backup command also completes successfully. However, it seems that some required permissions are still missing.

If there is any documentation that includes all the necessary commands to grant the required permissions for the backup container when configuring backup via CLI, please let me know.
Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator

2025-07-31T06:29:01.1966667+00:00

Hello @IOTBNTBP1-7424

You're encountering the error UserErrorMissingVaultMSIPermissionsOnSnapshotRG, which typically arises during Azure Backup operations when the Backup Vault's managed identity lacks sufficient permissions on the Snapshot Resource Group (RG).

Please assign below roles on snapshot resource group

az role assignment create \ --assignee "mangedidentity" --role "Rolename" \ --scope "/subscriptions/XXXXX/resourceGroups/XXXXX"

Please let me know if you face any challenge here, I can help you to resolve this issue further

If the comment was helpful, please click "Upvote"
Naveena Patlolla 4,805 Reputation points Microsoft External Staff Moderator

2025-07-31T23:05:04.9966667+00:00

Hello @IOTBNTBP1
Just want to check if the above Comment worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it"

Thankyou
IOTBNTBP1-7424 20 Reputation points

2025-08-05T10:00:31.2866667+00:00

The issue was resolved by setting up trusted access and granting all permissions on the following page.

https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup-concept#required-roles-and-permissions

Thank you for providing this information.

We had planned to disable public access to the storage account, but since that would prevent us from setting up trusted access, we changed it to “enabled from selected virtual networks and IP addresses.
Vinod Pittala 6,130 Reputation points Microsoft External Staff Moderator

2025-08-05T10:07:12.3833333+00:00

Hello IOTBNTBP1-7424,

I'm glad that the issue has been resolved after setting the trusted/ private access to the storage account and provided the required roles as I suggested earlier.

I have converted my comment into Answer. If you indeed feel the provided solution has helpful to resolve the issue, please do not forget to Accept the answer and Upvote it. this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks

Answer 1

Hello IOTBNTBP1,

Firstly, as part of the backup and restore operations, the following roles are assigned to the AKS cluster, Backup Extension Identity, and Backup vault.

So, add the Storage Blob Data Contributor role at Extension Identity, and the Storage Blob Data Reader role at Backup vault. User's image Refer the required roles and permissions : https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup-concept#required-roles-and-permissions

Then, yes since the storage account allows Private access, the backup vault needs to be added as trusted access in Storage Account Network Settings.

Hence, please add it and save the settings as follows,

User's image Post these changes, monitor the backups and check if he still encounters the error or not.

If the comment helpful, please click Upvote it.

Thanks

Share via

The tiering process of Azure BackupVault fails with the error UserErrorMissingVaultMSIPermissionsOnBackupStorageLocation.

0 additional answers

Your answer