Hi,
Thanks for reaching out to Microsoft Q&A.
Why it happens:
- Enhanced backup uses a different internal mechanism than "classic" backup.
- Backup Vaults use managed identity for operations.
- Your subscription or vault probably does not have the right RBAC permissions set for the Backup vault's Managed Identity.
- Even though the wizard looks fine, the vault's identity is missing Contributor/Backup Contributor role at the resource group or subscription level.
- This mismatch causes PermissionDenied when the backup tries to protect the VM.
How to fix:
Step 1: Find the Backup Vault's Managed Identity
Go to Azure Portal.
Open your Backup Vault.
Go to Identity under the vault's settings (left menu).
Check if the System-Assigned Managed Identity is ON.
If OFF, turn it ON and Save.
Step 2: Assign the right role to the Backup Vault’s Identity
You need to give permission to the vault's identity.
Go to the Subscription or Resource Group where your VM and Backup Vault are.
Go to Access Control (IAM).
Click Add Role Assignment.
Assign the role Backup Contributor.
In "Assign access to", choose Managed identity.
Select the Backup Vault's system-assigned identity.
Role to assign: Backup Contributor
Scope: Ideally at Resource Group (where VM and vault exist) or Subscription (if you prefer).
Important: If you only assign permissions to the vault resource itself and not to the RG or Subscription, it will still fail. You must assign on the VM resource group or Subscription.
Step 3: Retry the Protection Setup
- Go back to the VM -> Overview -> Backup -> Try the wizard again.
Use the existing Backup Vault.
Use Enhanced configuration and the policy you created.
Now it should proceed beyond the 2.5-minute failure you are seeing.
Quick Tip:
If you want to make sure everything is ready before trying the wizard again, you can manually run this CLI command to test access. If you get a permissions error here, it confirms an identity issue.
az backup vault backup-properties show --vault-name <your vault name> --resource-group <resource group>
Why doesn't Microsoft mention it clearly?
Because Enhanced Backup is still relatively new for some VM OS types (including Server 2022), and they assume people understand managed identity permission management, which is frankly unreasonable without clear docs.
Note:
If you want even tighter security:
Assign only Backup Contributor at Resource Group scope.
Avoid assigning at Subscription level unless you have multiple VMs across RGs needing backup.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
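The scope point in Step 2 above (an assignment on the vault resource itself does not cover the VM's resource group, because Azure RBAC inherits down the scope hierarchy, never sideways) is easy to check offline against the output of `az role assignment list --assignee <principalId> --all -o json`. The script below is an added example, not code from the answer above or from Microsoft; the subscription ID, principal IDs, resource group and vault names are constructed placeholders, and treating Contributor and Owner as sufficient supersets of Backup Contributor is an assumption for this scenario.

```python
"""
Check whether a managed identity's RBAC assignments actually cover the
resource group that holds the VM to protect.

Azure RBAC assignments are inherited *down* the scope hierarchy
(management group > subscription > resource group > resource), so a role
granted on the vault resource itself never reaches a VM in another
resource group.  Input shape follows `az role assignment list ... -o json`,
but the sample data below is constructed, not captured from a tenant.
"""
import json

# Assumption for this example: these roles are enough for the vault's
# identity to protect a VM in the target scope.
SUFFICIENT_ROLES = {"Backup Contributor", "Contributor", "Owner"}


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if an assignment at assigned_scope is inherited by target_scope.

    Azure scopes are case-insensitive path prefixes: '/subscriptions/S'
    covers '/subscriptions/S/resourceGroups/rg-vm', while
    '/subscriptions/S/resourceGroups/rg-vm' does not cover
    '/subscriptions/S/resourceGroups/rg-vm2' (prefix, but not a path prefix).
    """
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    if a == "":          # root scope "/" covers everything
        return True
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal_id, target_scope):
    """Role names held by principal_id that apply at target_scope."""
    return sorted({
        ra["roleDefinitionName"]
        for ra in assignments
        if ra["principalId"].lower() == principal_id.lower()
        and scope_covers(ra["scope"], target_scope)
    })


def vault_identity_can_protect(assignments, principal_id, vm_rg_scope):
    """True if the vault's identity holds a sufficient role covering the VM's RG."""
    roles = effective_roles(assignments, principal_id, vm_rg_scope)
    return any(r in SUFFICIENT_ROLES for r in roles)


# Constructed sample data (placeholder IDs and names, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_PRINCIPAL = "11111111-2222-3333-4444-555555555555"
VM_RG_SCOPE = f"{SUB}/resourceGroups/rg-prod-vms"

SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {   # the misconfiguration described above: role granted on the vault resource only
        "principalId": VAULT_PRINCIPAL,
        "roleDefinitionName": "Backup Contributor",
        "scope": f"{SUB}/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/bv-prod",
    },
    {   # a different principal with the right scope: must not count for the vault
        "principalId": "99999999-9999-9999-9999-999999999999",
        "roleDefinitionName": "Contributor",
        "scope": VM_RG_SCOPE,
    },
])


def sample_before():
    """Result with only the vault-resource assignment: the check fails."""
    assignments = json.loads(SAMPLE_ASSIGNMENTS_JSON)
    return vault_identity_can_protect(assignments, VAULT_PRINCIPAL, VM_RG_SCOPE)


def sample_after():
    """Same list plus the Step 2 fix: Backup Contributor at the VM's resource group."""
    assignments = json.loads(SAMPLE_ASSIGNMENTS_JSON) + [{
        "principalId": VAULT_PRINCIPAL,
        "roleDefinitionName": "Backup Contributor",
        "scope": VM_RG_SCOPE,
    }]
    return vault_identity_can_protect(assignments, VAULT_PRINCIPAL, VM_RG_SCOPE)


if __name__ == "__main__":
    print("before fix:", sample_before())  # False
    print("after fix: ", sample_after())   # True
```

To use it against a real vault, take the principalId from the vault's Identity blade, save `az role assignment list --assignee <principalId> --all -o json` to a file, load it with `json.load`, and call `vault_identity_can_protect` with the VM's resource group scope; a `False` result with the wizard still failing points at exactly the scope mismatch described in Step 2.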