MicrosoftDocs
diff --git a/‎articles/backup/backup-azure-vms-encryption.md
Lines changed: 37 additions & 1 deletion b/‎articles/backup/backup-azure-vms-encryption.md
Lines changed: 37 additions & 1 deletion
diff --git a/‎articles/backup/media/backup-azure-vms-encryption/enable-key-vault-encryption-expanded.png
45.3 KB b/‎articles/backup/media/backup-azure-vms-encryption/enable-key-vault-encryption-expanded.png
45.3 KB
diff --git a/‎articles/backup/media/backup-azure-vms-encryption/enable-key-vault-encryption-inline.png
45.3 KB b/‎articles/backup/media/backup-azure-vms-encryption/enable-key-vault-encryption-inline.png
45.3 KB
diff --git a/‎articles/backup/media/backup-azure-vms-encryption/key-vault-add-permissions.png
125 KB b/‎articles/backup/media/backup-azure-vms-encryption/key-vault-add-permissions.png
125 KB
@@ -2,7 +2,7 @@
 title: Back up and restore encrypted Azure VMs
 description: Describes how to back up and restore encrypted Azure VMs with the Azure Backup service.
 ms.topic: conceptual
-ms.date: 05/05/2022
+ms.date: 12/14/2022
 ms.service: backup
 author: v-amallick
 ms.author: v-amallick
@@ -99,6 +99,42 @@ In addition, there are a couple of things that you might need to do in some circ
 
 1. Select **Enable Backup** to deploy the backup policy in the vault, and enable backup for the selected VMs.
 
+### Back up ADE encrypted VMs with RBAC enabled key vaults
+
+To enable backups for ADE encrypted VMs using Azure RBAC enabled key vaults, you need to assign Key Vault Administrator role to the Backup Management Service Azure AD app by adding a role assignment in Access Control of key vault.
+
+:::image type="content" source="./media/backup-azure-vms-encryption/enable-key-vault-encryption-inline.png" alt-text="Screenshot shows the checkbox to enable ADE encrypted key vault." lightbox="./media/backup-azure-vms-encryption/enable-key-vault-encryption-expanded.png":::
+
+Learn about the [different available roles](/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations). The **Key Vault Administrator** role can allow permissions to *get*, *list*, and *back up* both secret and key.
+
+For Azure RBAC enabled key vaults, you can create custom role with the following set of permissions. Learn [how to create custom role](/azure/active-directory/roles/custom-create).
+
+| Action | Description |
+| --- | --- |
+| Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key.  |
+| Microsoft.KeyVault/vaults/secrets/backup/action | Creates the backup file of a secret.  |
+| Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret.  |
+| Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault or read properties and public materials.  |
+
+```json
+"permissions": [
+            {
+                "actions": [],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.KeyVault/vaults/keys/backup/action",
+                    "Microsoft.KeyVault/vaults/secrets/backup/action",
+                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
+                    "Microsoft.KeyVault/vaults/keys/read",
+                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
+                ],
+                "notDataActions": []
+            }
+        ]
+```
+
+:::image type="content"  source="./media/backup-azure-vms-encryption/key-vault-add-permissions.png" alt-text="Screenshot shows how to add permissions to key vault.":::
+
 ## Trigger a backup job
 
 The initial backup will run in accordance with the schedule, but you can run it immediately as follows: