articles/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms.md
16 additions & 9 deletions
@@ -2,7 +2,7 @@
2
2
title: Configure replication for Azure Disk Encryption-enabled VMs in Azure Site Recovery | Microsoft Docs
3
3
description: This article describes how to configure replication for Azure Disk Encryption-enabled VMs from one Azure region to another by using Site Recovery.
4
4
services: site-recovery
5
-
author: sujayt
5
+
author: asgang
6
6
manager: rochakm
7
7
ms.service: site-recovery
8
8
ms.topic: article
@@ -18,7 +18,7 @@ This article describes how to replicate Azure Disk Encryption-enabled VMs from o
18
18
>[!NOTE]
19
19
>Azure Site Recovery currently supports only Azure VMs that run a Windows OS and that are [enabled for encryption with Azure Active Directory (Azure AD)](https://aka.ms/ade-aad-app).
20
20
21
-
## Required user permissions
21
+
## <aid="required-user-permissions"></a> Required user permissions
22
22
Site Recovery requires the user to have permissions to create the key vault in the target region and copy keys to the region.
23
23
24
24
To enable replication of Disk Encryption-enabled VMs from the Azure portal, the user needs the following permissions:
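Review bot: the anchor added to the "Required user permissions" heading is written `<aid="required-user-permissions"></a>`, with no space between `a` and `id`, so as shown it is not a valid anchor element and should read `<a id="required-user-permissions"></a>`. The heading text already slugs to the same fragment on renderers that auto-generate heading ids, so either fix the tag or drop it; the `#required-user-permissions` link added later in this change depends on that fragment resolving.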
@@ -135,18 +135,25 @@ You can use [a script](#copy-disk-encryption-keys-to-the-dr-region-by-using-the-
135
135
136
136
## <aid="trusted-root-certificates-error-code-151066"></a>Troubleshoot key vault permission issues during Azure-to-Azure VM replication
137
137
138
-
**Cause 1:** You might have selected from the target region an already-created key vault that doesn't have the required permissions instead of letting Site Recovery create one. Make sure that the key vault has the require permissions, as described earlier.
138
+
Azure Site Recovery requires at least read permission on the Source region Key vault and write permission on the target region key vault to read the secret and copy it to the target region key vault.
139
139
140
-
*For example*: You try to replicate a VM that has key vault *ContososourceKeyvault* on a source region.
141
-
You have all the permissions on the source region key vault. But during protection, you select the already-created key vault ContosotargetKeyvault, which doesn't have permissions. An error occurs.
140
+
**Cause 1:** You don't have "GET" permission on the **source region Key vault** to read the keys. </br>
141
+
**How to fix:** Regardless of whether you are a subscription admin or not, it is important that you have get permission on the key vault.
142
+
143
+
1. Go to source region Key vault which in this example is "ContososourceKeyvault" > **Access policies**
144
+
2. Under **Select Principal** add your user name for example: "[email protected]"
145
+
3. Under **Key permissions** select GET
146
+
4. Under **Secret Permission** select GET
147
+
5. Save the access policy
142
148
143
-
**How to fix:**Go to **Home** > **Keyvaults** > **ContososourceKeyvault** > **Access policies**and add the appropriate permissions.
149
+
**Cause 2:**You don't have required permission on the **Target region Key vault**to write the keys. </br>
144
150
145
-
**Cause 2:** You might have selected from the target region an already-created key vault that doesn't have decrypt-encrypt permissions instead of letting Site Recovery create one. Make sure that you have decrypt-encrypt permissions if you're also encrypting the key on the source region.</br>
151
+
*For example*: You try to replicate a VM that has key vault *ContososourceKeyvault* on a source region.
152
+
You have all the permissions on the source region key vault. But during protection, you select the already-created key vault ContosotargetKeyvault, which doesn't have permissions. An error occurs.
146
153
147
-
*For example*: You try to replicate a VM that has a key vault *ContososourceKeyvault*on the source region. You have all the necessary permission on the source region key vault. But during protection, you select the already-created key vault ContosotargetKeyvault, which doesn't have permissions to decrypt and encrypt. An error occurs.</br>
154
+
Permission required on [target Key vault](#required-user-permissions)
148
155
149
-
**How to fix:** Go to **Home** > **Keyvaults** > **ContososourceKeyvault** > **Access policies**. Add permissions under **Key permissions** > **Cryptographic Operations**.
156
+
**How to fix:** Go to **Home** > **Keyvaults** > **ContosotargetKeyvault** > **Access policies** and add the appropriate permissions.
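Review bot: the new Cause 2 block never says which permissions the target vault needs. Its fix ends with "add the appropriate permissions", and the line "Permission required on [target Key vault](#required-user-permissions)" is a fragment with no verb or period. Name the permissions in place (the opening sentence added in this hunk already says write permission on the target vault) so that readers grant only what replication requires instead of guessing toward broad access. The removed Cause 2 covered the decrypt-encrypt case under **Key permissions** > **Cryptographic Operations**; if that scenario still occurs, keep it or confirm the linked section covers it. Smaller points in the added lines: step 4 says "Secret Permission" where step 3 says "Key permissions", casing varies between "Source region Key vault", "target region key vault" and "Target region Key vault", and `</br>` is not a valid tag (use `<br/>` or a blank line).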