
Solution – Azure Backup An Invalid Policy is Configured on The VM


Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.

In this article, we will share with you how to solve the invalid policy configuration on the VM which is preventing Azure Backup (Snapshot) creation.

Introduction

Azure Backup gives you the flexibility to pick and choose the data you want to protect, for as long as you want to protect it. Azure Backup is designed to be cost-effective whether you’re interested in short or long-term retention. And, you can restore virtual machines or individual files and folders—in Azure or on-premises—as needed, for free.

I was recently migrating Windows and Linux virtual machines from on-premises to Azure, and as part of the project scope, we needed to protect those VMs with the Azure Backup service after the migration was completed.

The Issue

When we enabled Azure Backup for the Azure VM, we noticed that the backup job was failing with the following error message:

Error message: The backup pre-check status for this item is Critical. An invalid policy is configured on the VM which is preventing Snapshot operation.

Error code: UserErrorRequestDisallowedByPolicy.

Azure Backup UserErrorRequestDisallowedByPolicy

Troubleshooting

After you register and schedule a VM for the Backup service, Azure Backup initiates the job by communicating with the VM agent to take a point-in-time snapshot.

Many conditions might prevent the snapshot from being triggered and created. And when a snapshot isn’t triggered, the backup pre-check job will fail.

Microsoft's troubleshooting guide documents this error as follows:

UserErrorRequestDisallowedByPolicy – An invalid policy is configured on the VM which is preventing Snapshot operation.

If you have an Azure Policy that governs tags within your environment, either consider changing the policy from a Deny effect to a Modify effect or create the resource group manually according to the naming schema required by Azure Backup.

Finding the Cause

After I started eliminating the potential root causes following the troubleshooting guide, I noticed that one of them is related directly to my issue.

By default, the Azure Backup service creates a separate resource group to store the instant recovery points of managed virtual machines. The default naming format of the resource group created by Azure Backup service is AzureBackupRG_{Geo}_{n}. And it’s optional to customize the resource group name as per your requirement.

Azure Backup default RG for Instance Restore

Ok, but what is the relation between the optional resource group name for instant restore, and the issue of creating the snapshot?

Azure Backup Resource Group for Virtual Machines

Well, it turns out that we had activated the built-in Azure Policy with a Deny effect, which requires a tag to be defined on resource groups.

Enforces the existence of a tag on resource groups

Because the instant restore feature in Azure Backup creates a default resource group to store the instant restore points, the policy was denying the creation of the default resource group AzureBackupRG_{Geo}_{n}.

Fixing the Issue

There are two or three possibilities for fixing this issue:

1) You can consider changing the policy from a Deny effect to a Modify effect. The Modify effect is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating or adding tags on resource groups/resources such as Cost Center, Service Name, Owner, Description, etc.

2) The second approach is creating the resource group manually according to the naming schema required by Azure Backup as described by Microsoft here.

3) As a best practice, I would add to the second point the following: Create a dedicated Azure Backup policy for virtual machines that share the same lifecycle and then use the existing resource groups for your VMs based on your internally defined naming convention. By creating a dedicated backup policy per workload or application, you ensure having the flexibility to manage the backup schedule, as well as the data retention range for each workload individually.
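For option 1 above, this is what a tag rule on resource groups looks like with the Modify effect (an added example, not taken from the original article). The display name, description and the tagName/tagValue parameter names are assumptions chosen for illustration; the role listed is the built-in Contributor role.

```json
{
  "properties": {
    "displayName": "Example: add a required tag to resource groups (Modify, not Deny)",
    "description": "Constructed example, not from the original article. Adds the tag when it is missing instead of denying the request.",
    "mode": "All",
    "parameters": {
      "tagName": { "type": "String", "metadata": { "displayName": "Tag Name" } },
      "tagValue": { "type": "String", "metadata": { "displayName": "Tag Value" } }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
          { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```

The Deny version uses the same "if" block with "then": { "effect": "deny" }, which is what rejects the untagged AzureBackupRG_{Geo}_{n} resource group. A Modify assignment needs a managed identity that holds the role listed in roleDefinitionIds, so review that role grant as part of the change.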

And why use the existing resource groups for instant restore points of your virtual machines?

Configuring Azure Backup Instant Restore Resource Group Name

Because a resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, you add resources that share the same lifecycle to the same resource group (in this case a VM or multi-tier application), so you can easily deploy, update, delete them as a group, and assign the appropriate role-based access control (RBAC) permissions at the resource group level.

Because instant restore requires a resource group to store the instant restore points, this approach ensures that they are stored in the same resource group as the virtual machine(s), which has already been tagged, so Azure Policy won’t block or deny the creation of the instant restore points.

Enable Azure Backup

Once you have updated your Azure Backup policies to include the appropriate resource group name for the instant restore feature, the Azure Backup pre-check passes and the restore point snapshot is created successfully.

Azure Backup Pre-Check and Backup Status

In this case, you don’t need to modify or change the Azure Policy effect.

The instant recovery point restore will take around 1 minute to complete regardless of the disk size of your virtual machine. The instant restore backup capability is super fast.

Summary

In this article, we showed you how to resolve the issue of the invalid backup policy configuration on the Azure VM which is preventing Azure Backup snapshot operation.


Do you want to learn more about Azure Backup and how to create a hybrid-cloud backup solution using SCDPM and Azure Backup Server? Make sure to check my recently published book: Microsoft System Center Data Protection Manager Cookbook.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
