Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive.
In this article, we will share with you how to solve the invalid policy configuration on the VM which is preventing Azure Backup (Snapshot) creation.
Introduction
Azure Backup gives you the flexibility to pick and choose the data you want to protect, for as long as you want to protect it. Azure Backup is designed to be cost-effective whether you’re interested in short or long-term retention. And, you can restore virtual machines or individual files and folders—in Azure or on-premises—as needed, for free.
I was recently migrating Windows and Linux virtual machines from on-premises to Azure, and during the scope of the project, we needed to protect those VMs after the migration was completed using the Azure Backup service.
The Issue
When we enabled Azure Backup for the Azure VM, we noticed that the backup job was failing with the following error message:
Error message: The backup pre-check status for this item is Critical. An invalid policy is configured on the VM which is preventing Snapshot operation.
Error code: UserErrorRequestDisallowedByPolicy.

Troubleshooting
After you register and schedule a VM for the Backup service, Azure Backup initiates the job by communicating with the VM agent to take a point-in-time snapshot.
Many conditions might prevent the snapshot from being triggered and created. And when a snapshot isn’t triggered, the backup pre-check job will fail.
Microsoft’s troubleshooting guide documents this error as follows:
UserErrorRequestDisallowedByPolicy – An invalid policy is configured on the VM which is preventing Snapshot operation.
If you have an Azure Policy that governs tags within your environment, either consider changing the policy from a Deny effect to a Modify effect or create the resource group manually according to the naming schema required by Azure Backup.
Finding the Cause
After I started eliminating the potential root causes following the troubleshooting guide, I noticed that one of them is related directly to my issue.
By default, the Azure Backup service creates a separate resource group to store the instant recovery points of managed virtual machines. The default naming format of the resource group created by Azure Backup service is AzureBackupRG_{Geo}_{n}. And it’s optional to customize the resource group name as per your requirement.

Ok, but what is the relation between the optional resource group name for instant restore, and the issue of creating the snapshot?

Well, it turns out that we have activated the built-in Azure Policy with Deny effect, which requires having a Tag defined on resource groups.

Because the instant restore feature in Azure Backup creates a default resource group to store the instant restore points, the policy was denying the creation of the default resource group AzureBackupRG_{Geo}_{n}.
Fixing the Issue
There are two or three possibilities for fixing this issue:
1) You can consider changing the policy from a Deny effect to a Modify effect. The Modify effect is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating or adding tags on resource groups/resources such as Cost Center, Service Name, Owner, Description, etc.
2) The second approach is creating the resource group manually according to the naming schema required by Azure Backup as described by Microsoft here.
3) As a best practice, I would add to the second point the following: Create a dedicated Azure Backup policy for virtual machines that share the same lifecycle and then use the existing resource groups for your VMs based on your internally defined naming convention. By creating a dedicated backup policy per workload or application, you ensure having the flexibility to manage the backup schedule, as well as the data retention range for each workload individually.
And why use the existing resource groups for instant restore points of your virtual machines?

Because a resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, you add resources that share the same lifecycle to the same resource group (in this case a VM or multi-tier application), so you can easily deploy, update, delete them as a group, and assign the appropriate role-based access control (RBAC) permissions at the resource group level.
Because instant restore requires a resource group to store the instant restore points, this ensures that they are stored in the same resource group as the virtual machine(s), which has already been tagged, so Azure Policy won’t block or deny the creation of the instant restore points.
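The cause and the fixes above can be reproduced offline with a small model of how a tag policy is evaluated against a resource group creation request. This is an added example, not code from the original article or from Microsoft, and it is a simplified stand-in for the Azure Policy engine; the tag name CostCenter, the tag values, and the westeurope geo in the resource group name are assumptions made for illustration.

```python
# Added example: a simplified model of Azure Policy evaluation, not the real engine.
import copy

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
TAG = "CostCenter"  # assumed tag name, chosen for illustration

def tag_rule(effect, tag_value=None):
    """Rule modelled on a 'tag required on resource groups' policy (deny or modify)."""
    then = {"effect": effect}
    if effect == "modify":
        then["details"] = {"operations": [
            {"operation": "add", "field": f"tags[{TAG}]", "value": tag_value}]}
    return {"if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                             {"field": f"tags[{TAG}]", "exists": "false"}]},
            "then": then}

def field_value(resource, field):
    if field.startswith("tags["):
        return resource.get("tags", {}).get(field[5:-1])
    return resource.get(field)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, request):
    """Return (allowed, resource as it would be written) for a create request."""
    resource = copy.deepcopy(request)
    if not matches(rule["if"], resource):
        return True, resource            # rule does not apply
    if rule["then"]["effect"] == "deny":
        return False, None               # what the backup pre-check runs into
    if rule["then"]["effect"] != "modify":
        raise ValueError("only deny and modify are modelled")
    for op in rule["then"]["details"]["operations"]:
        resource.setdefault("tags", {})[op["field"][5:-1]] = op["value"]
    return True, resource

# Constructed requests: the untagged group Azure Backup creates by default,
# and the same name created manually with the required tag.
auto_rg = {"type": RG_TYPE, "name": "AzureBackupRG_westeurope_1", "tags": {}}
manual_rg = {**auto_rg, "tags": {TAG: "IT-1001"}}

if __name__ == "__main__":
    print("deny, default RG:   ", evaluate(tag_rule("deny"), auto_rg))
    print("modify, default RG: ", evaluate(tag_rule("modify", "Backup"), auto_rg))
    print("deny, pre-tagged RG:", evaluate(tag_rule("deny"), manual_rg))
```

The first case is the failure described in this article, the second is the Modify approach, and the third covers any resource group that already carries the tag, whether created manually or reused from the VM.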
Enable Azure Backup
Once you have updated your Azure Backup policies to include the appropriate resource group name for the instant restore feature, the Azure Backup pre-check passes and the restore point snapshot is created successfully.

In this case, you don’t need to modify or change the Azure Policy effect.
The instant recovery point restore will take around 1 minute to complete regardless of the disk size of your virtual machine. The instant restore backup capability is super fast.
Summary
In this article, we showed you how to resolve the issue of the invalid backup policy configuration on the Azure VM which is preventing Azure Backup snapshot operation.
> Learn more about how to enable Azure Backup on VMs using Azure Policy.
> Learn more about protecting an Azure Trusted Launch VM with Azure Backup.
> Learn more about updating Azure Backup Policy at Scale using PowerShell.
> Learn more about creating Azure Backup Protection Policy with PowerShell.
Do you want to learn more about Azure Backup and how to create a hybrid-cloud backup solution using SCDPM and Azure Backup Server? Make sure to check my recently published book: Microsoft System Center Data Protection Manager Cookbook.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-