Problem Description
In Druva Phoenix, both scheduled and manual Azure VM backups fail. Additionally, the Druva Console may display the following status indicators:
Upgrade Required
Sync is disabled
When this occurs, the affected Azure subscription fails to synchronize with the Druva Console, blocking all subsequent backup operations.
Cause
This issue is caused by insufficient or missing Azure permissions required by Druva for subscription management, synchronization, and backup execution. The failure typically stems from one or both of the following causes:
Cause 1: Incomplete Azure RBAC Permissions
A custom Azure role configured with restricted or least-privilege settings may be missing the explicit permissions required to interact with virtual machines, disks, snapshots, images, or Key Vaults.
Cause 2: Missing Microsoft Graph API Permissions
The Druva Enterprise Application was not granted the required Microsoft Graph API permission: Application.Read.All. Without it, subscription synchronization, application validation, and required upgrade operations cannot complete.
Traceback
The following backend log entries typically accompany this issue:
message="could not get ekey in all connections" traceback="failed to get connectionID and locationID"
message="entity does not exists: Resource not found"
message="failed to get account details"
Resolution
Step 1: Update Azure RBAC Permissions
Ensure your custom Azure role includes the full set of permissions required to protect resources. For a comprehensive list, see the Druva Roles and Permissions Guide.
Verify that the following permissions are explicitly defined:
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/capture/action
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/endGetAccess/action
Microsoft.Compute/snapshots/beginGetAccess/action
Microsoft.Compute/snapshots/endGetAccess/action
Microsoft.Compute/images/write
Microsoft.KeyVault/vaults/secrets/write
Microsoft.KeyVault/vaults/write
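One way to carry out the Step 1 verification offline, as an added example (not Druva's or Microsoft's code): it checks a role definition exported as JSON against the actions listed above, honoring `*` wildcards and `notActions`. The input shape (a `permissions` list with `actions`/`notActions`, as printed by `az role definition list`, or nested under `properties`) and the sample role are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = [  # actions listed in Step 1 of this article
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/capture/action",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/disks/endGetAccess/action",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/snapshots/endGetAccess/action",
    "Microsoft.Compute/images/write",
    "Microsoft.KeyVault/vaults/secrets/write",
    "Microsoft.KeyVault/vaults/write",
]

def _matches(patterns, action):
    # Azure action strings are case-insensitive; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(role, required=REQUIRED_ACTIONS):
    """Return required actions not effectively granted by a role definition.

    Accepts the flat shape (role["permissions"]) or the nested
    shape (role["properties"]["permissions"]); both are assumed input formats.
    """
    blocks = role.get("permissions") or role.get("properties", {}).get("permissions", [])
    missing = []
    for action in required:
        granted = any(
            _matches(b.get("actions", []), action)
            and not _matches(b.get("notActions", []), action)  # notActions subtract
            for b in blocks
        )
        if not granted:
            missing.append(action)
    return missing

# Constructed sample role definition (not taken from a real tenant).
SAMPLE_ROLE = {"permissions": [{
    "actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Compute/snapshots/*",
        "Microsoft.KeyVault/vaults/write",
    ],
    "notActions": ["Microsoft.Compute/virtualMachines/capture/action"],
}]}

if __name__ == "__main__":
    for a in missing_actions(SAMPLE_ROLE):
        print("MISSING:", a)
```

The sample role looks broad because of its wildcards, yet three of the required actions are still reported as missing: one is removed by `notActions` and two are never granted.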
Step 2: Configure Microsoft Graph Permissions
Assign the following Microsoft Graph API permissions to the Druva Enterprise Application:
Application.ReadWrite.OwnedBy
Application.ReadWrite.All
Application.Read.All
Step 3: Grant Admin Consent
Log in to the Azure Portal.
Navigate to Azure Active Directory > Enterprise Applications.
Select the Druva Enterprise Application.
Go to the Permissions blade.
Click Grant Admin Consent and confirm the authorization.
Step 4: Verify Key Vault Access
Ensure that Key Vault access policies and RBAC permissions are properly aligned, allowing the Druva application to successfully access required encryption keys for the VMs.
Step 5: Force Subscription Sync
Log in to the Druva Console.
Manually trigger a subscription sync.
Once the sync completes successfully, retry the Azure VM backup.
Best Practices
Always utilize Druva-recommended Azure permission sets during initial onboarding.
Ensure Admin Consent is explicitly granted immediately after modifying Microsoft Graph permissions.
Validate Key Vault accessibility prior to enabling backups for encrypted VMs.
Periodically audit custom roles to ensure permissions remain aligned following Azure platform updates.
