AZR0002: Out of place VM restore to different region might fail when source VM is encrypted


On this page


When an out-of-place VM is restored to a different region under the same subscription, the restore might fail if the Azure virtual client is authenticated with Managed Identity.


During an out-of-place VM restore job of an encrypted VM to a different region, the restore process will automatically create a new Key Vault with the name format, [SourceKeyVaultName+RegionName]. After successfully creating the Key Vault during the restore job, the restore job will automatically assign the required minimum permission for the Azure AD application to restore the backed up keys and secrets. However, this is not possible if the Azure virtual client is created using Managed Identity. The job might fail with the following error.

Error Code: [91:79]

Description: Unable to create a new virtual machine [MSICU] on host [centralrg] datastore [centralrgdiag]. [Failed to setup encryption settings for the VM]

Source: AzureProxyV2CS, Process: vsrst


  • Create a new Key Vault or search for an existing Key Vault that the restore process might have created under the destination region with name format [SourceKeyvaultname+regionname].

  • Assign the required permissions to the Managed Identity-enabled virtual machine to the new key vault in the destination region as described in Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.

  • Retry the restore job; the VM should restore successfully.