Enable managed identities on Recovery Services vault

This article describes how to enable system-assigned and user-assigned managed identities on a vault so Azure Backup can authenticate to dependent Azure resources without storing credentials. The vault uses a managed identity, which acts as a Microsoft Entra ID service principal, and you grant it Azure role-based access control (Azure RBAC) permissions on target resources such as protected data sources and Azure Key Vault encryption keys.

Azure Backup uses this identity to obtain Microsoft Entra tokens at runtime, eliminating credential handling while enabling secure access at no extra cost. The article also explains when to use each identity type and how their lifecycle and assignment differ.

Supported managed identity types

Azure Backup supports system-assigned and user-assigned managed identities. You can enable both managed identity types on the same vault at the same time.

Managed identity type: System-assigned
  • Created automatically when the vault is provisioned and enabled by default.
  • Lifecycle is tied to the vault: deleted when the vault is deleted.
  • Exactly one system-assigned identity exists per vault.
  • Can be disabled; any operation that depends on it fails until it is re-enabled or replaced by a user-assigned identity with equivalent roles.
  • Note that the system-assigned identity has the same name as the vault. Use the object ID from the Identity blade for automation.

Managed identity type: User-assigned
  • An independent Azure resource that you create and manage separately from the vault.
  • Can be attached to many vaults; multiple user-assigned identities can be attached to a single vault.
  • Lifecycle is decoupled from the vault: deleting the vault does not delete the identity.
  • Recommended for fleet-scale deployments, standardized RBAC, and pre-provisioned identities.

Key differences between system-assigned and user-assigned managed identities

The following table provides a comparison summary of system-assigned and user-assigned managed identities.

Consideration            | System-assigned                                  | User-assigned
-------------------------|--------------------------------------------------|-----------------------------------------------------------------
Lifecycle                | Tied to the vault; deleted with it               | Independent; persists across vault changes
Cardinality              | One per vault                                    | Many per vault; sharable across vaults
Typical use case         | Single-vault deployments, simplest setup         | Fleet deployments, standardized RBAC, pre-provisioned identities
Enable at vault creation | Not supported; enable after the vault is created | Supported on Backup vault at creation

Prerequisites

Before you enable managed identities for the vault, review the following prerequisites:

  • Check that a vault exists, or that you have permission to create one.
  • Verify that your account has the Backup Contributor role (or equivalent) on the vault to manage identity and assign roles.
  • Identify the resource group of each downstream resource (disk, storage account, key vault, and so on) to scope role assignments correctly.

Enable managed identity

You can enable managed identities for a Recovery Services vault using the Azure portal, Azure CLI, or PowerShell.

To enable managed identities for a Recovery Services vault using the Azure portal, follow these steps:

  1. Go to your Recovery Services vault and select Settings > Identity.

  2. On the Identity pane, for a system-assigned identity, select the System assigned tab, set Status to On, and select Save.

    [Screenshot: assigning a system-assigned identity to the Recovery Services vault]

  3. For a user-assigned identity, select the User assigned tab, select + Add, choose the subscription and identity, and select Add.

    [Screenshot: assigning a user-assigned identity to the Recovery Services vault]
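
The same procedure from the Azure CLI, as an added example that is not part of the original article: it enables the system-assigned identity, reads the identity's object ID (principalId) out of the CLI's JSON output, and assigns that object ID a role at a downstream resource scope. The resource group, vault, identity resource ID, role name, and target scope are placeholders, and the JSON shape (the vault resource with an identity block) is assumed.

```shell
#!/usr/bin/env bash
# Added example: enable managed identities on a Recovery Services vault with
# Azure CLI and grant the identity RBAC on a target resource. All names and
# resource IDs below are placeholders; the role depends on the target resource.
set -eu

# Turn on the system-assigned identity. Assumed to print the vault resource
# JSON, whose identity block carries principalId (what role assignments use).
enable_system_identity() {
  az backup vault identity assign \
    --resource-group "$1" --name "$2" --system-assigned --output json
}

# Attach a pre-provisioned user-assigned identity by its full resource ID.
# Both identity types can coexist on the same vault.
attach_user_identity() {
  az backup vault identity assign \
    --resource-group "$1" --name "$2" --user-assigned "$3" --output json
}

# Read back what is currently enabled (useful after a disable/re-enable).
show_identity() {
  az backup vault identity show --resource-group "$1" --name "$2" --output json
}

# Pull principalId out of the CLI's JSON (stdin) without depending on jq.
# Prints nothing when no identity is present, so callers can test for it.
principal_id_from_json() {
  sed -n 's/.*"principalId": *"\([0-9a-fA-F-]\{36\}\)".*/\1/p' | head -n 1
}

# Grant the vault identity a role at a downstream scope. Assign by object ID
# and declare the principal type: the vault name is not an assignee, and a
# just-created identity may not yet resolve through a directory lookup.
grant_role() {
  az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3"
}

# Usage (placeholders): enable, then scope the role to the resource's own ID
# so the identity gets least privilege rather than a subscription-wide grant.
#   pid=$(enable_system_identity myRg myVault | principal_id_from_json)
#   [ -n "$pid" ] || { echo "identity not enabled" >&2; exit 1; }
#   grant_role "$pid" "<role required by target>" \
#     "/subscriptions/<sub>/resourceGroups/myRg/providers/<provider>/<type>/<name>"
```

If the system-assigned identity is later disabled and re-enabled, it receives a new principalId, so role assignments made against the old object ID stop working and must be recreated.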

Next steps