Hi Arvind Thakur,
Thanks for reaching out to Microsoft Q&A.
The error servicecontainernotemptywithbackendmessage suggests that the operation the user is attempting requires unlocking privileged access to delete the Resource Guard proxy. The Resource Guard proxy provides an extra layer of protection to safeguard critical operations, such as deleting backups, and specific elevated permissions are required.
Suggested solution steps to try and narrow down the issue:
- Unlock privileged access for the Resource Guard proxy:
  - Ensure that the user has been assigned the appropriate privileged roles related to the Resource Guard configuration. Since you are encountering the error even with elevated permissions (such as Contributor), it's important that the user is granted access to unlock the Resource Guard proxy through the privileged access management (PIM) system. This privilege is required to perform operations like backup agent cleanup.
  - Ensure the user has one of the following roles for the Resource Guard:
    - Backup Admin
    - Backup Operator
    - Contributor for the Resource Guard itself, specifically for unlocking operations.
- Review privilege escalation for the Resource Guard:
  - From the Azure Backup perspective, check whether the PIM role assignments are correctly configured for the Recovery Services vault and the associated Resource Guard.
  - You may need to escalate privileges temporarily for the user to the Backup Administrator role specifically within the Resource Guard settings to perform the cleanup.
- PIM assignment verification:
  - Ensure that the PIM-assigned role is activated and has sufficient permissions to unlock the Resource Guard. Sometimes, even though the role is assigned, the activation step might be missed. Verify this in Azure AD Privileged Identity Management under the user's active roles.
- Resource Guard configuration check:
  - If the issue persists, check the Resource Guard policies to see if additional configuration changes are needed to allow the user to perform cleanup operations.
Additional recommendations:
If the error persists even after verifying the roles, try assigning the Resource Guard owner role temporarily to the user and see if that allows the required operation. You may also want to check the activity log and role assignment log for any warnings or errors when the user is performing the task.
These steps should help address the permission issues tied to the Resource Guard and the Recovery Services vault backup agent cleanup.