Azure Site Recovery Cross Subscription Permissions

I recently encountered an issue setting up Azure-to-Azure ASR replication where the Recovery Services Vault was in a different subscription from the source virtual machines being protected. Because the vault sat in a different subscription scope from the source resources, the Service Principal that the Recovery Services Vault uses did not have the read permissions it required on them.

When the Site Recovery jobs were initiated, the following error was produced.

Error ID: 28040

Error Message: Azure error message: 'The client 'e486xxx-xxx-xxx-xxx247' with object id 'e48xxxxx-xxxx-xxxx-xxxxxc247' does not have authorization to perform action 'Microsoft.Network/networkInterfaces/read' over scope '/subscriptions/xxxxxx-xxxx-xxxx-xxxxx/resourceGroups/ORG1A-GW/providers/Microsoft.Network/networkInterfaces/org1a-gw325'.'.

Checking the Site Recovery jobs, the failure occurred during the "Installing Mobility Service and preparing target" step.

What this error tells us is that the Service Principal ASR uses does not have read permission on the source network interface, which it needs in order to process the job. The error also names the exact action that was denied (Microsoft.Network/networkInterfaces/read) and the exact scope it was attempted on, which is all the information needed to fix the assignment.

The relevant Service Principal is identified by the GUID given as the object id in the error message, 'e48xxxxx-xxxx-xxxx-xxxxxc247'.

You can confirm this with the following command from the AzureAD module: Get-AzureADObjectByObjectId -ObjectIds e48xxxxx-xxxx-xxxx-xxxxxc247 | fl

As you can see, the object id maps to a Service Principal whose DisplayName is "Hyper-V Recovery Manager". We can confirm this further from the Azure side with the following command: Get-AzureRmADServicePrincipal | where displayname -Like *hyper*

Now that we know which Service Principal we need to assign permissions to, we can refer back to the original error to determine where we need to assign them. The error states that the Service Principal does not have read permission on the network interface. For simplicity's sake, I will grant Read permissions on the entire resource group where the source VMs are located. Note that this is broader than the single network interface named in the error; if least privilege matters more than convenience in your environment, the same role can be assigned at the scope of the individual NIC (or VM) resources instead.

First, we can check the existing role assignments for the "Hyper-V Recovery Manager" Service Principal on the resource group and confirm that there are none.

Next, we assign the Reader role for the Service Principal on the resource group.

Now when we check the role assignments again, we can see that the "Hyper-V Recovery Manager" Service Principal has Reader permissions on the resource group.
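The lookup, check and assignment above, collected into one script as an added example (it is not code from the original post). It uses the current Az PowerShell module (Get-AzADServicePrincipal, Get-AzRoleAssignment, New-AzRoleAssignment) rather than the older AzureAD/AzureRM cmdlets shown in the post, and assumes you have already run Connect-AzAccount with an identity that can read Azure AD service principals and create role assignments in the source subscription. The parameter values (subscription id, resource group name, object id from the error) are placeholders you supply from your own error message.

```powershell
<#
  Added example, not from the original post. Grants the ASR service principal
  the Reader role on the source resource group, the way the post describes,
  using Az module cmdlets. Assumes Connect-AzAccount has already been run.
  All parameter values are placeholders taken from your own error 28040 text.
#>
param(
    [Parameter(Mandatory)] [string] $SourceSubscriptionId,   # subscription that holds the source VMs / NICs
    [Parameter(Mandatory)] [string] $SourceResourceGroup,    # resource group named in the error's scope
    [Parameter(Mandatory)] [string] $ObjectIdFromError,      # the "object id" GUID quoted in the error
    [string] $RoleName = 'Reader'                            # built-in role that includes */read
)

$ErrorActionPreference = 'Stop'

# Role assignments must be created in the subscription that owns the source
# resources, not the one that holds the Recovery Services Vault.
Set-AzContext -SubscriptionId $SourceSubscriptionId | Out-Null

# 1. Resolve the object id from the error to a service principal and check its
#    display name before granting it anything.
$sp = Get-AzADServicePrincipal -ObjectId $ObjectIdFromError
if (-not $sp) {
    throw "No service principal with object id $ObjectIdFromError in this tenant."
}
if ($sp.DisplayName -ne 'Hyper-V Recovery Manager') {
    throw "Object id resolves to '$($sp.DisplayName)', not the ASR service principal; refusing to grant access."
}

# 2. Check whether the principal already holds the role at (or above) this scope.
#    Get-AzRoleAssignment also returns inherited assignments, so a Reader role
#    granted at subscription level would show up here too.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $SourceResourceGroup |
    Where-Object RoleDefinitionName -eq $RoleName

if ($existing) {
    Write-Host "Existing '$RoleName' assignment found at scope $($existing[0].Scope); nothing to do."
} else {
    # 3. Grant the role on the resource group (the scope chosen in the post).
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -ResourceGroupName $SourceResourceGroup | Out-Null
    Write-Host "Granted '$RoleName' to '$($sp.DisplayName)' on resource group '$SourceResourceGroup'."
}

# 4. Verify what the principal now holds at this scope.
Get-AzRoleAssignment -ObjectId $sp.Id -ResourceGroupName $SourceResourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run it as, for example, `.\Grant-AsrReader.ps1 -SourceSubscriptionId <id> -SourceResourceGroup ORG1A-GW -ObjectIdFromError <object id from the error>`. The display-name check is there so a typo in the object id cannot hand Reader access to some unrelated principal; if you want the tighter scope mentioned above, replace `-ResourceGroupName` on the New-AzRoleAssignment call with `-Scope` set to the full resource id of the NIC from the error message. Role assignments can take a few minutes to propagate, so give it a moment before restarting the job.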

Now that the permissions are correct, we can restart the job.

The job now progresses, and the replication is enabled.

Finally, we can check the ASR console and confirm the replication status is healthy for the VM.