Azure Disk encryption using Azure rest API (PATCH) fails

  • General discussion

  • So I have been trying this for a while. I pass the below payload to the PATCH REST API. My vault is created with ADE encryption enabled with all permissions set.

    payload1 = '{
      "properties": {
        "diskSizeGB": "",
        "encryptionSettingsCollection": {
          "enabled": "true",
          "encryptionSettings": [{
            "diskEncryptionKey": {
              "sourceVault": {
                "id": "/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.KeyVault/vaults/xyz"
              },
              "secretUrl": "https://xyz.vault.azure.net/secrets/secret_name/version"
            }
          }],
          "encryptionSettingsVersion": "1.1"
        }
      }
    }'

    I get the below error:

    MsRestAzure::AzureOperationError: OperationNotAllowed: Cannot change the encryption settings of disk xyz while it is attached to running VM

    Also, can I please get a solution with respect to REST APIs to enable the ADE encryption without giving the secret name and version in the payload, so that Azure manages it?

    Thursday, May 14, 2020 4:01 AM
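
Added example, not part of the original post or any Microsoft sample: a Ruby pre-flight check that inspects a disk's GET response and the PATCH body before the request is sent, flagging the condition reported in the error above (disk attached to a running VM). The disk JSON and resource ids are constructed placeholders, and treating only the `Unattached` and `Reserved` values of `diskState` as safe is an assumption.

```ruby
require "json"

# diskState values in which no running VM holds the disk.
# Assumption: "Reserved" (attached to a deallocated VM) is acceptable.
SAFE_DISK_STATES = %w[Unattached Reserved].freeze

# Build the PATCH body as a Hash so JSON.generate emits balanced braces
# and typed values ("enabled" as a boolean, no empty "diskSizeGB").
def build_encryption_patch(vault_id:, secret_url:)
  {
    "properties" => {
      "encryptionSettingsCollection" => {
        "enabled" => true,
        "encryptionSettings" => [{
          "diskEncryptionKey" => {
            "sourceVault" => { "id" => vault_id },
            "secretUrl" => secret_url
          }
        }],
        "encryptionSettingsVersion" => "1.1"
      }
    }
  }
end

# Return the reasons not to send the PATCH; an empty list means go ahead.
def preflight(disk, patch_body)
  problems = []
  state = disk.dig("properties", "diskState")
  unless SAFE_DISK_STATES.include?(state)
    problems << "disk state is #{state.inspect} (managedBy #{disk['managedBy'].inspect}); " \
                "deallocate the VM or detach the disk first"
  end
  coll = patch_body.dig("properties", "encryptionSettingsCollection") || {}
  unless [true, false].include?(coll["enabled"])
    problems << '"enabled" must be a JSON boolean, not a string'
  end
  problems
end

# Constructed GET responses for the same disk in two states.
VM_ID = "/subscriptions/xyz/resourceGroups/xyz/providers/Microsoft.Compute/virtualMachines/xyz"
ATTACHED_DISK = JSON.parse(%({"managedBy": "#{VM_ID}", "properties": {"diskState": "Attached"}}))
RESERVED_DISK = JSON.parse(%({"managedBy": "#{VM_ID}", "properties": {"diskState": "Reserved"}}))
```
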

All replies

  • Hi ShilpanayakEcomm,

    Based off the error message and your post, it looks like you're trying to encrypt your disk(s)/VM but can't update the encryption settings.


    - What are you trying to accomplish with the "Patch" REST API? Are you trying to encrypt your VM or disk(s)?

    - Do you have the link to the "Path" REST API? I wasn't able to find it under current Key Vault APIs.

    If you're trying to encrypt your VM using ADE, you'll have to follow the attached link and walk through the prerequisite steps.

    We also have a new feature called Storage Service Encryption with Customer Managed Keys (SSE+CMK), if you're trying to just encrypt your managed disks.

    Please let me know if this helps answer your question.

    Thank you.

    Wednesday, May 27, 2020 10:48 PM