Applies only to managed cloud deployments
Security Requirements
All app registrations must:
- Use the Federated Identity Credentials (FIC)–based authentication mechanism.
- Have appropriate Conditional Access policies configured and enforced.
Use these steps to update the security configuration of your single tenant apps to align with current security best practices.
Before You Begin
Identify whether your Azure Active Directory backup app uses one or more single-tenant apps.
Procedure
If your app uses single-tenant apps, perform the following steps:
Step 1: Identify Single Tenant Apps
- From the Command Center navigation pane, go to Protect > Active Directory.
  The Overview page appears.
- On the Apps tab, locate the Azure AD app that you want to update.
- Go to the configuration page of the backup app.
- Identify the existing single tenant apps listed on the configuration page and note down the Azure app ID for each app.
Step 2: Update Permissions in Azure Portal
For each of the single tenant apps, perform the following steps in the Azure portal:
- Sign in to the Azure portal.
- Navigate to Azure Active Directory > App registrations.
- Locate the single tenant app using the Azure app ID you noted earlier.
- Click on the app to open its details.
- In the left navigation, click API permissions.
- Add the following permissions:
  - Click Add a permission.
  - Select Microsoft Graph.
  - Select Application permissions.
  - Search for and add Policy.Read.All.
  - Click Add permissions.
  - Repeat the above steps to add the Application.ReadWrite.OwnedBy permission.
- Remove the Application.ReadWrite.All permission if it is present:
  - In the API permissions list, locate Application.ReadWrite.All.
  - Click the three dots (...) next to the permission.
  - Click Remove permission.
  - Confirm the removal.
- Grant admin consent for the app:
  - At the top of the API permissions page, click Grant admin consent for [Your Organization].
  - Click Yes to confirm.
- If you assign the Application.ReadWrite.OwnedBy permission to your Azure app, you may need to run this Azure CLI command (for example, from PowerShell) to add the Azure app as an owner of itself:
  az ad app owner add --id 062f19f5-9dbf-48fe-adf7-94539bd3fa8e --owner-object-id 55f5965a-48bd-49ee-bcbd-21a55bd18af1
  Where:
  - 062f19f5-9dbf-48fe-adf7-94539bd3fa8e: Replace with the Application (client) ID of your Azure app.
  - 55f5965a-48bd-49ee-bcbd-21a55bd18af1: Replace with the Object ID of your Azure app.
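The portal steps above can be audited and reproduced from the command line. The following script is an added example, not Commvault's code or part of this documentation: it reads the JSON that `az ad app show --id <app-id>` and `az ad sp show --id 00000003-0000-0000-c000-000000000000` (the Microsoft Graph service principal) return, reports which of the required Microsoft Graph application permissions are missing and whether the disallowed Application.ReadWrite.All is still present, and prints the `az ad app permission` commands that mirror the add, remove and admin-consent clicks. Both JSON documents here are constructed samples with made-up role ids (the real Graph role ids are different and are resolved from the live service principal), and the app id is a placeholder.

```python
"""Audit a single-tenant app registration against the Step 2 permission requirements
and print the Azure CLI commands that would remediate any drift.

Added example, not part of the Commvault documentation. Works on the JSON returned by
  az ad app show --id <app-id>
  az ad sp show --id 00000003-0000-0000-c000-000000000000
Both documents below are constructed samples so the check runs offline.
"""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app id
REQUIRED_ROLES = {"Policy.Read.All", "Application.ReadWrite.OwnedBy"}
FORBIDDEN_ROLES = {"Application.ReadWrite.All"}

# Constructed sample of the Graph service principal's appRoles (ids are NOT the real ones).
GRAPH_SP_SAMPLE = json.loads("""{
  "appRoles": [
    {"id": "11111111-0000-4000-8000-000000000001", "value": "Policy.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-4000-8000-000000000002", "value": "Application.ReadWrite.OwnedBy",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-4000-8000-000000000003", "value": "Application.ReadWrite.All",
     "allowedMemberTypes": ["Application"]}
  ]
}""")

# Constructed sample app registration: still holds Application.ReadWrite.All, lacks OwnedBy,
# and also requests one delegated scope, which the audit ignores.
APP_SAMPLE = json.loads("""{
  "appId": "PLACEHOLDER-APP-CLIENT-ID",
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "11111111-0000-4000-8000-000000000003", "type": "Role"},
       {"id": "11111111-0000-4000-8000-000000000001", "type": "Role"},
       {"id": "11111111-0000-4000-8000-000000000009", "type": "Scope"}
     ]}
  ]
}""")


def graph_role_maps(graph_sp):
    """Return (id -> name, name -> id) for the Graph *application* roles."""
    id_to_name = {r["id"]: r["value"] for r in graph_sp["appRoles"]
                  if "Application" in r.get("allowedMemberTypes", [])}
    return id_to_name, {name: rid for rid, name in id_to_name.items()}


def granted_graph_roles(app, id_to_name):
    """Application permissions (type 'Role') the app requests on Microsoft Graph.
    Delegated scopes are skipped; an unknown role id is kept as the raw id."""
    roles = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":
                roles.add(id_to_name.get(access["id"], access["id"]))
    return roles


def check_compliance(app, graph_sp):
    """Missing required roles, excess forbidden roles, and an overall verdict."""
    id_to_name, _ = graph_role_maps(graph_sp)
    roles = granted_graph_roles(app, id_to_name)
    missing = sorted(REQUIRED_ROLES - roles)
    excess = sorted(roles & FORBIDDEN_ROLES)
    return {"missing": missing, "excess": excess, "compliant": not missing and not excess}


def remediation_commands(app, graph_sp):
    """az CLI equivalents of the Step 2 portal clicks: add, remove, then grant admin consent."""
    _, name_to_id = graph_role_maps(graph_sp)
    result = check_compliance(app, graph_sp)
    app_id = app["appId"]
    cmds = []
    for name in result["missing"]:
        cmds.append(f"az ad app permission add --id {app_id} --api {GRAPH_APP_ID} "
                    f"--api-permissions {name_to_id[name]}=Role")
    for name in result["excess"]:
        cmds.append(f"az ad app permission delete --id {app_id} --api {GRAPH_APP_ID} "
                    f"--api-permissions {name_to_id[name]}")
    if cmds:  # consent must be re-granted only when the permission set changed
        cmds.append(f"az ad app permission admin-consent --id {app_id}")
    return cmds


if __name__ == "__main__":
    print(json.dumps(check_compliance(APP_SAMPLE, GRAPH_SP_SAMPLE), indent=2))
    print("\n".join(remediation_commands(APP_SAMPLE, GRAPH_SP_SAMPLE)))
```

To run it against a real tenant, replace the two sample documents with the output of the `az ad app show` and `az ad sp show` commands named in the docstring; the role ids are then resolved from the live Graph service principal rather than from the constructed sample.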
Step 3: Configure Conditional Access Policy
Configure a Conditional Access Policy (CAP) for your single tenant apps. For detailed instructions, see Create a Conditional Access Policy for Azure Active Directory Apps.
What to Do Next
Recommendation
For a better security posture, consider migrating to Commvault hosted multi-tenant apps via express configuration instead of single tenant apps. Multi-tenant apps use Federated Identity Credentials (FIC), which do not require app secrets or certificates and so remove those credentials as something to protect and rotate.
After completing these steps, your single tenant apps will meet current security standards. Monitor the configuration page for any additional security notifications.