Complete the following configuration before connecting your Azure account to Commvault, which uses that account to discover and protect Azure resources.
To discover resources with Commvault, configure access to Azure using the Commvault Express configuration. This means registering one multi-tenant Microsoft Entra ID (Azure AD) application and then choosing how Commvault authenticates as that application: either with federated identity credentials, which leave no long-lived secret to store, or with a client secret. The registration and API permission steps are the same for both; only the credential sections that follow differ.
Register an Azure application
To create a multi-tenant Azure AD application, do the following:
- Log on to the Azure portal https://portal.azure.com with an account that is allowed to register applications. A Global Administrator account works, but it is not required: the Application Administrator role can also create app registrations and is the least-privileged choice for this task.
- Go to Azure Active Directory (shown as Microsoft Entra ID in the current portal).
- From the navigation pane, click App registrations.
- Click New registration.
- For Name, enter CommvaultCloudDiscovery.
- Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- For Redirect URI, enter the Command Center URL followed by the callback path. For example: https://$[CommandCenterHost]/commandcenter/processAzureAuthToken.do
  Microsoft Entra ID matches redirect URIs exactly (scheme, host, port and path), so use the HTTPS address through which users reach Command Center. A mismatch fails the sign-in, and registering extra or broader URIs widens where authorization responses for this application can be sent.
- Click Register.
Request and grant permissions for Azure APIs
- From the Azure navigation pane, click API permissions.
- Click Add a permission, and then do the following:
  - In the Microsoft APIs tab, click Microsoft Graph, and then click Delegated permissions.
  - Search for and select User.Read.
  - Click Add permissions.
  For more information about permissions, see Microsoft Permissions.
- Click Add a permission again, and then do the following:
  - In the Microsoft APIs tab, click Azure Service Management, and then click Delegated permissions.
  - Select user_impersonation. This delegated permission lets the application call Azure Service Management (Azure Resource Manager) on behalf of the signed-in user, limited to that user's own Azure RBAC rights.
  - Click Add permissions.
Both grants are delegated permissions, so the application holds no standing access of its own: what Commvault can discover is bounded by the roles of the user who signs in. Do not add application permissions here; the procedure needs only these two delegated scopes.
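The registration above leaves three things to verify before handing the application to Commvault: the sign-in audience, the exact redirect URI, and that only the two delegated permissions were granted. The following is an added example (not Commvault's or Microsoft's code) that audits an application object in the shape Microsoft Graph returns for `GET /applications/{id}` (also what `az ad app show` prints). The resource and permission IDs are Microsoft's well-known values; the host name, the sample manifest and the extra "Role" permission in it are constructed for the example.

```python
"""Audit a multi-tenant app registration against the minimal configuration
described in the procedure above (example code, not Commvault's own)."""
from urllib.parse import urlsplit

# Well-known resource and permission IDs (the same in every tenant; confirm
# in the API permissions blade of your tenant if in doubt).
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
GRAPH_USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
AZURE_SERVICE_MGMT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
ASM_USER_IMPERSONATION = "41094075-9dad-400e-a0bd-54e686782033"

# Exactly what the procedure grants: two delegated ("Scope") permissions.
EXPECTED_SCOPES = {
    (MS_GRAPH, GRAPH_USER_READ, "Scope"),
    (AZURE_SERVICE_MGMT, ASM_USER_IMPERSONATION, "Scope"),
}
REDIRECT_PATH = "/commandcenter/processAzureAuthToken.do"


def audit_app_registration(app: dict, command_center_host: str) -> list:
    """Return a list of findings; an empty list means the registration matches the procedure."""
    findings = []

    # The procedure registers a multi-tenant app; "AzureADandPersonalMicrosoftAccount"
    # is wider than needed and "AzureADMyOrg" blocks other tenants from signing in.
    if app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected 'AzureADMultipleOrgs'")

    # Entra matches redirect URIs exactly, so the registered value must be the
    # Command Center callback over HTTPS, and nothing else should be registered.
    expected = f"https://{command_center_host}{REDIRECT_PATH}"
    uris = app.get("web", {}).get("redirectUris", [])
    if expected not in uris:
        findings.append(f"redirect URI {expected} is not registered")
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.fragment:
            findings.append(f"redirect URI {uri} must be https and carry no fragment")
        elif uri != expected:
            findings.append(f"unexpected redirect URI {uri}; authorization responses could be sent there")

    # Least privilege: the procedure asks for two delegated permissions only.
    granted = {
        (res["resourceAppId"], acc["id"], acc["type"])
        for res in app.get("requiredResourceAccess", [])
        for acc in res.get("resourceAccess", [])
    }
    for res_id, perm_id, _kind in sorted(EXPECTED_SCOPES - granted):
        findings.append(f"missing delegated permission {perm_id} on {res_id}")
    for res_id, perm_id, kind in sorted(granted - EXPECTED_SCOPES):
        label = "application (Role)" if kind == "Role" else "delegated"
        findings.append(f"extra {label} permission {perm_id} on {res_id}; remove unless required")
    return findings


# Constructed sample: correct audience, but an extra plain-HTTP redirect URI and
# a hypothetical application-level Graph permission the procedure never asked for.
SAMPLE_APP = {
    "displayName": "CommvaultCloudDiscovery",
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": [
        "https://cc.example.com/commandcenter/processAzureAuthToken.do",
        "http://cc.example.com/commandcenter/processAzureAuthToken.do",
    ]},
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH, "resourceAccess": [
            {"id": GRAPH_USER_READ, "type": "Scope"},
            {"id": "00000000-0000-0000-0000-00000000beef", "type": "Role"},  # placeholder ID
        ]},
        {"resourceAppId": AZURE_SERVICE_MGMT, "resourceAccess": [
            {"id": ASM_USER_IMPERSONATION, "type": "Scope"},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_APP, "cc.example.com"):
        print("FINDING:", finding)
```

Run it against the real object after registration; two findings on the constructed sample (the HTTP redirect and the extra Role permission) are the kind of drift that tends to creep in when an application is reused across projects.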
Azure Express configuration using federated identity credentials
Express configuration can use federated identity credentials (FIC) backed by a managed identity. This is the preferred authentication method because there is no client secret or certificate to store, protect or rotate: the CommServe VM obtains a short-lived managed identity token from Azure and exchanges it for a token as the application.
Important
To use the FIC approach, the CommServe VM must be hosted in Azure, because only an Azure resource can carry a managed identity.
Configure a managed identity
Create a user-assigned managed identity in Azure and assign it to the CommServe VM. For more information, see Configuring Access to Azure Resources Using a Managed Identity.
Important
- The managed identity must be in the same subscription as the CommServe VM.
- The user-assigned identity must be assigned to every production and standby CommServe VM. The federated credential trusts that one identity, so a standby VM without it cannot authenticate after a failover.
Configure federated identity credentials on Azure application
A federated credential tells Microsoft Entra ID to accept a token issued to the managed identity as proof that the caller is this application; the issuer and subject recorded on the credential pin that trust to one specific identity. Do the following:
- Log on to the Microsoft Entra admin center.
- From the navigation pane, go to App registrations, and select your application.
- From the left pane, select Certificates & secrets.
- On the Federated credentials tab, click Add credential.
- From the Federated credential scenario list, select Managed Identity, and select the user-assigned identity that you assigned to the CommServe VM.
- The Issuer and Subject identifier fields are populated automatically from the selected identity (the issuer is your tenant's login endpoint; the subject is the identity's object ID). Leave them as they are.
- For Name, enter the credential name.
- For Audience, enter api://AzureADTokenExchange, and click Add.
For more information, see the Configure a federated identity credential on an application article on the Microsoft website.
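At the token endpoint, Microsoft Entra ID accepts the managed identity token as the application's client assertion only if the token's `iss`, `sub` and `aud` match the federated credential configured above. The following added example (not Commvault's or Microsoft's implementation) performs that same comparison locally on a token obtained from the VM's identity endpoint, so a wrong identity or a token requested for the wrong audience is caught before the exchange fails, and it shows the form of the exchange request itself. The tenant ID, managed identity object ID and the unsigned sample token are constructed; signature verification is done by Entra, not here.

```python
"""Check a managed identity token against a federated identity credential and
build the client-assertion token request (example code, not Commvault's own)."""
import base64
import json
import time
from typing import Optional

EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def inspect_assertion(token: str, fic: dict, now: Optional[float] = None) -> list:
    """Compare token claims with a federated credential {issuer, subject, audiences}.

    Returns the mismatches Entra would reject the exchange for; empty means OK."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != fic["issuer"]:
        problems.append(f"issuer {claims.get('iss')} != {fic['issuer']} (token from another tenant?)")
    if claims.get("sub") != fic["subject"]:
        problems.append(f"subject {claims.get('sub')} != {fic['subject']} (token from another managed identity?)")
    if claims.get("aud") not in fic["audiences"]:
        problems.append(f"audience {claims.get('aud')} not in {fic['audiences']} (request the token for {EXCHANGE_AUDIENCE})")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def exchange_request(tenant_id: str, client_id: str, assertion: str, scope: str):
    """URL and form body of the client_credentials grant that trades the MI token for an app token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return url, body


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demonstration; Entra would never accept it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed placeholders for the tenant and the user-assigned identity's object ID.
TENANT = "11111111-2222-3333-4444-555555555555"
MI_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# What the portal records on the federated credential for a managed identity.
FIC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "subject": MI_OBJECT_ID,
    "audiences": [EXCHANGE_AUDIENCE],
}

if __name__ == "__main__":
    sample = make_unsigned_token({"iss": FIC["issuer"], "sub": MI_OBJECT_ID,
                                  "aud": EXCHANGE_AUDIENCE, "exp": time.time() + 3600})
    print("problems:", inspect_assertion(sample, FIC))
    print(exchange_request(TENANT, "<application-id>", sample, "https://management.azure.com/.default"))
```

The two failure modes worth remembering: a token requested for a resource other than api://AzureADTokenExchange (for example for Azure Resource Manager directly) fails the audience check, and a token from a VM that carries a different identity, such as a standby CommServe without the user-assigned identity, fails the subject check.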
Enable system-assigned managed identity
The Azure resource that serves as the managed identity object must also have its system-assigned managed identity enabled. To enable the system-assigned managed identity for the CommServe VM, do the following:
- In the Azure portal, open the CommServe VM.
- From the left navigation pane, go to Identity.
- Under System assigned, set Status to On.
  For instructions, see the Configure managed identities on Azure virtual machines (VMs) article on the Microsoft website.
- Click Save.
Create credentials in Commvault Credential Vault
Managed identity credentials
To create managed identity credentials in the Credential Vault, see Adding a Credential to a Built-in Credential Vault.
Use the following custom values:

| Field | Value / Description |
|---|---|
| Account type | Cloud Account |
| Vendor type | Microsoft Azure |
| Authentication type | Managed Identity |
| Credential name | CloudDiscovery_$[CS_VM_name] |
| Object ID | The object ID of the user-assigned managed identity. |
| Show endpoints | Enable the toggle. |
| Management endpoint | |
| Description | This is the managed identity for cloud discovery $[CS_VM_name]. |
Federated identity credentials
To create the FIC credential in the Credential Vault, see Adding a Credential to a Built-in Credential Vault.
Use the following custom values:

| Field | Value / Description |
|---|---|
| Account type | Cloud Account |
| Vendor type | Microsoft Azure |
| Authentication type | App Registration (Federated) |
| Credential name | Azure Multi Tenant App Cloud Discovery |
| Application ID | The application (client) ID of the registered application. |
| Tenant ID | The tenant ID in which the application is registered. |
| Application Name | The name of the application. |
| Managed Identity Credential | The managed identity credential created above, which supplies the token that is exchanged for the application token. |
| Description | This is the federated credential for cloud discovery. |
Azure Express configuration using client secret authentication
If your CommServe VM is hosted in a self-managed cloud or on-premises environment, it cannot carry an Azure managed identity, so complete the configuration described in this section instead.
Create a client secret for the Azure App
- From the Azure navigation pane, click Certificates & secrets.
- Click New client secret.
- Enter a description and an expiration date. Choose the shortest expiry your rotation process can sustain; the secret is a long-lived password for the application, and anyone holding it can act as the application in every tenant that has consented to it.
- Click Add.
- Record the key value.
Important
The key value is your application password. After you leave the Certificates & secrets section, you cannot retrieve the key value; you can only create a new secret. Store it only in the Commvault Credential Vault (next section), not in scripts, tickets or chat, and plan to replace it in both Azure and the Credential Vault before it expires, since discovery stops working when it does.
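Because the secret has an expiry and cannot be read back, the practical risks are an expired secret that silently breaks discovery and old secrets left behind after rotation. The following added example (not Commvault's or Microsoft's code) reviews the `passwordCredentials` list of the application object as Microsoft Graph returns it, flagging expired secrets, secrets with an over-long lifetime, secrets due to expire soon, and more than one active secret outside a rotation window. The thresholds, credential names and timestamps are constructed for the example.

```python
"""Review client secrets on the app registration for expiry and rotation
hygiene (example code, not Commvault's own)."""
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    # Graph emits timestamps such as "2025-01-15T09:30:00Z"; fromisoformat
    # needs an explicit offset on Python versions before 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_client_secrets(creds: list, now: datetime,
                         max_lifetime_days: int = 180, warn_days: int = 30) -> list:
    """Return findings for a passwordCredentials list; empty means nothing to do."""
    findings = []
    active = 0
    for cred in creds:
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        if end <= now:
            findings.append(f"{name}: expired on {end.date()}; delete it")
            continue
        active += 1
        lifetime = (end - start).days
        if lifetime > max_lifetime_days:
            findings.append(f"{name}: lifetime of {lifetime} days exceeds {max_lifetime_days}; recreate with a shorter expiry")
        remaining = (end - now).days
        if remaining <= warn_days:
            findings.append(f"{name}: expires in {remaining} days; rotate and update the Credential Vault entry")
    if active > 1:
        findings.append(f"{active} active secrets; more than one is expected only during a rotation window")
    return findings


# Constructed sample: one expired secret, one two-year secret, one short secret nearing expiry.
SAMPLE_CREDS = [
    {"displayName": "cloud-discovery-2024", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    {"displayName": "cloud-discovery-2025", "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2027-01-01T00:00:00Z"},
    {"displayName": "cloud-discovery-rotation", "startDateTime": "2025-05-15T00:00:00Z", "endDateTime": "2025-06-20T00:00:00Z"},
]

if __name__ == "__main__":
    for finding in audit_client_secrets(SAMPLE_CREDS, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```

The same `passwordCredentials` shape is what `az ad app credential list` prints, so the function can be pointed at that output directly.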
Create credentials in Commvault Credential Vault
To create credentials in the Credential Vault, see Adding a Credential to a Built-in Credential Vault.
Use the following custom values:

| Field | Value / Description |
|---|---|
| Account type | Cloud Account |
| Vendor type | Microsoft Azure |
| Authentication type | App Registration (Secret) |
| Credential name | Azure Multi Tenant App Cloud Discovery |
| Application ID | The application (client) ID of the registered application. |
| Tenant ID | The tenant ID in which the application is registered. |
| Application secret | The client secret value recorded when the secret was created. |
| Description | This is the Azure multi-tenant credential for cloud discovery. |