Setting Up an Application and Tenant for Azure Resource Manager

To protect Azure resources with the Commvault software, you must register a new application and tenant for the Azure Resource Manager.

An application is a specific cloud service that is associated with your Azure account. A tenant is a client or an organization that manages an instance of the cloud service. The application and tenant are associated with your subscription through Azure Active Directory, which provides identity and access management for the Azure cloud.

Required Roles and Permissions

To complete the steps on this page, you must have the following roles and permissions, at a minimum:

  • Either the User Access Administrator role or the Role Based Access Control Administrator role

  • Create Custom Roles

  • Configure role assignment on your subscription

Register a New Application

  1. Log on to the public Azure portal with service administrator credentials.

    • Accounts in any organizational directory and personal Microsoft accounts
  2. To specify a redirect URI, in Redirect URI, enter https://app_name (the URL, including the application name that you specify).

    For example, enter MyWebApp and https://MyWebApp.

  3. Click Register.

    The application is listed on the App Registration tab.

  4. Record the application ID.

  5. On the the Certificates & secrets blade, click New client secret, and then enter a description and expiration date for the secret key.

  6. Click Save.

    A unique secret key is generated for the application.


    Save the secret key value, which will be your application secret. After you leave the Certificate & secrets tab/blade, you cannot retrieve the value.

  7. From the All services menu, click the Subscriptions tab, and then select the subscription ID.

Create a Custom Role That Has Limited Permissions (Optional)

You can create a custom role that has more limited permissions than the pre-defined Contributor role, either for a specific resource group or for the entire subscription.

  1. Download the JSON for the workload that you want to protect:

  2. In the JSON file, after ""assignableScopes", change the subscription ID placeholder value to your subscription ID.

  3. Create the custom role, using either the Azure portal or Azure CLI:

    • On the Azure portal, do the following:

      1. On the Access Control (IAM) tab, click Add, and then select Add role assignment.

        The Add role assignment pane appears.

      2. From the Role list, select the custom role.

      3. From the Assign access to list, select User, group, or service principal.

      4. In the Select box, enter the application name, and then select the application for protecting your Azure VMs.

      5. Click Save.

    • In the Azure CLI, do the following:

      1. Create the custom role:

        az role definition create --role-definition .\CVBackupRole.json
      2. Configure access to Azure resources:

        az ad sp create-for-rbac -n CVAzureApp --scopes /subscriptions/${Azure_subscription_ID}  --role CVBackupRole --output json --only-show-errors

Configure an Azure IAM App Using Azure CLI Using Pre-Defined Roles (Optional)

az ad sp create-for-rbac -n CVAzureApp --scopes /subscriptions/${<<Your Subscription ID>>}  --role “Contributor” --output json --only-show-errors
az ad sp create-for-rbac -n CVAzureApp --scopes /subscriptions/${<<Your Subscription ID>>}  --role “Storage Blob Data Contributor” --output json --only-show-errors

Assign the Role

  1. In the Azure portal, on the Access Control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  2. Click Save.

  3. To obtain the tenant ID (which is also the directory ID) from the public Azure cloud, go to Azure Active Directory > Properties > Directory.