The Azure AD application is the connection Commvault Cloud uses to access data in your Azure AD tenant. Use the custom configuration option if you want to create and configure the Azure AD application yourself. The custom configuration option also allows you to assign the least privileges necessary to the application for backups so that elevated privileges required to restore data are only provided on an as needed basis.
Important
For Azure Active Directory, you must follow the best practices below to enhance security.
- Users must create a Microsoft Conditional Access Policy to limit app access. Please refer to KB article 87661.
- Users must rotate the client secret at least every 90 days in the Azure portal, update the new client secret value in the Command Center, and then delete the previous client secret from the Azure portal so that only one secret remains valid.
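The rotation rule above is easy to state and easy to let slip, so the following script checks it. It is an added example, not Commvault or Microsoft code: it consumes the passwordCredentials array that Microsoft Graph returns for an application object (GET /applications/{id}?$select=displayName,passwordCredentials) and reports secrets older than 90 days, secrets whose validity period outlives the rotation window, and leftover secrets that were never deleted after a rotation. SAMPLE_APP is a constructed response with made-up names, keyIds and dates, and AS_OF is pinned, so the script runs offline; point it at a real Graph response to audit a tenant.

```python
"""Audit an Entra app registration's client secrets against the 90-day
rotation rule above.  Added example, not Commvault or Microsoft code."""
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(days=90)
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed "now" so runs are repeatable

# CONSTRUCTED sample in the shape Graph returns: one stale two-year secret
# that was never deleted after rotation, and one fresh 90-day secret.
SAMPLE_APP = {
    "displayName": "Contoso_AZUREAD_APP1",
    "passwordCredentials": [
        {"displayName": "2024-q1", "keyId": "00000000-0000-0000-0000-000000000001",
         "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2026-01-10T09:00:00Z"},
        {"displayName": "2024-q2", "keyId": "00000000-0000-0000-0000-000000000002",
         "startDateTime": "2024-04-05T09:00:00Z", "endDateTime": "2024-07-04T09:00:00Z"},
    ],
}


def _ts(value):
    """Parse Graph's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(app, now=AS_OF, window=ROTATION_WINDOW):
    """Return findings as dicts {secret, issue}.  Issues raised:
    - expired-rotation-window: secret was created more than `window` ago
    - lifetime-exceeds-window: validity period is longer than `window`, so the
      secret silently outlives the schedule if nobody rotates it
    - multiple-live-secrets: the previous secret was not deleted after rotation
    - no-live-secret: every secret has expired, so backups cannot authenticate
    """
    findings = []
    creds = app.get("passwordCredentials", [])
    live = [c for c in creds if _ts(c["endDateTime"]) > now]
    if not live:
        findings.append({"secret": "*", "issue": "no-live-secret"})
    elif len(live) > 1:
        findings.append({"secret": "*", "issue": "multiple-live-secrets"})
    for c in live:
        name = c.get("displayName") or c["keyId"]
        if now - _ts(c["startDateTime"]) > window:
            findings.append({"secret": name, "issue": "expired-rotation-window"})
        if _ts(c["endDateTime"]) - _ts(c["startDateTime"]) > window:
            findings.append({"secret": name, "issue": "lifetime-exceeds-window"})
    return findings


if __name__ == "__main__":
    for f in audit_secrets(SAMPLE_APP):
        print(f"{SAMPLE_APP['displayName']}: {f['secret']}: {f['issue']}")
```

The lifetime check matters as much as the age check: a secret created with a two-year validity passes the "rotate every 90 days" rule only while someone remembers to rotate it, whereas a secret created with a 90-day validity fails closed when forgotten.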
Log On to the Azure Portal as the Global Administrator
- Log on to the Azure portal using your global administrator account.
- Go to Azure Active Directory (now Microsoft Entra ID).
Create the App Registration
- In the navigation pane, click App registrations.
  The App registrations page appears.
- Click New registration.
  The Register an application screen appears.
- In the Name box, type a name for the app.
- Under Supported account types, select Accounts in this organizational directory only (tenant_prefix - Single tenant).
- Click Register.
- Copy and paste the following values in a file or other document that you can access later:
  - Application (client) ID
  - Directory (tenant) ID
  You will enter these values in the Commvault Cloud software when you create the Azure AD app.
- From the left navigation pane, click Certificates & secrets.
- Click New client secret.
- Enter a description of the secret, and then click Add.
- Copy the client secret value shown on the page. The value is displayed only once, immediately after creation, and you will enter it when you create the Azure AD app. Keep it in a secret store rather than in the same file as the IDs above.
Assign Backup and Restore Permissions to the App
If you create and configure the Azure AD application yourself and want the app to hold all permissions required to both back up and restore objects in Azure AD, configure it with the permissions below. Note that this set gives the app standing write access across the directory (for example Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, and UserAuthenticationMethod.ReadWrite.All). If that is more than your policy allows, use the least-privilege configuration in the next section instead, which holds write permissions only for the duration of a restore.
- In the navigation pane, click API permissions.
- Click Add a permission.
  The Request API permissions page appears.
- Click Microsoft Graph and complete the following steps:
  - Click Application Permissions.
  - Select the following permissions:

    Category | Permission | Description
    AdministrativeUnit | AdministrativeUnit.ReadWrite.All | Read and write all administrative units
    Application | Application.ReadWrite.All | Read and write all applications
    AppRoleAssignment | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments
    AuditLog | AuditLog.Read.All | Read all audit log data
    DelegatedPermissionGrant | DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants
    Device | Device.ReadWrite.All | Read and write devices
    Directory | Directory.ReadWrite.All | Read and write directory data
    Domain | Domain.ReadWrite.All | Read and write domains
    Group | Group.ReadWrite.All | Read and write all groups
    Policy | Policy.Read.All | Read your organization's policies
    Policy | Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies
    RoleManagement | RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings
    User | User.ReadWrite.All | Read and write all users' full profiles
    UserAuthenticationMethod | UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods

  - Click Add permissions.
- Click Microsoft Graph again and complete the following steps:
  - Click Delegated Permissions.
  - Select the following permissions:

    Category | Permission | Description
    Directory | Directory.AccessAsUser.All | Access directory as the signed in user
    RoleEligibilitySchedule | RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments and schedules in your company's directory

  - Click Add permissions.
  For more information regarding permissions, see Microsoft Permissions.
- Return to the API permissions page of the app and click Grant admin consent for tenant_name. Application permissions do not take effect until an administrator grants consent; if you add or change permissions later, grant consent again.
Assign Least Privileges for Backups to the App
If you want to implement a least-privileges approach, assign the app only the permissions necessary to read object information from the Azure AD tenant and create backups. With this approach, each time a restore job is submitted you must temporarily assign the elevated (Write) permissions to the app and acquire a delegated access token. The delegated access token is requested only for the restore job and is not retained after the restore completes, and the Write permissions temporarily assigned to the app can be removed again once the restore has completed. Note that AppRoleAssignment.ReadWrite.All, which lets the app manage app role assignments, is the one Write permission retained in the list below; review it with the same scrutiny as the permissions in the full set, and verify after each restore that no other Write permission remains granted.
Note
If you assign only the Read permissions below, backup job logs may contain a warning that Write privileges are not present. This warning is informational only and can be safely ignored.
- In the navigation pane, click API permissions.
- Click Add a permission.
  The Request API permissions page appears.
- Click Microsoft Graph and complete the following steps:
  - Click Application Permissions.
  - Select the following permissions:

    Category | Permission | Description
    AdministrativeUnit | AdministrativeUnit.Read.All | Read all administrative units
    Application | Application.Read.All | Read all applications
    AppRoleAssignment | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments
    AuditLog | AuditLog.Read.All | Read all audit log data
    DelegatedPermissionGrant | DelegatedPermissionGrant.Read.All | Read all delegated permission grants
    Device | Device.Read.All | Read devices
    Directory | Directory.Read.All | Read directory data
    Domain | Domain.Read.All | Read domains
    Group | Group.Read.All | Read all groups
    Policy | Policy.Read.All | Read your organization's policies
    Policy | Policy.Read.ConditionalAccess | Read your organization's conditional access policies
    RoleManagement | RoleManagement.Read.Directory | Read all directory RBAC settings
    User | User.Read.All | Read all users' full profiles
    UserAuthenticationMethod | UserAuthenticationMethod.Read.All | Read all users' authentication methods

  - Click Add permissions.
- Click Microsoft Graph again and complete the following steps:
  - Click Delegated Permissions.
  - Select the following permission:

    Category | Permission | Description
    Directory | Directory.AccessAsUser.All | Access directory as the signed in user

  - Click Add permissions.
  For more information regarding permissions, see Microsoft Permissions.
- Return to the API permissions page of the app and click Grant admin consent for tenant_name. Application permissions do not take effect until an administrator grants consent; if you add or change permissions later, grant consent again.
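The two permission tables above are usually entered by clicking through the portal, which is where typos and drift creep in. The script below is an added example, not Commvault or Microsoft code, that serves both the full-permission section and the least-privilege section: it builds the requiredResourceAccess fragment that Microsoft Graph expects on an application object for either profile, and it compares the app roles actually granted to the service principal with the backup-only baseline so that elevated permissions left behind after a restore show up. Graph permission IDs are deliberately not hardcoded; they are resolved from the Microsoft Graph service principal's appRoles and oauth2PermissionScopes (GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'). GRAPH_SP is a constructed stand-in for that object with made-up GUIDs so the script runs offline; with the real service principal JSON the output is a usable manifest fragment.

```python
"""Build the requiredResourceAccess fragment for the Commvault app registration
and detect permission drift from the backup-only baseline.
Added example, not Commvault or Microsoft code."""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, well-known fixed appId

# Application permissions for full backup and restore (first table above).
FULL_APP_PERMS = [
    "AdministrativeUnit.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "DelegatedPermissionGrant.ReadWrite.All", "Device.ReadWrite.All",
    "Directory.ReadWrite.All", "Domain.ReadWrite.All", "Group.ReadWrite.All",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
]
FULL_DELEGATED_PERMS = ["Directory.AccessAsUser.All",
                        "RoleEligibilitySchedule.ReadWrite.Directory"]

# Least-privilege application permissions for backups only (second table above).
BACKUP_APP_PERMS = [
    "AdministrativeUnit.Read.All", "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "DelegatedPermissionGrant.Read.All", "Device.Read.All",
    "Directory.Read.All", "Domain.Read.All", "Group.Read.All",
    "Policy.Read.All", "Policy.Read.ConditionalAccess",
    "RoleManagement.Read.Directory", "User.Read.All",
    "UserAuthenticationMethod.Read.All",
]
BACKUP_DELEGATED_PERMS = ["Directory.AccessAsUser.All"]

# CONSTRUCTED stand-in for the Microsoft Graph service principal.  Real objects
# carry the same "value"/"id" fields; only the GUIDs here are placeholders.
_ALL_ROLES = sorted(set(FULL_APP_PERMS) | set(BACKUP_APP_PERMS))
_ALL_SCOPES = sorted(set(FULL_DELEGATED_PERMS) | set(BACKUP_DELEGATED_PERMS))
GRAPH_SP = {
    "appId": GRAPH_APP_ID,
    "appRoles": [{"value": v, "id": f"aaaaaaaa-0000-0000-0000-{i:012d}"}
                 for i, v in enumerate(_ALL_ROLES)],
    "oauth2PermissionScopes": [{"value": v, "id": f"bbbbbbbb-0000-0000-0000-{i:012d}"}
                               for i, v in enumerate(_ALL_SCOPES)],
}


def build_required_resource_access(graph_sp, app_perms, delegated_perms):
    """Return one requiredResourceAccess entry (the structure Graph expects in
    PATCH /applications/{id}) for the given permission names.  Application
    permissions map to appRoles (type "Role"), delegated ones to
    oauth2PermissionScopes (type "Scope").  Unknown names raise instead of
    being dropped silently, which would leave the app under-permissioned."""
    roles = {r["value"]: r["id"] for r in graph_sp["appRoles"]}
    scopes = {s["value"]: s["id"] for s in graph_sp["oauth2PermissionScopes"]}
    access = []
    for name in app_perms:
        if name not in roles:
            raise KeyError(f"unknown Graph application permission: {name}")
        access.append({"id": roles[name], "type": "Role"})
    for name in delegated_perms:
        if name not in scopes:
            raise KeyError(f"unknown Graph delegated permission: {name}")
        access.append({"id": scopes[name], "type": "Scope"})
    return {"resourceAppId": graph_sp["appId"], "resourceAccess": access}


def write_permissions(perms):
    """Permission names that grant write access (any *.ReadWrite.* name)."""
    return sorted(p for p in perms if "Write" in p)


def permission_drift(granted_app_perms, baseline=BACKUP_APP_PERMS):
    """Compare the app roles actually granted to the Commvault service principal
    (its appRoleAssignments, resolved to names via the Graph appRoles table)
    with the backup baseline.  Returns (extra, missing): anything in `extra`
    is elevated access that should exist only while a restore is running."""
    granted, base = set(granted_app_perms), set(baseline)
    return sorted(granted - base), sorted(base - granted)


if __name__ == "__main__":
    manifest = build_required_resource_access(GRAPH_SP, BACKUP_APP_PERMS, BACKUP_DELEGATED_PERMS)
    print(json.dumps(manifest, indent=2))
    # After a restore the app should be back at baseline; simulate a forgotten cleanup.
    extra, missing = permission_drift(FULL_APP_PERMS)
    print("elevated permissions still granted:", write_permissions(extra))
    print("write permission kept in the baseline itself:", write_permissions(BACKUP_APP_PERMS))
```

Run permission_drift against the names resolved from the service principal's appRoleAssignments after every restore; an empty `extra` list is the condition you want before the elevated token and permissions are considered gone. write_permissions(BACKUP_APP_PERMS) returns only AppRoleAssignment.ReadWrite.All, which is the one standing write permission the least-privilege profile still carries.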
Add an App in Commvault Cloud
- From the Command Center navigation pane, go to Protect > Active Directory.
  The Overview page appears.
- On the Apps tab, in the upper-right area of the page, click Add, and then click Azure AD.
  The Create Azure AD App page appears.
- From the Storage region list, select the storage region where the company is located.
- Click Next.
  The Application page appears.
- Select Custom configuration (Advanced).
- In the Azure app area, select an existing credential from the list or add a new credential.
  Steps to add a new credential
  - Click the + icon.
    The Add Credential dialog box appears. The Account type, Vendor type, Authentication Type, Credential Vault, and Environment fields are auto-populated.
  - Enter the following details and then click Save.
    - Credential name: Provide a name for the credential in the Companyname_AZUREAD_APP1 format.
    - Application ID: Enter the Application (client) ID that you copied from the app registration.
    - Tenant ID: Enter the Directory (tenant) ID.
    - Application secret: Enter the client secret value.
    - Show endpoints: Click the toggle to edit the Authentication endpoint, Storage endpoint, and Resource Management endpoint.
    - Description: Enter a description for the credential.
  Note
  You can also download the toolkit for Custom configuration from this page if you have not already configured the Azure app manually. The CVAzureADCustomConfigHelper.exe file from the toolkit helps you create the app and copy the app information requested above.
- Select the checkbox labeled The Azure app is authorized from the Azure portal with all the required permissions. Select it only after you have granted admin consent in the Azure portal, as described above.
- Click Create.
  The Summary page appears.
- Review the details, and then click Close.