Managed identities are a more secure authentication method for Azure cloud services: only authorized managed-identity-enabled virtual machines can access your Azure subscription. Creating an Azure client is also simpler, because you need only the Subscription ID, not the Tenant ID, the Application ID, or the Application Password.
Note: You can convert clients that were created using the traditional method to managed-identity-enabled clients.
Before You Begin
Verify that your environment meets the following requirements:
User: You must have Service Administrator role privileges.
Permissions: To back up Azure VMs that have been encrypted using Azure Key Vault, you need to provide the required permissions. For more information, see Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.
Hardware: The VSA proxies that you want to enable managed identities for must be virtual machines in the Azure cloud. You can associate these virtual machines with different subscriptions. However, you (as the Admin) must have access to all of the subscriptions for these VSA proxies.
Operating system: You can use Windows and Linux machines as Azure proxies.
Collect the following information for your Azure account:
The Subscription ID
User credentials that have Service Administrator capabilities
Procedure
1. Log on to the Azure portal (http://portal.azure.com).
2. In the left navigation pane, click Virtual machines.
3. From the list of virtual machines, search for the virtual machine that has the virtual server agent (VSA) installed.
4. When you find the virtual machine that you want to enable with a managed identity, record its Subscription and Resource Group.
5. Click the virtual machine name.
   The Virtual machine blade appears.
6. Click the Identity tab.
   The Identity pane appears with the System assigned tab active.
7. To register the virtual machine with Azure Active Directory, which enables managed identity authentication for the VM, click On, and then click Save.
8. To enable managed identity for additional virtual machines, repeat steps 2-7.
9. In the left navigation pane, click Subscriptions.
10. For each subscription that contains managed identity-enabled virtual machines, click that subscription in the list of subscriptions, and then complete the steps that follow.
    The Subscriptions blade appears.
11. On the Access control (IAM) tab, click Add, and then select Add role assignment.
    The Add role assignment pane appears.
12. On the Role tab, complete the following:
    - If you do not want to restrict access, select Contributor.
    - If you do want to restrict access, assign a customized role (CVBackupRole.json).
      - For MySQL and PostgreSQL databases on Azure, use CvMySQLPostGreSQLCustomRole.json.
      - For a SQL database on Azure, use CvAzureSQLCustomRole.json.
13. On the Members tab, complete the following:
    a. For Assign access to, select Managed Identity.
    b. Click Select members.
    c. In the Select managed identities pane, enter the following information:
       Subscription: Select the subscription for the managed identity-enabled virtual machines.
       Managed identity: Select Virtual machine from the drop-down list.
       Select: Select the managed identity-enabled virtual machines to which you want to assign the specified role.
14. On the Review + assign tab, verify that all the managed identity-enabled virtual machines are selected as members of the subscription.
15. If you are configuring a Linux proxy, you must add another role assignment, and select Storage Blob Data Contributor as the role.
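As an added post-configuration check (not part of the original documentation or the product), the following Python script validates the outcome of the procedure above from the JSON that `az vm identity show` and `az role assignment list --scope /subscriptions/<id>` return: it confirms that each proxy has a system-assigned identity, that the identity holds Contributor or one of the custom roles at subscription scope, and that a Linux proxy also holds Storage Blob Data Contributor. The principal IDs, subscription ID, role-assignment records and the custom role names are constructed or assumed here.

```python
"""Post-configuration check for managed-identity-enabled VSA proxies (constructed sample data).
identity: JSON from `az vm identity show -g <rg> -n <vm>`;
assignments: JSON list from `az role assignment list --scope /subscriptions/<id>`."""
import json

# Roles the procedure accepts at subscription scope. The custom role names are
# assumed to match the file names (CVBackupRole.json etc.); adjust if they differ.
BACKUP_ROLES = {"Contributor", "CVBackupRole",
                "CvMySQLPostGreSQLCustomRole", "CvAzureSQLCustomRole"}
LINUX_EXTRA_ROLE = "Storage Blob Data Contributor"


def check_proxy(identity, assignments, subscription_id, is_linux):
    """Return a list of problems; an empty list means the proxy is ready."""
    if ("SystemAssigned" not in (identity.get("type") or "")
            or not identity.get("principalId")):
        return ["system-assigned managed identity is not enabled"]
    scope = f"/subscriptions/{subscription_id}"
    # Only assignments to this VM's identity at subscription scope count; an
    # assignment scoped to one resource group does not cover the subscription.
    roles = {a["roleDefinitionName"] for a in assignments
             if a["principalId"] == identity["principalId"]
             and a["principalType"] == "ServicePrincipal"
             and a["scope"].lower() == scope.lower()}
    problems = []
    if not roles & BACKUP_ROLES:
        problems.append(f"no backup role (Contributor or custom) at {scope}")
    if is_linux and LINUX_EXTRA_ROLE not in roles:
        problems.append(f"Linux proxy lacks {LINUX_EXTRA_ROLE} at {scope}")
    return problems


SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
PROXIES = {  # constructed `az vm identity show` output per proxy VM
    "vsa-win-01": {"principalId": "pid-win", "type": "SystemAssigned"},
    "vsa-lin-01": {"principalId": "pid-lin", "type": "SystemAssigned"},
}
ASSIGNMENTS = json.loads("""[
 {"principalId": "pid-win", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalId": "pid-lin", "principalType": "ServicePrincipal",
  "roleDefinitionName": "CVBackupRole", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalId": "pid-lin", "principalType": "ServicePrincipal", "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vsa"}
]""")

if __name__ == "__main__":
    for name, ident in PROXIES.items():
        print(name, check_proxy(ident, ASSIGNMENTS, SUBSCRIPTION, name.startswith("vsa-lin")) or "OK")
```

In the sample data the Linux proxy's Storage Blob Data Contributor assignment was made at resource-group scope rather than on the subscription, so the check reports it as missing.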