VM Owner Detection for Azure

Updated

Virtual machine owners can be assigned automatically during virtual machine discovery, based on privileges and roles defined in the Azure portal. When you enable this feature in the Command Center, users and user groups who have the correct permissions defined in the Azure portal and also defined in Commvault are automatically assigned as VM owners for the virtual machine. During discovery, the user or user group accounts from Commvault and the Azure portal are matched by their designated e-mail accounts.

This feature enables administrators and end users to access virtual machine data without requiring that they be manually assigned as VM owners. Depending on the permissions and roles that users have in the Azure portal, they can view virtual machine data or recover VM data. Any user with Remove VM, VM Power On, and VM Power Off permissions for a virtual machine is assigned as an owner of that VM during VM discovery.

Owner IDs are assigned during discovery only for streaming and IntelliSnap backups, and are not modified by backup copy or auxiliary copy operations.

Note: When you enable this feature, the VM discovery operation time might increase.

Requirements

For Commvault

  • Users or user groups defined in the Azure portal must also be defined in Commvault, either through a local user definition or a Domains user definition (such as an Active Directory user or group).

  • Assign permissions for VM owners as described in Assigning Permissions to Owners.

For Azure

  • Users must have a predefined role assigned to indicate that the user has access to the virtual machine. By default, the Owner or Contributor roles are considered VM owners.

  • Azure AD applications used for Commvault authentication must have the following API permission assigned:

    Type: Application

    Permission: Microsoft Graph.Directory.Read.All

    Note: This requires Admin consent.

  • For Azure MSI, there is no option for adding permissions in the Azure portal. An Azure AD admin must add the API permission using the following PowerShell command:

    Connect-AzureAD$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"$DirectoryReadPermission = $graph.AppRoles `    | where Value -Like "Directory.Read.All" `    | Select-Object -First 1# Use the Object Id as shown in the image above$msi = Get-AzureADServicePrincipal -ObjectId <MSI Object Id>New-AzureADServiceAppRoleAssignment `    -Id $DirectoryReadPermission.Id `    -ObjectId $msi.ObjectId `    -PrincipalId $msi.ObjectId `    -ResourceId $graph.ObjectId

Procedure

To enable this feature, go to Editing VM Group Settings for Azure.