Virtual machine owners can be assigned automatically during virtual machine discovery, based on privileges and roles defined in the Azure portal. To enable VM owner detection, see Updating an Azure VM Group.
When you enable owner detection, users and user groups who have the correct permissions defined in the Azure portal and also defined in Commvault are automatically assigned as VM owners for the virtual machine. During discovery, the user or user group accounts from Commvault and the Azure portal are matched by their designated e-mail accounts.
VM owner detection enables administrators and end users to access virtual machine data without requiring that they be manually assigned as VM owners. Depending on the permissions and roles that users have in the Azure portal, they can view virtual machine data or recover VM data. Any user with Remove VM, VM Power On, and VM Power Off permissions for a virtual machine is assigned as an owner of that VM during VM discovery.
Owner IDs are assigned during discovery only for streaming and IntelliSnap backups, and are not modified by backup copy or auxiliary copy operations.
Note
When you enable VM owner detection, the VM discovery operation time might increase.
Requirements for Commvault
- Users or user groups defined in the Azure portal must also be defined in Commvault, either through a local user definition or a Domains user definition (such as an Active Directory user or group).
- Assign permissions for VM owners as described in Assigning Permissions to Owners.
Requirements for Azure
- Users must have a predefined role assigned to indicate that the user has access to the virtual machine. By default, the Owner or Contributor roles are considered VM owners.
- Azure AD applications used for Commvault authentication must have the following API permission assigned:
  Type: Application
  Permission: Microsoft Graph Directory.Read.All
Note
This requires Admin consent.
- For Azure MSI, there is no option for adding permissions in the Azure portal. An Azure AD admin must add the API permission using the following PowerShell command:
```powershell
Connect-AzureAD

# Service principal of Microsoft Graph (well-known application id)
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Directory.Read.All application role exposed by Microsoft Graph
$DirectoryReadPermission = $graph.AppRoles `
    | where Value -Like "Directory.Read.All" | Select-Object -First 1

# Use the Object Id of the managed identity's service principal, as shown in the image above
$msi = Get-AzureADServicePrincipal -ObjectId <MSI Object Id>

# Grant the application role to the managed identity
New-AzureADServiceAppRoleAssignment `
    -Id $DirectoryReadPermission.Id `
    -ObjectId $msi.ObjectId `
    -PrincipalId $msi.ObjectId `
    -ResourceId $graph.ObjectId
```
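The following script is an added example and is not part of the Commvault documentation or its command above. It performs the same grant with the Microsoft Graph PowerShell SDK (the successor to the now-retired AzureAD module), but does so idempotently and then lists every Microsoft Graph application role the managed identity holds, so an administrator can confirm that only Directory.Read.All was granted and nothing broader. It assumes the Microsoft.Graph module is installed and that the caller can consent to application permissions; `$MsiObjectId` is a placeholder for the managed identity's service principal Object Id.

```powershell
# Added example (not from the Commvault page): idempotent grant of the Microsoft Graph
# Directory.Read.All application role to a managed identity, plus a review listing.
# Assumes the Microsoft.Graph PowerShell SDK; $MsiObjectId is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiObjectId   # Object Id of the managed identity's service principal
)

# Scopes needed to read service principals and create app role assignments
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" | Out-Null

# Microsoft Graph's well-known application id (same value the page's command uses)
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$msi   = Get-MgServicePrincipal -ServicePrincipalId $MsiObjectId

# Match the role value exactly rather than with a wildcard, so a similarly named role
# (for example Directory.ReadWrite.All) can never be selected by accident.
$role = $graph.AppRoles | Where-Object { $_.Value -eq 'Directory.Read.All' } | Select-Object -First 1
if (-not $role) { throw "Directory.Read.All app role not found on the Microsoft Graph service principal" }

# Assignments already held by this identity (as principal); skip the grant if present.
$held = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All
$already = $held | Where-Object { $_.ResourceId -eq $graph.Id -and $_.AppRoleId -eq $role.Id }

if ($already) {
    Write-Host "Directory.Read.All is already assigned to $($msi.DisplayName); nothing to do."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned Directory.Read.All to $($msi.DisplayName)."
    $held = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id -All
}

# Review step: map every Graph app role id held by the identity back to its name so the
# operator can verify the identity holds only the permission this integration requires.
$roleNames = @{}
foreach ($r in $graph.AppRoles) { $roleNames[$r.Id] = $r.Value }

$held |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Identity = $msi.DisplayName
            Resource = $_.ResourceDisplayName
            AppRole  = $roleNames[$_.AppRoleId]
        }
    } | Format-Table -AutoSize
```

Run it as `.\Grant-GraphDirectoryRead.ps1 -MsiObjectId <MSI Object Id>` (the script name is arbitrary). The final table should show a single Microsoft Graph row with AppRole `Directory.Read.All`; any additional rows are permissions the identity does not need for VM owner detection and are worth reviewing.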