Use the Custom Configuration to Add Azure Apps

The Azure Active Directory application is the identity that Commvault uses to access data in your Azure AD tenant. Express configuration, which uses the Commvault-hosted multi-tenant apps, is the recommended option. If you do not want to use those apps, use the custom configuration option and register your own app.

Before using the custom configuration, you must register an app for Azure Active Directory in your Azure AD tenant. You can either perform the app registration manually in the Azure portal or use the configuration helper tool to automate the app registration. However, if multi-factor authentication is enabled for your global administrator account, you must create the Azure Active Directory application manually.

Log On to the Azure Portal as the Global Administrator

  1. Log on to the Azure portal using your global administrator account.

  2. Go to Azure Active Directory (now Microsoft Entra ID).

Create the App Registration

  1. In the navigation pane, click App registrations.

    The App registrations page appears.

  2. Click New registration.

    The Register an application screen appears.

    Important

    You must create a Microsoft Conditional Access Policy to limit app access. For more information, see Create a Conditional Access Policy for Azure Active Directory Apps.

  3. In the Name box, type a name for the app.

  4. Under Supported account types, select Accounts in this organizational directory only (tenant_name only - Single tenant).

  5. Click Register.

  6. Copy and paste the following values in a file or other document that you can access later:

    • Application (client) ID

    • Directory (tenant) ID

    You will enter these values in the Commvault Cloud software when you create the Azure AD app.

  7. From the left navigation pane, click Certificates & secrets.

  8. Click New client secret.

  9. Enter a description of the secret, select an expiry period, and then click Add.

  10. Copy the client secret value shown on the page; it is displayed only once, immediately after creation, and you will also enter it when you create the Azure AD app. Record the expiry date as well: Commvault can no longer authenticate after the secret expires, so a new secret must be created and entered in the credential before that date.
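The same registration, done from PowerShell with the Microsoft Graph PowerShell SDK, as an added example that is not Commvault's configuration helper or any code from the original page. It creates the single-tenant app, its service principal (required before API permissions can be consented to) and a client secret with an explicit lifetime, and returns the three values the Commvault credential needs. The display names and the 12-month secret lifetime are assumptions; adjust them to your naming and rotation policy.

```powershell
# Added example (not Commvault's tooling): register the single-tenant Azure AD app
# and create a client secret with the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Run as a Global Administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# "AzureADMyOrg" is the single-tenant audience selected in step 4 of the portal procedure.
# The display name is an assumption; use your own naming convention.
$app = New-MgApplication -DisplayName "Commvault-AzureAD-Backup" -SignInAudience "AzureADMyOrg"

# The service principal is the tenant-local identity of the app; admin consent for
# API permissions is recorded against it, so create it now.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Client secret with a deliberate expiry (12 months is an assumption). The SecretText
# value is returned only by this call and cannot be read back later.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "commvault-credential"
    EndDateTime = (Get-Date).AddMonths(12)
}

# The three values entered in the Commvault credential (Application ID, Tenant ID,
# Application secret), plus the expiry to put in your rotation calendar.
$commvaultCredential = [pscustomobject]@{
    ApplicationId = $app.AppId
    TenantId      = (Get-MgContext).TenantId
    Secret        = $cred.SecretText
    SecretExpires = $cred.EndDateTime
}
$commvaultCredential | Select-Object ApplicationId, TenantId, SecretExpires   # never echo the secret to a log
```

Store `$commvaultCredential.Secret` in your credential vault and clear the variable afterwards; the Conditional Access policy and API permissions the following sections describe still have to be applied to `$app` before Commvault can use it.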

Assign Backup and Restore Permissions to the App

If you want to create and configure the Azure AD application yourself and want the app to have all permissions required to back up and restore objects in Azure AD, configure the app with the backup and restore permissions listed on the Microsoft Permissions page.

  1. In the navigation pane, click API permissions.

  2. Click Add a permission.

    The Request API permissions page appears.

  3. Click Microsoft Graph and complete the following steps:

    1. Click Application Permissions.

    2. Select the application permissions for backup and restore.

    3. Click Add permissions.

  4. Click Microsoft Graph again and complete the following steps:

    1. Click Delegated Permissions.

    2. Select the delegated permissions for backup and restore.

    3. Click Add permissions.

    For more information regarding permissions, see Microsoft Permissions.

  5. Close the Request API permissions pane to return to the app's API permissions page.

  6. On the API permissions page, click Grant admin consent for tenant_name, and confirm that the Status column shows Granted for every permission.

Assign Least Privileges for Backups to the App

If you want to implement a least privileges approach, you can assign the app only the permissions necessary to read object information from the Azure AD tenant and create backups. With this approach, each time a restore job is submitted you must temporarily assign elevated (Write) permissions to the app, and Commvault acquires a delegated access token for the restore. The delegated access token is requested only for the restore job and is not retained after the restore completes. The Write permissions temporarily assigned to the app can be removed again after the restore has completed.

Note

If you assign only the backup-only (Read) permissions, backup job logs may contain a warning that Write privileges are not present. This warning is informational only and can be safely ignored.

  1. In the navigation pane, click API permissions.

  2. Click Add a permission.

    The Request API permissions page appears.

  3. Click Microsoft Graph and complete the following steps:

    1. Click Application Permissions.

    2. Select the minimum application permissions for backup only.

    3. Click Add permissions.

  4. Click Microsoft Graph again and complete the following steps:

    1. Click Delegated Permissions.

    2. Select the minimum delegated permissions for backup only.

    3. Click Add permissions.

    For more information regarding permissions, see Microsoft Permissions.

  5. Close the Request API permissions pane to return to the app's API permissions page.

  6. On the API permissions page, click Grant admin consent for tenant_name, and confirm that the Status column shows Granted for every permission.

Note

If support for additional objects has been added since the Azure app was created using the custom configuration, the new permissions required to protect those objects are not added automatically. To ensure the Azure app has the permissions needed to protect all objects supported by Commvault, periodically review the permissions assigned to the app registration against the current lists on the Microsoft Permissions page, and confirm that admin consent has been granted for each of them.
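The permission work in the two procedures above (full backup and restore, and least-privilege backup with Write permissions granted only around a restore) and the review the note asks for, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not Commvault's configuration helper or code from the original page. It sets the app's Graph permissions to a declared list, grants tenant-wide admin consent for application and delegated permissions, revokes selected application permissions again, and reports which expected permissions lack consent. The permission names used at the bottom (`Directory.Read.All`, `Directory.ReadWrite.All`) are placeholders only; take the real lists from Commvault's Microsoft Permissions page.

```powershell
# Added example, not Commvault's own tooling: manage and audit the Microsoft Graph
# permissions of the custom Commvault app registration with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Permission names at the bottom are
# placeholders (assumption); use the lists from Commvault's Microsoft Permissions page.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All"

$GraphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph appId
$Graph      = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Permission names are display values; Azure AD stores GUIDs, so resolve them first.
function Resolve-GraphRole([string]$Name) {
    $r = $Graph.AppRoles | Where-Object { $_.Value -eq $Name -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $r) { throw "No Graph application permission named '$Name'" }
    $r
}
function Resolve-GraphScope([string]$Name) {
    $s = $Graph.Oauth2PermissionScopes | Where-Object { $_.Value -eq $Name }
    if (-not $s) { throw "No Graph delegated permission named '$Name'" }
    $s
}

# Declare the full desired Graph permission set on the app object (what the portal lists
# under API permissions) and grant tenant-wide admin consent for it. Pass the complete
# list each time: the Graph entry in RequiredResourceAccess is replaced, not appended.
function Set-GraphPermissions {
    param([string]$AppId, [string[]]$Roles, [string[]]$Scopes = @())
    $app = Get-MgApplication      -Filter "appId eq '$AppId'"
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $roleIds  = @($Roles  | ForEach-Object { (Resolve-GraphRole  $_).Id })
    $scopeIds = @($Scopes | ForEach-Object { (Resolve-GraphScope $_).Id })
    $access = @($roleIds  | ForEach-Object { @{ Id = $_; Type = "Role"  } }) +
              @($scopeIds | ForEach-Object { @{ Id = $_; Type = "Scope" } })
    $other  = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $GraphAppId })
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess (
        $other + @(@{ ResourceAppId = $GraphAppId; ResourceAccess = $access }))

    # Admin consent for application permissions = app role assignments on the app's SP.
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)
    foreach ($id in $roleIds) {
        if (-not ($granted | Where-Object { $_.AppRoleId -eq $id -and $_.ResourceId -eq $Graph.Id })) {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
                -ResourceId $Graph.Id -AppRoleId $id | Out-Null
        }
    }
    # Admin consent for delegated permissions = one OAuth2 permission grant for all principals.
    if ($Scopes.Count -gt 0) {
        $grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($Graph.Id)' and consentType eq 'AllPrincipals'"
        if ($grant) { Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($Scopes -join " ") }
        else { New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" -ResourceId $Graph.Id -Scope ($Scopes -join " ") | Out-Null }
    }
}

# Remove consent for specific application permissions, e.g. the Write permissions
# granted only for the duration of a restore in the least-privilege model above.
function Revoke-GraphRoles {
    param([string]$AppId, [string[]]$Roles)
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $ids = @($Roles | ForEach-Object { (Resolve-GraphRole $_).Id })
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $Graph.Id -and $ids -contains $_.AppRoleId } |
        ForEach-Object { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id }
}

# Audit: return the application permissions from $Roles that currently have no admin
# consent on this app. No output means the app matches the expected list.
function Test-GraphRoles {
    param([string]$AppId, [string[]]$Roles)
    $sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
                 Where-Object { $_.ResourceId -eq $Graph.Id } | ForEach-Object { $_.AppRoleId })
    $Roles | Where-Object { $granted -notcontains (Resolve-GraphRole $_).Id }
}

# Usage with placeholder permission names (assumption, not Commvault's required lists).
$commvaultAppId = "<Application (client) ID copied during registration>"
$backupRoles    = @("Directory.Read.All")          # placeholder for the backup-only list
$restoreRoles   = @("Directory.ReadWrite.All")     # placeholder for the extra restore (Write) list
Set-GraphPermissions -AppId $commvaultAppId -Roles $backupRoles -Scopes @("Directory.Read.All")
Test-GraphRoles -AppId $commvaultAppId -Roles $backupRoles               # expect no output
# Before a restore:  Set-GraphPermissions -AppId $commvaultAppId -Roles ($backupRoles + $restoreRoles)
# After it finishes: Revoke-GraphRoles -AppId $commvaultAppId -Roles $restoreRoles
#                    Set-GraphPermissions -AppId $commvaultAppId -Roles $backupRoles   # drops them from the manifest
```

Run `Test-GraphRoles` with the current Commvault permission list whenever a new software release adds supported object types; any name it prints is a permission that is listed but not consented, which is exactly the gap the note above warns about. `Revoke-GraphRoles` removes the consent immediately; tokens already issued to the app remain valid until they expire, so revoke as soon as the restore job reports completion rather than at the end of the day.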

Add an App for Azure Active Directory

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Active Directory.

    The Overview page appears.

  2. On the Apps tab, in the upper-right area of the page, click Add, and then click Azure AD.

  3. Click Next.

    The Region page of the Create Azure AD App wizard appears.

Region

  1. From the Storage region list, select the storage region where the company is located.

  2. Click Next.

    The Application page appears.

Application

  1. In the Name box, enter a name for the app.

  2. From the Cloud region list, select the region where the company is located.

  3. Select Custom configuration (Advanced).

  4. In the Azure app area, select an existing credential from the list or add a new credential.

    Steps to add a new credential
    1. Click the + icon.

      The Add Credential dialog box appears. The Account type, Vendor type, Authentication Type, Credential Vault, and Environment fields will be auto-populated.

    2. Enter the following details and then click Save.

      • Credential name: Provide a name for the credential in the Companyname_AZUREAD_APP1 format.

      • Application ID: Enter the Azure application ID.

      • Tenant ID: Enter the Azure tenant ID.

      • Application secret: Enter the Azure application secret.

      • Show endpoints: Click the toggle to edit the Authentication endpoint, Storage endpoint, and Resource Management endpoint.

      • Description: Enter the description for the credentials.

    Note

    You can also download the toolkit for Custom configuration from this page if you have not already configured the Azure app manually. The CVAzureADCustomConfigHelper.exe file from the toolkit will help you create the App and copy the app information requested above.

  5. Select the The Azure app is authorized from the Azure portal with all the required permissions checkbox.

    Important

    A Conditional Access Policy must be enabled for the selected or newly created Azure app. Without it, you won’t be able to add or create an Azure app. For more information, see Create a Conditional Access Policy for Azure Active Directory Apps.

  6. Select the The Azure app has been configured with the required conditional access policies checkbox.

  7. Click Create.

    The Summary page appears.

  8. Review the details, and then click Close.

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Active Directory.

    The Overview page appears.

  2. On the Apps tab, in the upper-right area of the page, click Add, and then click Azure AD.

  3. Click Next.

    The Backup plan page of the Create Azure AD App wizard appears.

Backup Plan

  1. Select an existing backup plan to back up the Azure AD server or create a new one.

  2. Click Next.

    The Infrastructure page appears.

Infrastructure

  1. From the Index server list, select the index server to use for the app.

  2. From the Access node list, select the access node to use for the app.

  3. Click Next.

    The Application Details page appears.

Application Details

  1. In the Name box, enter a name for the app.

  2. From the Azure AD cloud region list, select the region where the company is located.

  3. Select the Custom configuration (Advanced) option.

    You can download the toolkit for Custom configuration from this page if you have not already configured the Azure app manually.

  4. In the Azure app area, select an existing credential from the list or add a new credential.

    Steps to add a new credential
    1. Click the + icon.

      The Add Credential dialog box appears. The Account type, Vendor type, Authentication Type, Credential Vault, and Environment fields will be auto-populated.

    2. Enter the following details and then click Save.

      • Credential name: Provide a name for the credential in the Companyname_AZUREAD_APP1 format.

      • Application ID: Enter the Azure application ID.

      • Tenant ID: Enter the Azure tenant ID.

      • Application secret: Enter the Azure application secret.

      • Environment: Select the Azure cloud environment where your application or service is hosted.

      • Show endpoints: Move the toggle key to the right, and then provide the authentication, storage, and management endpoints.

      • Description: Enter the description for the credentials.

      Note

      You can also download the toolkit for Custom configuration from this page if you have not already configured the Azure app manually. The CVAzureADCustomConfigHelper.exe file from the toolkit will help you create the App and copy the app information requested above.

    Important

    A Conditional Access Policy must be enabled for the selected or newly created Azure app. Without it, you won’t be able to add or create an Azure app. For more information, see Create a Conditional Access Policy for Azure Active Directory Apps.

  5. Select the The Azure app is authorized from the Azure portal with all the required permissions checkbox.

  6. Click Create.

    The Summary page appears.

  7. Click Close.
