Backup and Recovery Services

Complete the Guided Setup for Azure Active Directory Using the Custom Configuration

The Azure AD application is the connection Commvault Cloud uses to access data in your Azure AD tenant. Use the custom configuration option if you want to create and configure the Azure AD application yourself. The custom configuration option also lets you assign the application only the least privileges needed for backups, so that the elevated privileges required to restore data are granted on an as-needed basis.

Log On to the Azure Portal as the Global Administrator

  1. Log on to the Azure portal using your global administrator account.

  2. Go to Azure Active Directory (now Microsoft Entra ID).

Create the App Registration

  1. In the navigation pane, click App registrations.

    The App registrations page appears.

  2. Click New registration.

    The Register an application screen appears.

  3. In the Name box, type a name for the app.

  4. Under Supported account types, select Accounts in this organizational directory only (tenant_prefix - Single tenant).

  5. Click Register.

  6. Copy the following values into a file or other document that you can access later:

    • Application (client) ID

    • Directory (tenant) ID

    You will enter these values in the Commvault Cloud software when you create the Azure AD app.

  7. From the left navigation pane, click Certificates & secrets.

  8. Click New client secret.

  9. Enter a description of the secret, and then click Add.

  10. Copy the client secret value shown on the page now, because the portal displays it only once; it will also be entered when you create the Azure AD app.

Assign Backup and Restore Permissions to the App

If you want to create and configure the Azure AD application yourself and want the app to have all permissions required to back up and restore objects in Azure AD, configure the app with the permissions below.

  1. In the navigation pane, click API permissions.

  2. Click Add a permission.

    The Request API permissions page appears.

  3. Click Microsoft Graph and complete the following steps:

    a. Click Application Permissions.

    b. Select the following permissions:

       Category                  Permission                                Description
       AdministrativeUnit        AdministrativeUnit.ReadWrite.All          Read and write all administrative units
       Application               Application.ReadWrite.All                 Read and write all applications
       AppRoleAssignment         AppRoleAssignment.ReadWrite.All           Manage app permission grants and app role assignments
       AuditLog                  AuditLog.Read.All                         Read all audit log data
       DelegatedPermissionGrant  DelegatedPermissionGrant.ReadWrite.All    Manage all delegated permission grants
       Device                    Device.ReadWrite.All                      Read and write devices
       Directory                 Directory.ReadWrite.All                   Read and write directory data
       Domain                    Domain.ReadWrite.All                      Read and write domains
       Group                     Group.ReadWrite.All                       Read and write all groups
       Policy                    Policy.Read.All                           Read your organization's policies
       Policy                    Policy.ReadWrite.ConditionalAccess        Read and write your organization's conditional access policies
       RoleManagement            RoleManagement.ReadWrite.Directory        Read and write all directory RBAC settings
       User                      User.ReadWrite.All                        Read and write all users' full profiles

    c. Click Add permissions.

  4. Click Microsoft Graph again and complete the following steps:

    a. Click Delegated Permissions.

    b. Select the following permissions:

       Category                  Permission                                Description
       Directory                 Directory.AccessAsUser.All                Access directory as the signed in user
       UserAuthenticationMethod  UserAuthenticationMethod.ReadWrite.All    Read and write all users' authentication methods

    c. Click Add permissions.

For more information regarding permissions, see Microsoft Permissions.

  5. Return to the Request API permissions page.

  6. On the app API permissions page, click Grant admin consent for tenant_name.

Assign Least Privileges for Backups to the App

If you want to implement a least privileges approach, you can assign the app only the permissions necessary to read object information from the Azure AD tenant and create backups. With this approach, elevated permissions must be assigned to the app and a delegated access token acquired each time a restore job is submitted. The delegated access token is requested only for the restore job and is not retained after the restore is completed. The Write permissions temporarily assigned to the app can be removed again after the restore has completed.

Note

If you assign only the Read permissions below, backup job logs may contain a warning that Write privileges are not present. This warning is informational only and can be safely ignored.

  1. In the navigation pane, click API permissions.

  2. Click Add a permission.

    The Request API permissions page appears.

  3. Click Microsoft Graph and complete the following steps:

    a. Click Application Permissions.

    b. Select the following permissions:

       Category                  Permission                                Description
       AdministrativeUnit        AdministrativeUnit.Read.All               Read all administrative units
       Application               Application.Read.All                      Read all applications
       AppRoleAssignment         AppRoleAssignment.ReadWrite.All           Manage app permission grants and app role assignments
       AuditLog                  AuditLog.Read.All                         Read all audit log data
       DelegatedPermissionGrant  DelegatedPermissionGrant.Read.All         Read all delegated permission grants
       Device                    Device.Read.All                           Read devices
       Directory                 Directory.Read.All                        Read directory data
       Domain                    Domain.Read.All                           Read domains
       Group                     Group.Read.All                            Read all groups
       Policy                    Policy.Read.All                           Read your organization's policies
       Policy                    Policy.Read.ConditionalAccess             Read your organization's conditional access policies
       RoleManagement            RoleManagement.Read.Directory             Read all directory RBAC settings
       User                      User.Read.All                             Read all users' full profiles

    c. Click Add permissions.

  4. Click Microsoft Graph again and complete the following steps:

    a. Click Delegated Permissions.

    b. Select the following permissions:

       Category                  Permission                                Description
       Directory                 Directory.AccessAsUser.All                Access directory as the signed in user
       UserAuthenticationMethod  UserAuthenticationMethod.Read.All         Read all users' authentication methods

    c. Click Add permissions.

For more information regarding permissions, see Microsoft Permissions.

  5. Return to the Request API permissions page.

  6. On the app API permissions page, click Grant admin consent for tenant_name.
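As an added check for the least-privilege setup above (example code, not part of this page or of the Commvault product), the following script audits an exported app registration manifest against the backup-only application permissions and reports Write roles left behind after a restore as well as backup roles that were never granted. The manifest, the Graph appRole list and all role IDs are constructed sample data; only the Microsoft Graph resource app ID is the real well-known value.

```python
"""Audit an app registration manifest against the backup-only Microsoft Graph
application permissions listed above: flag Write roles left behind after a
restore (extra) and backup roles that were never granted (missing)."""

# Microsoft Graph's well-known resource app ID; identical in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# The least-privilege (backup-only) application permissions from this page.
BACKUP_ONLY_ROLES = {
    "AdministrativeUnit.Read.All", "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "DelegatedPermissionGrant.Read.All", "Device.Read.All",
    "Directory.Read.All", "Domain.Read.All", "Group.Read.All",
    "Policy.Read.All", "Policy.Read.ConditionalAccess",
    "RoleManagement.Read.Directory", "User.Read.All",
}

def audit_app_permissions(manifest, graph_app_roles, allowed=BACKUP_ONLY_ROLES):
    """manifest: the app registration manifest (dict) exported from the portal.
    graph_app_roles: the Graph service principal's appRoles, each a dict with
    "id" (GUID) and "value" (permission name), used to resolve the manifest IDs.
    Returns (extra, missing): granted roles outside `allowed`, allowed roles absent."""
    id_to_name = {r["id"]: r["value"] for r in graph_app_roles}
    granted = set()
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope here
        for access in res.get("resourceAccess", []):
            if access.get("type") == "Role":  # "Role" = application, "Scope" = delegated
                granted.add(id_to_name.get(access["id"], "unknown:" + access["id"]))
    return sorted(granted - allowed), sorted(allowed - granted)

# Constructed sample data: these role IDs are placeholders, NOT the real Graph GUIDs.
SAMPLE_GRAPH_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
    for i, name in enumerate(sorted(BACKUP_ONLY_ROLES | {"User.ReadWrite.All"}))
]
SAMPLE_ROLE_ID = {r["value"]: r["id"] for r in SAMPLE_GRAPH_ROLES}

# Constructed manifest: User.ReadWrite.All was left in place after a restore,
# Device.Read.All was never added, and one delegated scope is present (ignored).
SAMPLE_MANIFEST = {
    "displayName": "commvault-aad-backup-app",
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": SAMPLE_ROLE_ID[n], "type": "Role"} for n in
                           (BACKUP_ONLY_ROLES - {"Device.Read.All"}) | {"User.ReadWrite.All"}]
                          + [{"id": "ffffffff-0000-0000-0000-000000000000", "type": "Scope"}],
    }],
}
```

Running `audit_app_permissions(SAMPLE_MANIFEST, SAMPLE_GRAPH_ROLES)` returns `(['User.ReadWrite.All'], ['Device.Read.All'])`; with a real tenant, export the manifest from the app registration and the appRoles from the Microsoft Graph service principal and pass those instead.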