Configuring Access to Your Azure Subscription

To protect Azure resources with the Commvault software, you must create a new Azure app registration and configure access to the app. For access to the app, you can use a custom role for least privilege, or you can use Azure built-in roles.

Prerequisites

  • To complete the tasks on this page, certain Azure built-in roles are required:

    Create a new Azure app registration: one or more of the following roles:

    • Application Administrator

    • Application Developer

    • Cloud Application Administrator

    Create a custom role: User Access Administrator

    Configure access to the Azure app: Role Based Access Control Administrator

  • For configuration using the command line, verify that you have the latest version of Azure CLI or Azure PowerShell.

Create a New Azure App Registration

Using the Azure Portal

  1. Log on to the public Azure portal with service administrator credentials.

  2. From the All services menu, select the App registrations tab, and then click on New registration.

  3. In Name, enter the name of the application to create on Azure Active Directory.

    For example, enter My App.

  4. For Account type, select the type of account, which determines who can use the application.

  5. To specify a redirect URI, in Redirect URI (optional), select Web, and then enter the URI that the access token is sent to.

    For example, enter https://my_org.org/my_app.

  6. Click Register.

    The application is listed on the App Registration tab.

  7. Record the application ID.

  8. On the Certificates & secrets blade, click New client secret, and then enter a description and expiration date for the client secret.

  9. Click Save.

    A unique client secret is generated for the application.

  10. Important: Save the client secret, which will be your application secret. After you leave the Certificates & secrets blade, you cannot retrieve the value.

Using the Azure PowerShell

  1. Create the app registration:

    $sp = New-AzADServicePrincipal -DisplayName ServicePrincipalName

  2. Get the client secret:

    $sp.PasswordCredentials.SecretText

Assign Roles

You can use a custom role for least privilege, or you can use Azure built-in roles.

Use a Custom Role for Least Privilege

Download the JSON File and Update It With Your Azure Subscription ID

  1. Download the JSON for the Azure workload that you want to protect and the Azure interface that you want to use:

    Azure databases (Azure MariaDB, Azure MySQL, Azure PostgreSQL, Azure SQL, and Azure SQL Managed Instance):

    • Azure Portal JSON: AzureDBBackupRole.json

    • Azure CLI/Azure PowerShell JSON: not available yet

    Azure VMs, encrypted:

    • Azure Portal JSON: CVBackupRole-Encryption.json

    • Azure CLI/Azure PowerShell JSON: not available yet

    Azure VMs, unencrypted:

    • Azure Portal JSON: CVBackupRole.json

    • Azure CLI/Azure PowerShell JSON: CVBackupRole_CLI.json

  2. Important: In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.

  3. Save the file.
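The placeholder edit in step 2 is easy to get wrong, so the following added helper (written for this page, not part of the Commvault documentation or software) rewrites the subscription segment of every assignableScopes entry and checks the resulting definition for least privilege before you create it with the Azure CLI or Azure PowerShell. The role JSON and the subscription ID used in it are constructed samples; the real CVBackupRole.json contents are not reproduced.

```python
import json
import re
import uuid

# Constructed stand-in for a downloaded file such as CVBackupRole.json (real contents not reproduced).
SAMPLE_ROLE_JSON = """{
  "Name": "CVBackupRole",
  "IsCustom": true,
  "Description": "Constructed sample custom role",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}"""

def _scopes_key(role):
    """Find the assignableScopes key as spelled in this file (Azure accepts either casing)."""
    return next(k for k in role if k.lower() == "assignablescopes")

def set_subscription_scope(role_text, subscription_id):
    """Replace the subscription segment of every assignable scope with the given subscription GUID."""
    uuid.UUID(subscription_id)  # raises ValueError for anything that is not a GUID
    role = json.loads(role_text)
    key = _scopes_key(role)
    role[key] = [re.sub(r"^/subscriptions/[^/]+", "/subscriptions/" + subscription_id, s)
                 for s in role[key]]
    return json.dumps(role, indent=2)

def check_least_privilege(role_text):
    """Return findings about the definition; an empty list means it is ready to create."""
    role = json.loads(role_text)
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    for action in role.get("Actions", []) + role.get("DataActions", []):
        if "*" in action:  # a wildcard grants far more than a backup identity needs
            findings.append("wildcard permission: " + action)
    for scope in role[_scopes_key(role)]:
        match = re.match(r"^/subscriptions/([^/]+)", scope)
        if not match:  # root ("/") or management-group scopes are broader than one subscription
            findings.append("scope is broader than a subscription: " + scope)
            continue
        try:
            uuid.UUID(match.group(1))
        except ValueError:
            findings.append("subscription ID placeholder not replaced: " + scope)
    return findings
```

Run check_least_privilege on the file you are about to pass to az role definition create or New-AzRoleDefinition; create the role only when it returns no findings.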

Assign the Custom Role

Using the Azure Portal

  1. From the All services menu, click the Subscriptions tab, and then select your subscription ID.

  2. On the Access Control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  3. From the Role list, select the custom role.

  4. From the Assign access to list, select User, group, or service principal.

  5. In the Select box, enter the application name, and then select the application for protecting your Azure workload.

  6. Click Save.

Azure CLI

  1. Create the custom role:

    az role definition create --role-definition .\JSON_file.json

    Where JSON_file is the name of the JSON file.

  2. Configure access to Azure resources:

    az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role JSON_file --output json --only-show-errors

    Where:

    • Azure_app is the name of your Azure app.

    • Azure_subscription_ID is the ID of your Azure subscription.

    • JSON_file is the name of the JSON file.

Azure PowerShell

  1. Create the custom role:

    New-AzRoleDefinition -InputFile "JSON_file.json"

    Where JSON_file is the name of the JSON file.

  2. Assign the role to the subscription:

    New-AzRoleAssignment -ObjectId Object_ID -RoleDefinitionName JSON_file -Scope /subscriptions/Azure_subscription_ID

    Where:

    • Object_ID is the object ID of the service principal for your Azure app ($sp.Id from the New-AzADServicePrincipal step).

    • JSON_file is the name of the JSON file.

    • Azure_subscription_ID is the ID of your Azure subscription.

Use Azure Built-In Roles

Using the Azure Portal

  1. In the Azure portal, on the Access Control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  2. From the Role list, select the roles that are required for the workload:

    Azure CosmosDB, Azure MariaDB, Azure MySQL, and Azure PostgreSQL databases:

    • Contributor

    • Blob Storage Contributor

    Azure SQL and Azure SQL Managed Instance databases:

    • SQL Server Contributor

    • SQL Managed Instance Contributor

    • Blob Storage Contributor

    Azure VMs, encrypted: not available yet

    Azure VMs, unencrypted:

    • Contributor

    • Storage Blob Data Contributor

    For Azure Blob and Azure Data Lake Storage Gen2, select the Reader and Storage Blob Data Owner roles.

    For Azure File shares, the following roles must be configured:

    • Storage Blob Data Owner and Storage File Data Privileged Contributor at the storage account level

    • Storage Account Contributor and Microsoft.Storage/storageAccounts/read at the subscription level

  3. From the Assign access to list, select User, group, or service principal.

  4. For Members, do the following:

    1. Click Select members.

      The Select members blade appears.

    2. In the Select box, start typing to select the application that you created in the preceding step.

  5. Click Save.

  6. To obtain the tenant ID (which is also the directory ID) from the public Azure cloud, go to Azure Active Directory > Properties > Directory.

  7. To protect Azure resources with your own storage account, repeat the preceding steps to add the Storage Blob Data Contributor role.

Using the Azure CLI

  • Use the following command to assign roles:

    az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "role" --output json --only-show-errors

    Where:

    • Azure_app is the name of your Azure app.

    • Azure_subscription_ID is the ID of your Azure subscription.

    • role is the role to assign.

  • Assign the roles that are required for the workload:

    Azure CosmosDB, Azure MariaDB, Azure MySQL, and Azure PostgreSQL databases:

    • Contributor

    • Blob Storage Contributor

    Azure SQL and Azure SQL Managed Instance databases:

    • Blob Storage Contributor

    • SQL Managed Instance Contributor

    • SQL Server Contributor

    Azure VMs, unencrypted: Storage Blob Data Contributor

    Azure VMs, encrypted: not available yet

Using the Azure PowerShell

  • Use the following command to assign roles:

    New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'role'

    Where role is the role to assign.

  • Assign the roles that are required for the workload:

    Azure CosmosDB, Azure MariaDB, Azure MySQL, and Azure PostgreSQL databases:

    • Contributor

    • Blob Storage Contributor

    Azure SQL and Azure SQL Managed Instance databases:

    • Blob Storage Contributor

    • SQL Managed Instance Contributor

    • SQL Server Contributor

    Azure VMs, unencrypted: Storage Blob Data Contributor

    Azure VMs, encrypted: not available yet
