The Azure AD application is the connection Commvault Cloud uses to access data in your Azure AD tenant. Use the express configuration option to have Commvault Cloud automatically create the Azure AD application, assign it all permissions required to back up and restore objects to Azure AD, and authorize the application.
Procedure
- From the navigation pane, go to Protect > Active Directory.
  The Overview page appears.
- On the Apps tab, in the upper-right area of the page, click Add, and then click Azure AD.
  The Create Azure AD App page appears.
- From the Storage region list, select the storage region where the company is located.
- Click Next.
  The Application page appears.
- In the Name box, enter the app name.
- Select the Express configuration (Recommended) option.
- Click Sign in with Microsoft.
  You may be prompted to sign in to the Azure AD tenant at this stage. The account you sign in with needs the rights to create an application registration and, at the consent step below, to grant tenant-wide admin consent for the Microsoft Graph permissions listed under Permissions Assigned. A Global Administrator account has both (a Privileged Role Administrator can also grant the consent). Use an account you control and can audit: the consent grant is recorded in the Azure AD audit log under that account.
- On the Application page, click Create to finalize the creation of the app.
  The Create Azure App dialog box appears and displays the progress of the operations.
  A Microsoft window lists all the permissions that the Azure app requires. These are itemized in the next section.
  If the pop-up blocker prevents the Microsoft window from opening, allow the pop-up.
- At the bottom of the Microsoft window, click Accept.
  Review the list before you accept. Clicking Accept grants tenant-wide admin consent, so the application can use the application permissions in the list without any user signed in, and the grant stays in place until you revoke it for the enterprise application in the Azure portal.
  You are redirected to the configuration wizard.
- In the Create Azure App dialog box, click Close, and then click Next.
  The Summary page appears.
- Click Close.
Permissions Assigned
The Express configuration wizard creates an application in the Azure AD tenant that is used to back up data from the tenant and to restore objects. The permissions it grants (listed below) add up to tenant-wide administrative control: RoleManagement.ReadWrite.Directory can assign directory roles, including Global Administrator; Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All let the application add credentials to other applications and grant itself further permissions; UserAuthenticationMethod.ReadWrite.All can replace users' MFA methods; and Policy.ReadWrite.ConditionalAccess can change Conditional Access policies. Treat the service principal as a Global Administrator: review its granted permissions once the wizard finishes, and monitor its sign-ins and the audit log entries for its registration (new credentials, new permission grants). If you would rather create and configure the Azure AD application yourself, use the custom configuration option. The custom configuration option also lets you assign only the least privileges necessary for backups, so that the elevated privileges required to restore data are granted only when needed.
The Express configuration wizard assigns the following Microsoft Graph permissions to the application. Directory.AccessAsUser.All exists only as a delegated permission in Microsoft Graph and is exercised on behalf of the signed-in user; the remaining permissions, when held as application permissions, are exercised by the application itself with no user present:
Category | Permission | Description
---|---|---
AdministrativeUnit | AdministrativeUnit.ReadWrite.All | Read and write all administrative units
Application | Application.ReadWrite.All | Read and write all applications
AppRoleAssignment | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments
AuditLog | AuditLog.Read.All | Read all audit log data
DelegatedPermissionGrant | DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants
Device | Device.ReadWrite.All | Read and write devices
Directory | Directory.ReadWrite.All | Read and write directory data
Directory | Directory.AccessAsUser.All | Access directory as the signed-in user
Domain | Domain.ReadWrite.All | Read and write domains
Group | Group.ReadWrite.All | Read and write all groups
Policy | Policy.Read.All | Read your organization's policies
Policy | Policy.ReadWrite.ConditionalAccess | Read and write your organization's Conditional Access policies
RoleManagement | RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings
User | User.ReadWrite.All | Read and write all users' full profiles
UserAuthenticationMethod | UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods
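After the wizard finishes, check what was actually granted rather than trusting the consent screen. The following script is an added example, not Commvault's code: it uses the Microsoft Graph PowerShell SDK (assumed installed) to resolve the application permissions (app role assignments) and delegated permissions (OAuth2 grants) held by the service principal, compares them with the list above, flags the ones that amount to tenant takeover, and lists the credentials on the registration. The app name `Commvault-AzureAD-Backup` is a placeholder for whatever you entered in the Name box.

```powershell
# Added example (not Commvault's code): audit the permissions the express wizard granted.
# Assumptions: Microsoft.Graph.Applications module installed; $AppName is the name you
# entered in the Name box (placeholder value here); you can consent to Application.Read.All.
$AppName = 'Commvault-AzureAD-Backup'

# Permissions the documentation says the express wizard assigns (Microsoft Graph values).
$Expected = @(
    'AdministrativeUnit.ReadWrite.All', 'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'AuditLog.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'Device.ReadWrite.All',
    'Directory.ReadWrite.All', 'Directory.AccessAsUser.All',
    'Domain.ReadWrite.All', 'Group.ReadWrite.All',
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
    'RoleManagement.ReadWrite.Directory', 'User.ReadWrite.All',
    'UserAuthenticationMethod.ReadWrite.All'
)

# Subset that, on its own, lets the holder take over the tenant.
$HighImpact = @(
    'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All',
    'UserAuthenticationMethod.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'
)

# A read-only scope is enough for this audit.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppName', found $($sp.Count)" }
$sp = $sp[0]

# Microsoft Graph's own service principal: its AppRoles map appRoleId GUIDs to permission names.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Application permissions: app role assignments on the app's service principal, Graph only.
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleName[$_.AppRoleId] }

# Delegated permissions: OAuth2 permission grants; Scope is a space-separated list.
$delegatedPerms = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ }

$granted = @($appPerms) + @($delegatedPerms) | Sort-Object -Unique
$missing = $Expected | Where-Object { $granted -notcontains $_ }
$extra   = $granted  | Where-Object { $Expected -notcontains $_ }
$takeover = $granted | Where-Object { $HighImpact -contains $_ }

"Application permissions : $($appPerms -join ', ')"
"Delegated permissions   : $($delegatedPerms -join ', ')"
"Documented but missing  : $($missing -join ', ')"
"Granted but undocumented: $($extra -join ', ')"
"Tenant-takeover capable : $($takeover -join ', ')"

# Anything holding these permissions is a Global Administrator equivalent, so every
# secret and certificate on the registration is a GA credential: list them with expiry.
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
$app.PasswordCredentials | ForEach-Object { "Secret      $($_.DisplayName) (KeyId $($_.KeyId)) expires $($_.EndDateTime)" }
$app.KeyCredentials      | ForEach-Object { "Certificate $($_.DisplayName) (KeyId $($_.KeyId)) expires $($_.EndDateTime)" }

# Fail loudly if the grant set drifted from what the wizard is documented to assign.
if ($extra) { Write-Error "Unexpected permissions granted to '$AppName': $($extra -join ', ')" }
```

Run it right after step "Click Close" and again on a schedule; a non-empty "Granted but undocumented" line or a new credential on the registration is a change someone other than the wizard made, and is worth an incident ticket given what this service principal can do.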