Enable Backup

To use IBM® Storage Protect for Cloud Azure VMs, Storage, and Entra ID to protect Microsoft Entra ID, Azure VMs, Azure Storage, Admin Portal Settings, Azure SQL, Azure DevOps, or Azure AD B2C, you must connect your Microsoft tenant to IBM Storage Protect for Cloud. For details, refer to Connect your tenants to IBM Storage Protect for Cloud.

Note the following before you enable the backup:

  • Before you enable the backup service for Azure VM, Azure Storage, or Azure SQL, you can register a Microsoft Delegated app in your tenant or use a custom Azure app with delegated permissions. Then add this app to the subscriptions where the VM, storage, or database to protect resides, and grant the app the Contributor role or a custom role with equivalent permissions. For details, refer to Enable the Backup for Azure Virtual Machines, Azure Storage, and Azure SQL.
    Note:
    • If the “Allow storage account key access” feature is disabled on your storage account, then to protect Azure Blob Storage the app must have the Storage Blob Data Contributor role on the subscription or storage account, in addition to the Contributor role. In this case, Azure File Storage is not supported.
    • The Azure virtual machines that can be protected by the Virtual Machine service must be hosted by Azure. They may be created with your pre-defined and endorsed settings or with the recommended defaults that match your workload.
    • If the firewall is enabled on the Azure storage account that you want to protect, complete the settings as instructed in Allow IBM Storage Protect for Cloud Agent Servers to Access Your Storage Account. Note that data in the Azure storage archive tier cannot be protected, because IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID cannot read or download a blob in the Archive tier. You must manually rehydrate the archive data that you want to protect to the online tier (cold, cool, or hot tier).
  • Before you use the backup service for Microsoft Entra ID or Admin Portal Settings, you must create a Service app for IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID or use a custom Azure app to grant consent with the required permissions. For details, refer to Enable Backup for Microsoft Entra ID or Admin Portal Settings.
    Note the following:
    • If you want to back up and restore Distribution lists or Mail-enabled security groups in Microsoft Entra ID, or protect the Microsoft 365 Defender or Exchange settings through the Admin Portal Settings service, you can choose to prepare a service account profile with a Global Administrator or Exchange Administrator, or you can go to the Microsoft Entra admin center (Azure portal) to assign the Exchange administrator role to this service app. For details on assigning an app the Exchange administrator role, refer to How to Assign the Exchange Administrator Role to an App?. For details on configuring a service account profile, refer to Create a Service Account Profile. Note that a service account with MFA enabled is currently not supported.
      Note: If you are using a custom Azure app for Microsoft Entra ID or Admin Portal Settings service and you do not want to assign Global administrator or Exchange administrator role to the app, refer to the instructions in Create a Custom Role Group to create a role group with the minimum permissions. This configuration is only applicable to the custom app.
    • To restore a temporarily deleted user or group that has access to the Microsoft 365 admin center, the service account or the service app must be assigned the Global administrator role.
    • To back up and restore the Self Service Group Management settings for Microsoft Entra ID > Group General, you must have a service account profile configured in the IBM Storage Protect for Cloud interface and the service account you use must have the Cloud Application Administrator role. Note that if you only want to back up this property, the Cloud Application Administrator role is not required.
    • To back up and restore the Attributes and Claims, Identifier (Entity ID), currentSingleSignOnMode, ParentAppId, or IsCustomApp in the SSO configuration for the enterprise applications, you must have a service account profile configured in the IBM Storage Protect for Cloud interface and the service account you use must have the Application Administrator role. Note that if you only want to back up these properties, the Application Administrator role is not required.
  • Before you use the backup service for Azure DevOps, you must create a service app or use a custom Azure app to grant consent with the required permissions. For details, refer to Enable the Backup for Azure DevOps.
  • Before you use the backup service for Azure AD B2C, you must create a service app or use a custom Azure app to grant consent with the required permissions. For details, refer to Enable the Backup for Azure AD B2C.
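
The storage account notes above (key access, firewall, archive tier) can be checked before you enable the backup. The following pre-flight check is an added example, not part of the IBM product or its documentation. It assumes input in the JSON shape returned by `az storage account show` and `az storage blob list`; the function name `preflight` and all sample values are constructed for illustration.

```python
import json

# Constructed sample data in the shape of `az storage account show` and
# `az storage blob list` JSON output (account and blob names are made up).
SAMPLE_ACCOUNT = json.loads("""{
  "name": "examplebackupsrc",
  "allowSharedKeyAccess": false,
  "networkRuleSet": {"defaultAction": "Deny"}
}""")
SAMPLE_BLOBS = json.loads("""[
  {"name": "logs/2023.tar", "properties": {"blobTier": "Archive"}},
  {"name": "db/export.bak", "properties": {"blobTier": "Cool"}}
]""")


def preflight(account, blobs, assigned_roles):
    """Return findings to resolve before enabling Azure Storage backup.

    assigned_roles: built-in role names the backup app already holds on the
    subscription or storage account. A custom role with equivalent
    permissions is not detected here and must be reviewed by hand.
    """
    findings = []
    roles = set(assigned_roles)
    if "Contributor" not in roles:
        findings.append("app lacks the Contributor role (or an equivalent custom role)")
    # Azure treats a null or absent allowSharedKeyAccess as "allowed".
    if account.get("allowSharedKeyAccess") is False:
        if "Storage Blob Data Contributor" not in roles:
            findings.append("key access disabled: app also needs Storage Blob Data Contributor")
        findings.append("key access disabled: Azure File Storage is not supported")
    # Assumption: defaultAction == "Deny" is treated as "firewall enabled".
    if (account.get("networkRuleSet") or {}).get("defaultAction") == "Deny":
        findings.append("firewall enabled: allow the agent servers to access this account")
    # Blobs in the Archive tier cannot be read, so they must be rehydrated first.
    archived = [b["name"] for b in blobs
                if (b.get("properties") or {}).get("blobTier") == "Archive"]
    if archived:
        findings.append("rehydrate before backup: " + ", ".join(archived))
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_ACCOUNT, SAMPLE_BLOBS, ["Contributor"]):
        print("-", line)
```
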