Microsoft Tenant
Refer to the instructions below to re-authorize app profiles for Microsoft tenants.
- If your tenant has an app with delegated permissions, note the following:
- According to Microsoft’s non-interactive user sign-ins, the sign-in logs show the original IP used for the original token issuance, as the IP address of non-interactive sign-ins performed by confidential clients (IBM® Storage Protect for Cloud) doesn’t match the actual original IP of the event when a Microsoft user signed in and consented to an app. If you create an app with delegated permissions, you must add the original IP address to your Microsoft tenant’s conditional access policies (if any). Otherwise, the apps with delegated permissions will be Invalid. After you add the original IP address to your conditional access policies, you can manually re-authorize the app profile to update its status or wait for IBM Storage Protect for Cloud to automatically update its status.
- For an app with delegated permissions, the related app profile needs to be re-authorized when its consent user’s Microsoft 365 account is in any of the following scenarios:
- If multi-factor authentication (MFA) is enabled on the consent user's Microsoft 365 account after the user has given consent to the custom app profile, the app profile needs to be re-authorized.
- If the consent user’s Microsoft 365 account is unavailable (e.g. the password was changed or the user left the company), the app profile will be Invalid and need to be re-authorized.
Note: To help you easily find the apps with delegated permissions, the related IBM default apps are marked with the icons as below:
- Apps that utilize both application and delegated API permissions are marked with the hybrid (
) icon. - Apps that have delegated API permissions only are marked with the purebred (
) icon
- Apps that utilize both application and delegated API permissions are marked with the hybrid (
- For a Custom Azure app / Custom Azure app with delegated permissions, you also need to re-authorize the app profile if:
- You want to change the custom Azure app that connects IBM Storage Protect for Cloud to your tenant.
- The certificate file of the custom Azure app has been changed.
- For a Delegated app used by the IBM Storage Protect for Cloud Microsoft™ 365 service, you also need to re-authorize the app profile if you want to change the functions which will use the app. When you re-authorize the Delegated app, ensure that your organization’s subscription for the IBM Storage Protect for Cloud Microsoft 365 service has included the modules you want to protect. Then, you can select desired functions from the following that are supported by the Delegated app:
- Restore Teams channel conversations as posts
- Protect Power BI
- Protect Power Automate / Power Apps
- Restore Planner task comments
Note: If your tenant is using a scan profile configured in the IBM Storage Protect for Cloud classic UI for protecting Planner data via IBM Storage Protect for Cloud Microsoft 365, you can follow the steps below to update the method of Planner data protection.
- In IBM Storage Protect for Cloud, refer to the instructions below to prepare an app profile based on your scenario:
- If you want to use a classic mode app, create/re-authorize an app profile of the Microsoft 365 (All permissions) app type, and ensure that the Microsoft Graph permission Tasks.ReadWrite.All has been added to the app.
- If you want to use a modern mode app, create an app profile of the IBM Storage Protect for Cloud Microsoft 365 (All permissions) app type.
- If you want to use a custom mode app, create an app profile of the Custom Azure app type and ensure that the Microsoft Graph permission Tasks.ReadWrite.All has been added to the custom app.
- Edit the scan profile and save it.
Note: For a scan profile configured in the IBM Storage Protect for Cloud classic UI for protecting Planner data, the authentication method in the scan profile is a service account profile or app profile with an additional delegated app profile. In the IBM Storage Protect for Cloud new UI, once this kind of scan profile has been edited, the authentication method will be updated to the app profile. Thus, you can edit and save a scan profile even without any changes.
- Go to IBM Storage Protect for Cloud Microsoft 365 to check the backup setting and ensure that the option for Planner data backup has been enabled.
- In IBM Storage Protect for Cloud, refer to the instructions below to prepare an app profile based on your scenario:
- The following apps support user consent, and you can re-authorize these apps with a non Administrator account in your Microsoft tenant. When you re-authorize one of the following apps, you can choose a consent method between Administrator consent and User consent.
Note: When you re-authorize the other apps that are not in the table below, refer to Administrator Consent.
| Service | App type (in IBM Storage Protect for Cloud |
|---|---|
| IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID | IBM Storage Protect for Cloud Azure |
| Delegated App | |
| IBM Storage Protect for Cloud for Azure DevOps | |
| IBM Storage Protect for Cloud Microsoft 365 | Delegated App |
| IBM Storage Protect for Cloud Microsoft 365 | Viva Engage |
| IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID
IBM Storage Protect for Cloud Microsoft 365 |
Custom app with delegated permissions (API Permissions Required by Custom Apps) |
Note: : You do not need any permissions or Microsoft licenses other than those listed in this guide.
Administrator Consent
Refer to the following instructions to re-authorize an app profile with a Microsoft 365 Global or a Privileged Role Administrator account.
- Select an app profile and click Re-authorize.
- Note the following when you re-authorize different app profiles:
- When you re-authorize an IBM Storage Protect for Cloud default service app for Viva Engage, you can also consent to the app with an Engage Administrator (Yammer Administrator in Microsoft Entra ID) account.
- When you re-authorize an app profile for the IBM Storage Protect for Cloud Microsoft 365 service, note the following:
- When consenting to the IBM Storage Protect for Cloud Microsoft 365 delegated app, you also need to choose the functions that will use this app. The user who consents to the app must have the Microsoft 365 Global Administrator role. For details, refer to the Required Permissions of Microsoft Delegated App section in the IBM Storage Protect for Cloud Microsoft 365 user guide.
- When consenting to a Viva Engage app profile used by IBM Storage Protect for Cloud Microsoft 365, the consent user must have the Verified Admin role and the Yammer Administrator role with the Viva Engage product license.
- When you re-authorize an app profile for a Custom Azure app / Custom Azure app with delegated permissions app, refer to the following instructions:
- Application ID – Enter the application ID of the custom app. To keep using the current app, you can get its application ID in the app profile detail page. If you want to change to another app, enter the application ID of the app that your organization has created. For additional details on creating an app, refer to Create a Custom Azure App.
- Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).
Note: Ensure this .pfx file is paired with the .cer/.crt file which is uploaded for this custom app in Microsoft Entra ID. If your organization does not have any certificates, you can create self-signed certificates by referring to Prepare a Certificate for the Custom Azure App.
- Certificate password – Enter the password of the certificate.
- Click Consent.
User Consent
The following apps support user consent, and you can re-authorize these apps with a non Administrator account in your Microsoft tenant.
Note: When you re-authorize the other apps that are not in the table below, refer to Administrator Consent.
| Service | App type (in IBM Storage Protect for Cloud) | App name (in Microsoft Entra ID) |
|---|---|---|
| IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID | IBM Storage Protect for Cloud Azure | IBM Storage Protect for Cloud Azure |
| Delegated App | IBM Storage Protect for Cloud - Delegated App | |
| IBM Storage Protect for Cloud Azure DevOps | IBM Storage Protect for Cloud Azure DevOps | |
| IBM Storage Protect for Cloud Microsoft 365 | Delegated App | IBM Storage Protect for Cloud Microsoft 365 - Delegated App |
| IBM Storage Protect for Cloud Microsoft 365 | Viva Engage | IBM Storage Protect for Cloud Administration for Viva Engage |
|
IBM Storage Protect for Cloud Microsoft 365 IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID |
Custom app with delegated permissions (API Permissions Required by Custom Apps) |
[custom app name] You can also get its application ID in the app profile detail page. |
Before you choose the User consent method, complete the following preparations:
- Ensure that your organization has granted admin consent to the app in Microsoft Entra ID. You can refer to the steps below to grant admin consent to an app:
- Log in to Microsoft Entra admin center (or Microsoft Azure portal).
- Follow the instructions below to grant admin consent to an IBM Storage Protect for Cloud app or a custom app:
- To grant admin consent to an IBM Storage Protect for Cloud app, navigate to Microsoft Entra ID > Enterprise applications, click the app, click Permissions in the Security menu, and then click Grant admin consent for [Tenant name].
- To grant admin consent to a custom app, navigate to Microsoft Entra ID > App registrations, click the app, click API permissions in the Manage menu, and then click Grant admin consent for [Tenant name].
- Refer to the following information to prepare required users who consent to the apps:
- To scan and manage Power Platform objects, the user who provides consent must have the following required license/role:
- The Power Platform Administrator role must be assigned to the user who provides consent for the app profiles for scanning Power Apps or Power Automate objects.
- The Power BI license and Fabric Administrator role must be assigned to the user who provides consent for the app profiles for scanning Power BI objects.
- To scan and manage Power Platform objects, the user who provides consent must have the following required license/role:
To re-authorize an app profile with the User consent method, refer to the steps below:
- Select an app profile and click Re-authorize.
- Note the following when you re-authorize different app profiles:
- When you re-authorize an app profile for a delegated app used by the IBM Storage Protect for Cloud Microsoft 365 service, you also need to choose the functions which will use this app.
- Application ID – Enter the application ID of the custom app. To keep using the current app, you can get its application ID in the app profile detail page. If you want to change to another app, enter the application ID of the app that your organization has created. For additional details on creating an app, refer to Create a Custom Azure App.
- Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).
Note: Ensure this .pfx file is paired with the .cer/.crt file which is uploaded for this custom app in Microsoft Entra ID. If your organization does not have any certificates, you can create self-signed certificates by referring toPrepare a Certificate for the Custom Azure App .
- Certificate password – Enter the password of the certificate.
- When you re-authorize an app profile for a delegated app used by the IBM Storage Protect for Cloud Microsoft 365 service, you also need to choose the functions which will use this app.
- Select the User consent option.
- Click Continue to consent.