Create an App Profile

Procedure

Before creating an app profile, refer to the Apps Required by Services section to see which apps are required by the services that your organization uses.

In Management > App management, the Tenant Owner and Service Administrators can click Create and follow the steps below to create an app profile.

  1. Select services – Select a tenant and select services for which you want to create app profiles. Click Next.
    Note: Before you create an app profile, you must ensure that the tenant has been connected to IBM® Storage Protect for Cloud. For more details on connecting tenants, refer to Connect your Tenants to IBM Storage Protect for Cloud.
  2. Choose setup method – Refer to the information below, and select a mode based on your scenario:
    • Modern mode is the recommended mode for all IBM Storage Protect for Cloud default apps. In this mode, the related apps are listed in a service-based view, and you can consent to apps separately for the selected services.
      Note the following:
      • For Google tenants, a default service app may encounter throttling issues caused by Google quota limits. If performance is a concern, consider configuring a custom Google app for your organization. Then, choose the Custom mode to configure an app profile for the custom Google app.
      • In Auto discovery, scan profiles run jobs and randomly use app profiles that have the required permissions to scan objects. For specific functionalities in services, only the related service apps have the permissions required to support them. For additional details on the permissions of service apps, see Apps for Individual Service.
    • Classic mode includes the method of consenting to one app which can be used by multiple services. This mode will not be displayed if it is not supported by the selected services.
      If you select this mode, note the following:
      • In the Application list, you can consent to the following apps which can be used by multiple services: Microsoft 365 (All permissions), Microsoft Entra ID, and Viva Engage.
        The table below lists the services supported by the apps in the classic mode Application list:

        Apps | Supported services | Consent method
        Microsoft 365 (All permissions) | IBM Storage Protect for Cloud Microsoft 365 | Consent to one app to be used by multiple services.
        Viva Engage | IBM Storage Protect for Cloud Microsoft 365 |
        Delegated App | IBM Storage Protect for Cloud Microsoft 365; IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID | Consent to the app separately for each service.

        Note (Delegated App): If IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID is the only service that you select to use, the Classic mode is not available.
      • In the Service app list, you can also separately consent to the apps used by specific services.
    • Custom mode is recommended for organizations that have identified use cases with extremely limited required permissions.

      Before you create an app profile for a custom app, refer to Create Custom Apps to create custom apps which meet the requirements of your services. When you create an app profile for a custom app, refer to Consent to Custom Apps to consent to the custom app.

      Note the following:
  3. Consent to apps – To consent to an app, click Consent next to the app, and refer to the information below to continue with the consent:
    • For a Microsoft 365 tenant, creating app profiles for IBM apps in a Microsoft tenant’s environment requires a Microsoft 365 Global Administrator or a Privileged Role Administrator account that is in the same tenant. For more details on this requirement, see the Why is Admin Consent is Required to Use the IBM Storage Protect for Cloud App? section.
      • The Engage Administrator, which is the Yammer Administrator in Microsoft Entra ID, can also consent to the IBM Storage Protect for Cloud apps for Viva Engage.
      • If multi-factor authentication (MFA) is enabled on a Microsoft 365 account, this account can still be used to consent to app profiles. For apps with delegated permissions, the related app profiles need to be re-authorized if MFA is enabled on the consent users’ Microsoft 365 accounts after they have given consent to the app profiles.
      • When creating an app profile for a delegated app used by the IBM Storage Protect for Cloud Microsoft 365 service, you also need to choose the functions that will use this app.
      • When creating an app profile for the IBM Storage Protect for Cloud Microsoft 365 service, note the following:
        • When consenting to the Cloud Backup for Microsoft 365 delegated app, you also need to choose the functions that will use this app. The user who consents to the app must have the Microsoft 365 Global Administrator role. For details, refer to the Required Permissions of Microsoft Delegated App section in the IBM Storage Protect for Cloud Microsoft 365 user guide.
        • When consenting to a Viva Engage app profile used by IBM Storage Protect for Cloud Microsoft 365, the consent user must be a Microsoft 365 Global Administrator with the Viva Engage product license.
    • To create an app profile for a custom app in a Microsoft/Google tenant, refer to the Consent to Custom Apps section for additional details.
    • For a Google tenant, creating an app profile for the app used by the IBM Storage Protect for Cloud Google Workspace service requires the consent of a Super Admin account.
      Note: For the app used by IBM Storage Protect for Cloud Google Workspace, ensure that the Super Admin account has been assigned the required licenses:
      • The Google Workspace module requires licenses for the Gmail, Calendar, Contacts, Drive, and Chat services. The following additional licenses are only needed for managing specific services: Shared drive for shared drives and Vault for Vault matters.
      • The Google Classroom module requires licenses for the Classroom service.
    • For a Salesforce tenant, creating an app profile for the app used by IBM Storage Protect for Cloud Salesforce requires consent of a Salesforce account with the System Administrator profile or another profile with the same permissions.

    When you finish creating app profiles, you can click Finish to exit the Create app profile wizard.

    Note: According to Microsoft’s documentation on non-interactive user sign-ins, the IP address of non-interactive sign-ins performed by confidential clients (IBM Storage Protect for Cloud) doesn’t match the actual source IP of the event. Instead, the sign-in logs show the original IP used for the original token issuance, that is, the IP from which a Microsoft user signed in and consented to an app. If you create an app with delegated permissions, you must add this original IP address to your Microsoft tenant’s conditional access policies (if any). Otherwise, the apps with delegated permissions will be Invalid. After you add the original IP address to your conditional access policies, you can manually re-authorize the app profile to update its status or wait for IBM Storage Protect for Cloud to automatically update its status.
  4. After you create app profiles for the following apps, you need to go to Microsoft Entra admin center (or Microsoft Azure portal) to assign roles to the apps:
    • If an app will be used to manage Exchange mailboxes and settings / Security and distribution group objects / Microsoft Defender settings, you need to assign the Exchange Administrator role to the app. For additional details on assigning the role, refer to How to Assign the Exchange Administrator Role to an App?
    Note: You do not need any permissions or Microsoft licenses other than those listed in this guide.
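
The note in step 3 on non-interactive sign-ins can be checked against exported sign-in logs. The following is an added example, not part of the IBM documentation: it lists the recorded IPs of one app's non-interactive sign-ins that no conditional access trusted range covers. The records, the app name "Example Delegated App" and the ranges are constructed, and the record keys are assumed to follow Microsoft Graph signIn field names.

```python
import ipaddress

# Constructed sample data: placeholder app name and documentation-range addresses.
FIELDS = ("createdDateTime", "appDisplayName", "ipAddress",
          "signInEventTypes", "conditionalAccessStatus")
APP = "Example Delegated App"
ROWS = [
    # Interactive consent by the administrator: this IP is the "original IP".
    ("2024-05-01T08:00:00Z", APP, "198.51.100.24", ["interactiveUser"], "success"),
    # Later non-interactive sign-ins are still logged with the consent IP.
    ("2024-05-01T09:15:00Z", APP, "198.51.100.24", ["nonInteractiveUser"], "failure"),
    ("2024-05-01T10:15:00Z", APP, "198.51.100.24", ["nonInteractiveUser"], "failure"),
    # Consent IP that a trusted range already covers.
    ("2024-05-02T07:00:00Z", APP, "203.0.113.7", ["nonInteractiveUser"], "success"),
    # IPv6 consent IP outside the trusted IPv6 range.
    ("2024-05-02T07:30:00Z", APP, "2001:db8:20::5", ["nonInteractiveUser"], "failure"),
    # Another app and a record without an address: both must be ignored.
    ("2024-05-02T08:00:00Z", "Unrelated App", "192.0.2.9", ["nonInteractiveUser"], "failure"),
    ("2024-05-02T09:00:00Z", APP, "", ["nonInteractiveUser"], "failure"),
]
SAMPLE_SIGNINS = [dict(zip(FIELDS, row)) for row in ROWS]

# Assumed trusted ranges from the tenant's conditional access policies (constructed).
TRUSTED_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]


def uncovered_consent_ips(signins, app_name, trusted_ranges):
    """Map each uncovered host range to the timestamps of the sign-ins that used it."""
    networks = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings = {}
    for rec in signins:
        if rec.get("appDisplayName") != app_name:
            continue
        if "nonInteractiveUser" not in rec.get("signInEventTypes", []):
            continue
        try:
            ip = ipaddress.ip_address(rec.get("ipAddress", ""))
        except ValueError:
            continue  # blank or malformed address in the export
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        if any(ip in net for net in networks):
            continue
        host_range = f"{ip}/{ip.max_prefixlen}"  # /32 or /128 entry to review
        findings.setdefault(host_range, []).append(rec["createdDateTime"])
    return findings


if __name__ == "__main__":
    for rng, times in uncovered_consent_ips(SAMPLE_SIGNINS, APP, TRUSTED_RANGES).items():
        print(f"{rng}: {len(times)} non-interactive sign-in(s), first at {times[0]}")
```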