To enable Microsoft Azure replication, complete the following steps:
Go to the Management > App management > App profile management tab in the AvePoint Online Services interface to create an app profile. For details, refer to Create an App Profile and Grant Consent.
Add this app to all the subscriptions where the Kubernetes Services, SQL databases, storage accounts, and VMs to protect are running and grant this app the Contributor role. For details, refer to Add to Subscription and Grant Contributor Role. This guide will only introduce the steps of adding a role to a subscription through the Microsoft Azure Portal.
If you have set an authorized IP range in Azure Kubernetes Services (AKS), add the reserved IP addresses of Cloud Backup for IaaS + PaaS to the range so that Kubernetes Service resources can be protected. For more details on authorized IP ranges, refer to this Microsoft page. For details on downloading the reserved IP addresses, refer to Download a List of Reserved IP Address.
After you have completed all the settings above, go to Replication and create replication policies. After defining the protection scope and replication schedule in a policy, you can test or run actual failover jobs when required. Note that you can click the Refresh button in the upper-right corner of the service page to retrieve the latest status for the data to protect.
For details on creating a replication policy and operating failover, refer to Replication (Private Preview).
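The authorized IP range step above can be checked before any replication job runs. The following Python is an added example, not AvePoint's or Microsoft's code: it compares a cluster's authorized ranges with the downloaded reserved addresses and reports which entries are not yet covered. It assumes the reserved list is a plain list of addresses or CIDR blocks; the function names and sample values are hypothetical and constructed for illustration.

```python
import ipaddress

def _net(entry):
    # A bare address becomes a /32 (or /128) network; host bits are tolerated.
    return ipaddress.ip_network(entry.strip(), strict=False)

def missing_from_authorized(authorized_ranges, reserved_addresses):
    """Reserved entries that no authorized range fully contains."""
    allowed = [_net(r) for r in authorized_ranges]
    missing = []
    for entry in reserved_addresses:
        net = _net(entry)
        covered = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not covered:
            missing.append(str(net))
    return missing

def merged_ranges(authorized_ranges, reserved_addresses):
    """Comma-separated list: existing ranges plus the missing reserved entries."""
    nets = [_net(x) for x in list(authorized_ranges)
            + missing_from_authorized(authorized_ranges, reserved_addresses)]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        merged += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return ",".join(str(n) for n in merged)

# Constructed sample data (documentation address ranges, not real AvePoint IPs).
# AUTHORIZED stands in for the cluster's apiServerAccessProfile.authorizedIpRanges.
AUTHORIZED = ["203.0.113.0/24", "198.51.100.17/32"]
RESERVED = ["203.0.113.45", "198.51.100.17", "192.0.2.10", "192.0.2.128/30"]

if __name__ == "__main__":
    print("Not yet authorized:", missing_from_authorized(AUTHORIZED, RESERVED))
    # Value in the form accepted by: az aks update --api-server-authorized-ip-ranges
    print("Proposed range list:", merged_ranges(AUTHORIZED, RESERVED))
```

An empty result from `missing_from_authorized` means the existing allowlist already admits every reserved address and needs no change.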
To enable replication for Microsoft Azure services and resources, you must create an app to connect to your tenant and grant consent for the permissions that this app requests.
Creating an app profile requires a Microsoft 365 Global Administrator account to consent.
Follow the steps below to create the app:
On the Management > App management page, click Create on the action bar.
In the Select services step, select Cloud Backup for IaaS + PaaS.

In the Choose setup method step, select Modern mode if you want to consent to a delegated app directly. You can also select Custom mode if you want to manually create and maintain a custom app with delegated permissions in your tenant. For details on creating a custom app with delegated permissions for Cloud Backup for IaaS + PaaS, refer to Create a Custom Azure App.
Click Next.
In the Consent to apps step for a Microsoft tenant, click Consent next to the Cloud Backup for Azure delegated app.

On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account.
On the Permissions required page, review the permissions required and click Accept to continue. This delegated app must have the following Microsoft Azure API permissions:
Access Azure Service Management as you (Preview) - Allows the application to access Azure Service Management as you.
View your basic profile - Allows the app to see your basic profile (name, picture, username).
Maintain access to data you have given it access to - Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions. For example, for Cloud Backup for IaaS + PaaS, you also need to add this app as Contributor to the subscription where the VMs you want to protect are running. The Contributor role on the subscription allows the app to access and manage resources. This permission allows Cloud Backup for IaaS + PaaS to access and manage the resources via this app.
The app profile you created will be displayed on the App management page, and the AvePoint Online Services - Delegated App will be added to your Azure enterprise applications.
After finishing the app profile creation in AvePoint Online Services, go to the Azure portal > Subscriptions. Follow the steps below to add the AvePoint Online Services - Delegated App to each subscription that contains the VMs, databases, storage accounts, and Kubernetes clusters you want to protect.
The user who will add this app to the subscription and grant it the Contributor role must be the Owner of the subscription or the User access administrator of your tenant.
On the Subscriptions page, find the list of subscriptions. You can filter the subscriptions in the list or search for subscriptions via keywords.
Click a subscription.
Click Access control (IAM) on the left pane.

On the Access control (IAM) page, click Add on the action bar and select Add role assignment from the drop-down list.
In the Add role assignment pane, go to the Privileged administrator roles tab, click Contributor or Key Vault Crypto User from the Role tab, and then click Next.
In the Members list, find the Members field, and click Select members.
In the Select members pane, enter a keyword in the Select box to search for the AvePoint Online Services - Delegated App or the custom app that you created with delegated permissions. Click the app to add it to the Selected members field and click the Select button.

Click the Review + assign button to review the role assignment and click this button again to add this app as Contributor for your subscription.
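Because Contributor at subscription scope is a broad grant, it is worth confirming afterwards that the app holds exactly what the steps above assign. The following Python is an added example, not part of the AvePoint documentation: it reads role assignments in the JSON shape produced by `az role assignment list --all -o json` and reports protected subscriptions that still lack Contributor, plus any assignment for the app that falls outside this procedure (another role, another subscription, or a non-subscription scope). The function name, IDs and sample records are hypothetical and constructed.

```python
import json
import re

# Roles the role-assignment step on this page names.
EXPECTED_ROLES = {"Contributor", "Key Vault Crypto User"}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)

def audit_app_assignments(assignments_json, app_object_id, protected_subscriptions):
    """Return (subscriptions lacking Contributor, assignments outside the procedure)."""
    protected = {s.lower() for s in protected_subscriptions}
    has_contributor, outside = set(), []
    for item in json.loads(assignments_json):
        if item["principalId"].lower() != app_object_id.lower():
            continue  # assignment belongs to another principal
        match = SUBSCRIPTION_SCOPE.match(item["scope"])
        sub = match.group(1).lower() if match else None
        role = item["roleDefinitionName"]
        if sub in protected and role in EXPECTED_ROLES:
            if role == "Contributor":
                has_contributor.add(sub)
        else:
            # Different role, unprotected subscription, or non-subscription scope
            outside.append((role, item["scope"]))
    return sorted(protected - has_contributor), outside

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields used here); every ID below is a placeholder.
APP = "00000000-0000-0000-0000-0000000000aa"
SUB_A = "00000000-0000-0000-0000-000000000001"
SUB_B = "00000000-0000-0000-0000-000000000002"
SAMPLE = json.dumps([
    {"principalId": APP, "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_A}"},
    {"principalId": APP, "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_B}"},
    {"principalId": APP, "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
    {"principalId": "00000000-0000-0000-0000-0000000000bb",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_B}"},
])

if __name__ == "__main__":
    missing, outside = audit_app_assignments(SAMPLE, APP, [SUB_A, SUB_B])
    print("Subscriptions still lacking Contributor:", missing)
    print("Assignments outside the documented procedure:", outside)
```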