Creating an Azure Service Principal for the HubStor Backup Service

Creating an Azure Service Principal for the HubStor Backup Service

This article details how to register and permission a service principal, and gather the information needed to create an Azure connection in the HubStor Backup Service.

Register an application with Azure AD and create a service principal

  1. Sign into the Azure Portal with an account with permission to register an application and assign application roles
  2. Select "Azure Active Directory"
  3. Select "App Registrations"
  4. Select "New registration"
  5. Specify a name for the application, such as "HubStor Backup App"
  6. For "Supported account types", select "Accounts in this organization directory only"
  7. Select "Register"
  8. On the "Overview" page, take note of the following IDs:
    1. Application (client) ID
    2. Directory (tenant) ID

Assign permissions to the service principal

  1. For the newly created app, select "API Permissions"
  2. The permission "Microsoft Graph, User.Read" should already be listed
  3. Select "Add a permission"
  4. Select "Azure Service Management" and select the permission "user_impersonation"
  5. Select "Add permissions"
  6. Select "Grant admin consent" and confirm.

Create a new application secret

  1. While still in the newly created app, select "Certificates & secrets"
  2. Select "New client secret"
  3. Add a description, such as "HubStor Backup App secret"
  4. Select "Never" expires
  5. Make note of the "Value" of the secret

Assign roles to the application

It is possible to assign roles to a wider scope, but the following steps are for resource groups.
  1. For each resource group containing virtual machines and disk you wish to back up, select "Access control (IAM)"
  2. Select "Role assignments"
  3. Select "Add" and "Add role assignment"
  4. Select the "Contributor" role
  5. Select the newly created app
  6. Select "Save"
Note: Premium storage accounts will require the "Owner" role instead of "Contributor"
Repeat the above steps to add the role "Storage Account Contributor" and "Storage Blob Data Contributor".
The HubStor Backup service will pick up the new permissions after 15 minutes. Restart the HubStor Backup service if you would like the permissions to take effect immediately.

    • Related Articles

    • Backup Sources for the HubStor Backup Service

      The HubStor Backup Service currently supports VMware and Hyper-V platforms. Azure VM backups will be supported in upcoming versions. Add Backup Source Wizard Launch the backup source wizard by right clicking the "All Content" node and selecting "Add ...
    • Overview of the HubStor Connector Service (HCS)

      The HCS is software that is deployed behind your firewall to provide policy-based archiving to your HubStor cloud tenant. The HCS runs on a Windows VM, uses a service account, and can be installed and configured in minutes. With the HCS installed, ...
    • Backup Policies for the HubStor Backup Service

      Backup policies allow you to define a backup schedule, control backup destinations, and retention, as well as other options. You can assign backup policies to VMs or folders to control the backup of those entities. You can assign backup policies ...
    • How to Install and Configure the HubStor Connector Service (HCS)

      If you have access to the HubStor Admin Portal, you can download the HubStor Connector Service installer by going to 'Administration' and then 'Tools & Utilities'. Step 1 -- Run the Installer Open the HCS installer file ...
    • How to Configure Authorization for the Export Service's HubStor Account

      The account used in HubStor to connect the Export Service with your HubStor tenant must have 'API' and 'Access all items' authorization. NOTE: To configure the API permission, you will need access to the HubStor Admin Portal with authorization to ...