Azure VM Configuration



Welcome to the latest SEP sesam documentation version 5.2.0 Artemis. For previous documentation versions, check the documentation archive.



Overview


Using SEP sesam for Azure VM backups helps reduce operational complexity and cloud costs while ensuring robust data protection. It provides a consistent backup strategy for complex environments that involve diverse platforms and solutions.

SEP sesam provides reliable backup and restore capabilities for Azure Virtual Machines (VMs), flexible storage options using local or cloud-based storage, and advanced threat protection through the Si3 deduplication store. By utilizing Azure snapshot technology to capture application-consistent snapshots of VM disks, SEP sesam creates point-in-time backups of VMs, including the operating system, system state, and all attached disks, without requiring downtime.

Additionally, SEP sesam’s monitoring and reporting capabilities provide valuable insights into backup status and overall system performance, enabling efficient backup management and troubleshooting.

Prerequisites

Configuring Azure VM environment for backup with SEP sesam

In Azure VM environments, Virtual Machines (VMs) are organized in a Resource Group under a Subscription. When the Azure VM environment is configured for backup with SEP sesam, the SEP sesam integration with Azure VM automatically creates a storage account and a blob container. When the backup is started, SEP sesam accesses the VMs to initiate the creation of snapshots that are temporarily stored in the Azure blob storage container. The snapshots are then backed up to the selected SEP sesam storage, either local or cloud-based. Once the backup is successfully completed, SEP sesam deletes the temporary snapshots from the blob storage to optimize storage efficiency and reduce costs.

To prepare and configure your Azure VM environment for backup with SEP sesam, you need to perform the following steps:

  1. Create Azure application identity for SEP sesam.
  2. Enable access to Azure resources for SEP sesam.
  3. Register Azure subscription to use the Azure namespaces.

Create Azure application identity for SEP sesam

To enable SEP sesam to access the Azure VM resources, you need to create a service principal identity. This is an application identity that allows automated task execution in Azure without the need to use a user's personal credentials.

  1. Log in to the Microsoft Azure portal (https://portal.azure.com/) and start the Azure Cloud Shell (Azure CLI).
  2. Create an application identity in Azure Active Directory with the following command:
    az ad app create --display-name <app display name> --query appId -o tsv

    Expected output: <app ID>

    For example:

    sepsesam [ ~ ]$ az ad app create --display-name AppRegSEPsesamAzBackup --query appId -o tsv
    
    4m3r160-1497-73rr4n0v4-M4g3l14n
  3. Create a new service principal identity in Azure AD for SEP sesam with the following command:
    az ad sp create --id <app ID> --query id -o tsv

    Expected output: <service principal ID>

    For example:

    sepsesam [ ~ ]$ az ad sp create --id 4m3r160-1497-73rr4n0v4-M4g3l14n --query id -o tsv
    
    1e71db65-9d37-4a89-8326-5b62c9e3b0fa
  4. Create a client secret, valid for a set number of years, and generate a password with the following command:
    az ad app credential reset --id <app ID> --years <number> --display-name "<secret display name>"

    The expected output of this command includes credentials that must be saved securely for use in SEP sesam when adding the Azure VM as a client to the SEP sesam environment.

    For example:

    sepsesam [ ~ ]$ az ad app credential reset --id 4m3r160-1497-73rr4n0v4-M4g3l14n --years 10 --display-name "secret-10years"
    
    {
      "appId": "4m3r160-1497-73rr4n0v4-M4g3l14n",
      "password": "M9-n4m3~15_n30",
      "tenant": "54n7aM4r14-12oct-1492-242-20m1506a54"
    }

Enable access to Azure resources for SEP sesam

To enable SEP sesam to access the Azure resources and the blob containers in a storage account, you need to assign the required roles to the SEP sesam application identity at the scope of your Azure subscription:

  • The Contributor role allows managing resources in the specified scope, but does not allow managing access to those resources.
  • The Storage Blob Data Contributor role gives SEP sesam access to the Azure blob containers in a storage account.


  1. Use the following command to list the accounts:
    az account list --output table

    For example:

    sepsesam [ ~ ]$ az account list --output table
    
    Name                CloudName    SubscriptionId             TenantId                              State    IsDefault
    ------------------  -----------  -------------------------  ------------------------------------  -------  ---------
    Azure subscription  AzureCloud   w31c0m3-70-7h3-r341-w0r1d  54n7aM4r14-12oct-1492-242-20m1506a54  Enabled  True
  2. Assign the roles Contributor and Storage Blob Data Contributor to the application separately, at the scope of your Azure subscription, with the following commands:
    az role assignment create --assignee <app ID> --role "Contributor" --scope <resource scope>
    az role assignment create --assignee <app ID> --role "Storage Blob Data Contributor" --scope <resource scope>

    The <resource scope> defines your Azure subscription in the format /subscriptions/<subscription ID>.

    Expected output (when --query "scope" -o tsv is appended, as in the examples below): <resource scope>

    Example command:

    sepsesam [ ~ ]$ az role assignment create --assignee 4m3r160-1497-73rr4n0v4-M4g3l14n --role "Contributor" --scope /subscriptions/w31c0m3-70-7h3-r341-w0r1d --query "scope" -o tsv
    
    /subscriptions/w31c0m3-70-7h3-r341-w0r1d

    Example command:

    sepsesam [ ~ ]$ az role assignment create --assignee 4m3r160-1497-73rr4n0v4-M4g3l14n --role "Storage Blob Data Contributor" --scope /subscriptions/w31c0m3-70-7h3-r341-w0r1d --query "scope" -o tsv
    
    /subscriptions/w31c0m3-70-7h3-r341-w0r1d
Note
You can restrict role assignment to a specific resource group by setting the appropriate scope. However, ensure that all relevant resource groups are included. For example, a virtual network (VNet) might reside in a different group (e.g., wm). To avoid missing permissions, it’s essential to identify and account for all related dependencies. If multiple resource groups are involved, you must assign roles to each one individually.

In such cases, the <resource scope> would be defined as:

--scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>
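
The note above means two role assignments per resource group. The following sketch is an added example, not part of the SEP sesam documentation or product: it builds the resource-group scope and prints (or, with DRY_RUN=0, runs) both assignments for every group listed. The function names, DRY_RUN and the group names rg-vms and rg-network are assumptions made for illustration.

```sh
# Added example (not SEP sesam code). The function names and DRY_RUN are
# assumptions of this sketch; IDs and group names are supplied by the caller.

# rg_scope <subscription ID> <resource group>
# Prints the scope string. The character check is deliberately stricter than
# Azure's own naming rules so that nothing but a plain name lands in the scope.
rg_scope() {
  case "$2" in
    "" | *[!A-Za-z0-9._-]*)
      echo "refusing resource group name: '$2'" >&2
      return 1 ;;
  esac
  printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"
}

# assign_roles <app ID> <subscription ID> <resource group>...
# Assigns both roles the page requires on every listed group. With DRY_RUN=1
# (the default) it only prints the az commands so they can be reviewed first.
assign_roles() {
  app_id="$1"; sub_id="$2"; shift 2
  # Validate every name before the first assignment is made.
  for rg in "$@"; do
    rg_scope "$sub_id" "$rg" >/dev/null || return 1
  done
  for rg in "$@"; do
    scope=$(rg_scope "$sub_id" "$rg")
    for role in "Contributor" "Storage Blob Data Contributor"; do
      if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' \
          "$app_id" "$role" "$scope"
      else
        az role assignment create --assignee "$app_id" --role "$role" \
          --scope "$scope" --query scope -o tsv || return 1
      fi
    done
  done
}

# Review first, then apply (rg-vms and rg-network are constructed names):
#   assign_roles "<app ID>" "<subscription ID>" rg-vms rg-network
#   DRY_RUN=0 assign_roles "<app ID>" "<subscription ID>" rg-vms rg-network
```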

Register Azure subscription to use the Azure namespaces

By default, your Azure subscription is not registered to use the Azure namespaces and must be registered manually. You need to register it for the following namespaces:

  • Microsoft.Compute
  • Microsoft.Network
  • Microsoft.Storage
  • Microsoft.ContainerRegistry
  • Microsoft.ContainerInstance


  1. Register your subscription for each of the Azure namespaces separately with the following command:
    az provider register --namespace <Azure namespace> --subscription "<subscription ID>"

    For example:

    sepsesam [ ~ ]$ az provider register --namespace Microsoft.Compute --subscription "w31c0m3-70-7h3-r341-w0r1d"
    sepsesam [ ~ ]$ az provider register --namespace Microsoft.Network --subscription "w31c0m3-70-7h3-r341-w0r1d"
    sepsesam [ ~ ]$ az provider register --namespace Microsoft.Storage --subscription "w31c0m3-70-7h3-r341-w0r1d"
    sepsesam [ ~ ]$ az provider register --namespace Microsoft.ContainerRegistry --subscription "w31c0m3-70-7h3-r341-w0r1d"
    sepsesam [ ~ ]$ az provider register --namespace Microsoft.ContainerInstance --subscription "w31c0m3-70-7h3-r341-w0r1d"
  2. Check the status of the registration for a namespace with the following command:
    az provider show --namespace <Azure namespace> --subscription "<subscription ID>" --query "registrationState"

    For example:

    sepsesam [ ~ ]$ az provider show --namespace Microsoft.Compute --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
    sepsesam [ ~ ]$ az provider show --namespace Microsoft.Network --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
    sepsesam [ ~ ]$ az provider show --namespace Microsoft.Storage --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
    sepsesam [ ~ ]$ az provider show --namespace Microsoft.ContainerRegistry --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
    sepsesam [ ~ ]$ az provider show --namespace Microsoft.ContainerInstance --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
    If the subscription is successfully registered, the output for each namespace is "Registered".
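
Registration is asynchronous, so a namespace can still be in a state other than "Registered" right after step 1. The following sketch is an added example, not part of the SEP sesam documentation: it registers the five namespaces listed above and polls until none is pending. The function names, the retry count, the 15-second interval and SAMPLE_STATES are assumptions made for illustration.

```sh
# Added example (not SEP sesam code). Function names, retry count and the
# polling interval are assumptions; the namespaces are the five listed above.
SESAM_NAMESPACES="Microsoft.Compute Microsoft.Network Microsoft.Storage
Microsoft.ContainerRegistry Microsoft.ContainerInstance"

# pending_namespaces: reads "<namespace> <state>" lines on stdin and prints
# every required namespace whose state is not Registered. A namespace that is
# absent from the input is reported as Unknown.
pending_namespaces() {
  input=$(cat)
  for ns in $SESAM_NAMESPACES; do
    state=$(printf '%s\n' "$input" |
      awk -v ns="$ns" '$1 == ns { print $2 }' | tail -n 1)
    [ "$state" = "Registered" ] || printf '%s %s\n' "$ns" "${state:-Unknown}"
  done
}

# collect_states <subscription ID>: one "<namespace> <state>" line per
# namespace, queried live (requires az and a logged-in session).
collect_states() {
  for ns in $SESAM_NAMESPACES; do
    printf '%s %s\n' "$ns" "$(az provider show --namespace "$ns" \
      --subscription "$1" --query registrationState -o tsv)"
  done
}

# register_and_wait <subscription ID> [attempts]: registers every namespace,
# then polls until nothing is pending or the attempts are used up.
register_and_wait() {
  sub_id="$1"; tries="${2:-20}"
  for ns in $SESAM_NAMESPACES; do
    az provider register --namespace "$ns" --subscription "$sub_id" || return 1
  done
  while [ "$tries" -gt 0 ]; do
    pending=$(collect_states "$sub_id" | pending_namespaces)
    [ -z "$pending" ] && return 0
    sleep 15; tries=$((tries - 1))
  done
  printf 'still not registered:\n%s\n' "$pending" >&2
  return 1
}

# Constructed sample input for an offline check of pending_namespaces:
SAMPLE_STATES='Microsoft.Compute Registered
Microsoft.Network Registering
Microsoft.Storage Registered
Microsoft.ContainerRegistry NotRegistered'
#   printf '%s\n' "$SAMPLE_STATES" | pending_namespaces
```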

What's next?

Azure VM Backup

External resources

Azure Command-Line Interface (CLI) documentation


See also

Azure VM Backup, Azure VM Restore, Virtualization

Copyright © SEP GmbH (formerly SEP AG) 1999-2025. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP GmbH. When compiling and designing user documentation SEP GmbH uses great diligence and attempts to deliver accurate and correct information. However, SEP GmbH cannot issue a guarantee for the contents of this manual.