5 2 0:Azure VM Configuration
![]() |
Are you looking for an alternative for your VMware environment?
SEP supports a range of hypervisors, offering snapshot-based online backup of VMs. Click HERE to get an overview of the available SEP modules and explore supported features like CBT, Single File Restore, and more. |
Overview
Using SEP sesam for Azure VM backups helps reduce operational complexity and cloud costs while ensuring robust data protection. It provides a consistent backup strategy for complex environments that involve diverse platforms and solutions.
SEP sesam provides reliable backup and restore capabilities for Azure Virtual Machines (VMs), flexible storage options using local or cloud-based storage, and offers advanced threat protection through Si3 deduplication store. By utilizing Azure snapshot technology to capture application-consistent snapshots of VM disks, SEP sesam creates point-in-time backups of VMs, including the operating system, system state, and all attached disks, without requiring downtime.
Additionally, SEP sesam’s monitoring and reporting capabilities provide valuable insights into backup status and overall system performance, enabling efficient backup management and troubleshooting.
Prerequisites
- Check SEP sesam OS and Database Support Matrix for the list of supported OS versions.
- Azure VM license, see Licensing.
- SEP sesam Server v. 5.2.0 Artemis and a SEP sesam data mover. Except for the Azure client itself, any SEP sesam Client, RDS or Server can be used as a data mover for Azure VM backups.
- Note that only the COPY level is supported, providing a complete backup of the VM.
Configuring Azure VM environment for backup with SEP sesam
In Azure VM environments, Virtual Machines (VMs) are organized in a Resource Group under a Subscription. When the Azure VM environment is configured for backup with SEP sesam, the SEP sesam integration with Azure VM automatically creates a storage account and a blob container. When the backup is started, SEP sesam accesses the VMs to initiate the creation of snapshots that are temporarily stored in the Azure blob storage container. The snapshots are then backed up to the selected SEP sesam storage, either local or cloud-based. Once the backup is successfully completed, SEP sesam deletes the temporary snapshots from the blob storage to optimize storage efficiency and reduce costs.
To prepare and configure your Azure VM environment for backup with SEP sesam, you need to perform the following steps:
- Create Azure identity for SEP sesam.
- Register Azure subscription to use the Azure namespace.
- Enable access to Azure blob storage for SEP sesam.
Create Azure application identity for SEP sesam
To enable SEP sesam to access the Azure VM resources, you need to create the Service Principal identity. This is an application identity that allows automated task execution in Azure without the need to use a user's personal credentials.
- Start the Azure command-line (AZ CLI) and log in with the Administrator account. If you are not using the Global Administrator, make sure the user is at least a Privileged Role Administrator on subscription level. Note that if the user's permissions have been modified after login, you must log out and log in again in the Azure CLI.
- Create a new service principal and a role-based access control (RBAC) identity in Azure AD for SEP sesam with the following command:
az ad sp create-for-rbac --name <identity> --role Contributor --scopes <resource scope>
- The "Contributor" role allows managing resources in the specified scope, and does not allow managing access to the resources.
- The <resource scope> defines your Azure subscription and the specific resource group in the format /subscriptions/<subscription ID>/resourceGroups/<resource group name>
For example:
az ad sp create-for-rbac --name SEPsesamBackupServicePrincipal --role Contributor --scopes /subscriptions/w31c0m3-70-7h3-r341-w0r1d/resourceGroups/SEPsesamAzureVM
- The output of this command includes credentials that must be saved securely for use in SEP sesam when adding the Azure VM as a client to the SEP sesam environment.
Example output:
{ "appId": "4m3r160-1497-73rr4n0v4-M4g3l14n", "displayName": "SEPsesamBackupServicePrincipal", "password": "M9-n4m3~15_n30", "tenant": "54n7aM4r14-12oct-1492-242-20m1506a54" }
Register Azure subscription to use the Azure namespace
By default, your Azure subscription is not registered to use the Azure namespaces and must be registered manually:
- Select the subscription you want to register with the following command:
az account set --subscription "<subscription ID>"
For example:
az account set --subscription "w31c0m3-70-7h3-r341-w0r1d"
- Register your subscription to use the Microsoft.Compute namespace with the following command:
az provider register --namespace Microsoft.Compute --subscription "<subscription ID>"
For example:
az provider register --namespace Microsoft.Compute --subscription "w31c0m3-70-7h3-r341-w0r1d"
- Register your subscription to use the Microsoft.Network namespace with the following command:
az provider register --namespace Microsoft.Network --subscription "<subscription ID>"
For example:
az provider register --namespace Microsoft.Network --subscription "w31c0m3-70-7h3-r341-w0r1d"
You can check the status of the registration for a namespace with the following command:
az provider show --namespace Microsoft.Compute --query "registrationState" az provider show --namespace Microsoft.Network --query "registrationState"
If the subscription is successfully registered, the output for each command is "Registered".
Enable access to Azure blob storage for SEP sesam
To enable SEP sesam access to the Azure blob containers in a storage account, you need to assign the Storage Blob Data Contributor role to the SEP sesam service principal identity. For this, you must first obtain the service principal object ID.
- Use the following command to get the service principal object ID:
az ad sp list --display-name <identity>
For example:
az ad sp list --display-name SEPsesamBackupServicePrincipal
The object ID is listed in the output as "id", for example: "id": "h0w-y0u347-s0u9-1nm47r1x" - Assign the role Storage Blob Data Contributor to the SEP sesam service principal identity with the following command:
az role assignment create --assignee-object-id <object ID> --role "Storage Blob Data Contributor" --scope <resource scope>
For example:
az role assignment create --assignee-object-id h0w-y0u347-s0u9-1nm47r1x --role "Storage Blob Data Contributor" --scope /subscriptions/w31c0m3-70-7h3-r341-w0r1d/resourceGroups/SEPsesamAzureVM
What's next?
External resources
Azure Command-Line Interface (CLI) documentation
See also
Azure VM Backup – Azure VM Restore – Virtualization