Required Azure AD permissions for Commvault Metallic
How to downsize Metallic’s required permissions from the Azure AD side
Commvault Metallic is used to back up a Microsoft 365 environment, including mailboxes, OneDrive and SharePoint.
Recently I received a request to downsize the permissions of our service account user from Exchange Administrator to something more fine-grained.
I didn’t find proper documentation, which led to this article. This is how I pulled it off:
1. Install PowerShell 7.0
2. Add the Exchange Online module:
Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.1.0
3. Authenticate using your Azure AD account (with sufficient configuration permissions), not the service account whose permissions you want to downsize:
Connect-ExchangeOnline -UserPrincipalName username@domain.com
4. Create an impersonation role group with the service account you’re using to back up the mailboxes/OneDrive/SharePoint as its member:
New-RoleGroup -Name "Commvault Metallic ApplicationImpersonation" -Roles "ApplicationImpersonation" -Members "service_account@domain.com"
5. Verify the role was registered correctly:
Get-RoleGroup "Commvault Metallic ApplicationImpersonation"
Get-ManagementRoleAssignment -RoleAssignee "service_account@domain.com" -Role "ApplicationImpersonation"
6. Log in to the Azure portal, browse to Azure Active Directory > Roles and administrators > Exchange Administrator, and remove the service account.
Repeat the same for the Teams Administrator role: remove the said service account from it.
7. Still in the Azure portal, browse to App registrations and search for the app registration of Metallic. In my case, we named it Commvault Metallic. Under API permissions, add the following permissions:
8. The last step is to verify on Metallic’s side that the backup continues as before.
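
To confirm that steps 5 and 6 left the service account with nothing beyond impersonation on the Exchange Online side, the following added example (not part of the original procedure or of Commvault's documentation) classifies the account's role assignments. The function name Test-BackupAccountRoles, the allowed-role list and the sample objects are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Flags every Exchange Online role held by the backup account other than the
# role(s) it is meant to keep. Assumption: ApplicationImpersonation is the only one.
function Test-BackupAccountRoles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Assignment,
        [string[]] $AllowedRoles = @('ApplicationImpersonation')
    )
    process {
        $role = [string]$Assignment.Role
        [pscustomobject]@{
            Role       = $role
            GrantedVia = [string]$Assignment.RoleAssigneeName
            # 'Organization' means the role applies to every mailbox in the tenant.
            WriteScope = [string]$Assignment.RecipientWriteScope
            Finding    = if ($AllowedRoles -contains $role) { 'expected' } else { 'UNEXPECTED' }
        }
    }
}

# Constructed sample objects shaped like Get-ManagementRoleAssignment output,
# so the function can be tried without a tenant connection.
$sample = @(
    [pscustomobject]@{ Role = 'ApplicationImpersonation'
                       RoleAssigneeName = 'Commvault Metallic ApplicationImpersonation'
                       RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ Role = 'Mail Recipients'
                       RoleAssigneeName = 'Organization Management'
                       RecipientWriteScope = 'Organization' }
)
$report = $sample | Test-BackupAccountRoles
$report | Format-Table -AutoSize

# Live use, in the session opened with Connect-ExchangeOnline:
# $report = Get-ManagementRoleAssignment -RoleAssignee "service_account@domain.com" |
#     Test-BackupAccountRoles

$unexpected = @($report | Where-Object Finding -eq 'UNEXPECTED')
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) role assignment(s) beyond the allowed set remain."
}
```

Any row marked UNEXPECTED in the live report is a role the account still holds through another role group or a direct assignment and should be reviewed before the change is considered complete.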