SaaS

Overview

Requirement Learn More
A user with needed Entra & Azure permissions. Learn More
Deploy and configure Azure Migrate Project and Appliance. Learn More
Create a Service Principal with a client secret. Learn More
Assign necessary roles to the Service Principal. Learn More

Before a Dr Migrate SaaS instance is synced with Azure Migrate, verify the below prerequisites to ensure a smooth deployment.

Permissions Required

Ideally the user performing the following steps should have the Global Administrator role.

If this is not possible, the least privileged approach to deployment requires the following permissions:

  • Application Admin
  • Subscription Owner

More information about least privileged role assignment please see the Microsoft Learn Portal

Azure Configuration

Deploy Azure Migrate

Dr Migrate leverages the data collection capability of Azure Migrate. Ensure that you have:

  1. Deployed an Azure Migrate Project.
  2. Deployed an Azure Migrate Appliance.
  3. Connected the Azure Migrate Project and Appliance.
  4. Provided all necessary permissions to collect data.

Microsoft has robust and detailed guides on how to deploy and configure Azure Migrate here.

Review Azure Migrate Project Connectivity Method

ℹ️
Dr Migrate SaaS only supports Public Endpoint deployments of Azure Migrate. To use a Private endpoint deployment, consider using Marketplace.

Create Service Principal

Dr Migrate requires a Service Principal be created to allow the Dr Migrate server to communicate with Azure Migrate.

When creating the SPN please observe the following:

  • SPN Name - It is recommended to name the App Registration “drmigrate-spn”. All other settings can be left as default
  • Client Secret Creation - Dr Migrate requires a client secret to be created, it is recommended to set the expiry to 12 months.
ℹ️
Securely store the Client Secret value, as it is only viewable on creation and will be needed during the data sync step.

For Microsoft documentation on creating a Service Principal in Entra ID, see here

Configure Access

Best practice is to set up the Azure Migrate in a dedicated Resource Group and/or Subscription. This is not a requirement but provides a clear RBAC boundary and reduces Azure Policy conflicts.
ℹ️
Dr Migrate will ingest all Azure Migrate Projects located within the resource group the SPN has permissions to. If you do not wish to have a project ingested, ensure that the Azure Migrate project has been created in a dedicated resource group.

Assign your Service Principal, the following permissions:

Role Scope Requirement
Contributor Subscription or Resource Group where Dr Migrate and Azure Migrate will be located Mandatory
Cost Management Reader Subscription where Azure Migrate is deployed. Optional
ℹ️
If you have an Enterprise Agreement with Microsoft, and would like Dr Migrate to apply your agreed discount when providing TCO costings, the Cost Management Reader role is required

Learn More about how to assign RBAC roles here

You can now proceed to sync your data with your SaaS Instance.