Cloud Services
This article describes how to add Microsoft Azure and AWS cloud service accounts in Cayosoft Guardian for use with Forest Recovery and Recovery Sites. These accounts enable Cayosoft Guardian to deploy virtual machines, storage, and networking resources during a recovery operation.
Add an AWS account
Prerequisites
Before you add an AWS account, make sure the following requirements are met:
- An AWS IAM user with programmatic access enabled.
- The Access key ID and Secret access key for that IAM user.
- Sufficient IAM permissions for EC2, VPC, networking, and IAM role creation as required by your Cayosoft Guardian deployment.
If the same AWS account will also be used for S3-based backup storage in Cayosoft Guardian, the IAM user must additionally have permissions for S3, including bucket and object operations. Learn more: Permissions for Forest Recovery in Cayosoft Guardian.
Steps
- In the left navigation menu, go to Forest Recovery > Cloud Services.
- Click Add > AWS account to open the wizard.
- On the General page, enter the IAM user credentials in the Access key ID and Secret access key fields.
- Click Next to review the configuration on the Finish page, and then click Close.
After you close the wizard, the AWS account appears in Cloud Services and can be selected when you configure Recovery Sites for Forest Recovery.
Add a Microsoft Azure subscription
Cayosoft Guardian uses a Microsoft Entra application and a certificate credential to access the Azure subscription where recovery resources are provisioned. You can either let Guardian create the application for you, or register an existing application that you (or your Entra administrator) created in advance.
Choose one of the following paths and verify its prerequisites before starting the wizard:
Path A — Create a new application (Guardian creates the Entra application)
- You can sign in with a Microsoft Entra ID account that has permission to create app registrations and grant the required API permissions in the tenant (typically a Global Administrator or equivalent privileged role).
- The signed-in account has access to the target Azure subscription with the Contributor role (or Contributor on the resource group when you plan to use a pre-created resource group). See: Permissions for Forest Recovery in Cayosoft Guardian.
Path B — Use an existing application (customer-provided service principal)
Use this path when you cannot grant Global Administrator privileges to Guardian or you prefer to manage the Entra application and its credentials yourself.
- A single-tenant Microsoft Entra application and corresponding service principal are already registered in your tenant.
- The service principal has the Contributor role (or Contributor on the resource group used for recovery) on the target Azure subscription, and any additional roles required for backup storage (for example, Storage Blob Data Contributor). See: Permissions for Forest Recovery in Cayosoft Guardian.
- You have a certificate file that includes the private key (.pfx or .p12) configured as a credential on the application, and (if applicable) the certificate password.
- You have the Subscription ID, Application ID (client ID), and Tenant ID for the registration.
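The Path B certificate prerequisite can be checked offline before the file is uploaded. The following PowerShell is an added example, not code from Cayosoft or from the original article: it loads a .pfx or .p12 file and reports whether it contains a private key, how long it remains valid, and the thumbprint to compare with the certificate credential on the app registration. The function name, the 30-day margin, and the sample certificate and password are assumptions made for the example.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Cayosoft code. The function name is hypothetical.
function Test-RecoveryAppCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [securestring] $Password = [securestring]::new(),
        [int] $MinDaysLeft = 30          # assumed renewal margin
    )
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    # EphemeralKeySet keeps the private key in memory rather than persisting it
    # to the key store (Windows; .NET Framework 4.7.2+ or PowerShell 7).
    $cert = [X509Certificate2]::new($file, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
    try {
        $rsa      = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint      # compare with the credential on the app registration
            HasPrivateKey  = $cert.HasPrivateKey   # false when the file holds only the public certificate
            NotAfter       = $cert.NotAfter
            DaysLeft       = $daysLeft
            RsaKeyBits     = if ($rsa) { $rsa.KeySize } else { $null }
            ReadyForUpload = $cert.HasPrivateKey -and
                             $cert.NotBefore -le (Get-Date) -and
                             $daysLeft -ge $MinDaysLeft
        }
    }
    finally { $cert.Dispose() }
}

# Constructed sample input: a throwaway self-signed certificate in a temp .pfx.
$pw   = ConvertTo-SecureString 'constructed-password' -AsPlainText -Force
$key  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-guardian-app', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$self = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(90))
$tmp  = Join-Path ([IO.Path]::GetTempPath()) 'constructed-guardian-app.pfx'
[IO.File]::WriteAllBytes($tmp, $self.Export([X509ContentType]::Pfx, $pw))
try     { Test-RecoveryAppCertificate -Path $tmp -Password $pw }
finally { Remove-Item -LiteralPath $tmp }
```

For a real file, replace the constructed sample with the path to your own certificate and supply the password with `Read-Host -AsSecureString` so it does not land in command history.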
Steps
- In the left navigation menu, go to Forest Recovery > Cloud Services.
- Click Add > Azure subscription to open the Add Azure subscription wizard.
- On the Select application option page, choose how to register the Azure subscription:
  - Create a new application — Guardian creates the required Microsoft Entra application automatically.
  - Use an existing application — register the Azure subscription with an existing Microsoft Entra application and certificate.
  Click Next.
- Provide application and certificate information:
  - If you selected Create a new application, sign in when prompted and enter a name for the Entra application Guardian will create.
  - If you selected Use an existing application, on the Application and certificate details page enter the Subscription ID, Application ID, and Tenant ID, then click Upload certificate and select a certificate file that includes the private key (.pfx or .p12). If the certificate is password-protected, enter the password in Certificate password.
  Click Next.
- On the Select Azure resource subscription page, open the subscription list and choose the Azure subscription that Cayosoft Guardian will use for recovery resources (for example, Production or Microsoft Azure Sponsorship). Click Next.
  NOTE: If an authorization error appears indicating that the account or service principal cannot perform Microsoft.Authorization/roleAssignments/write, review the Azure RBAC permissions assigned to the application or sign-in account, correct them as needed, and repeat the step.
- On the Manage subscription page, review the subscription details and complete the configuration. Click Close.
After you close the wizard, the subscription appears in Cloud Services and is available for use when configuring Recovery Sites. The final wizard step list is: Select application option > Enter application and certificate details > Select Azure resource subscription > Manage subscription.
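The NOTE in the steps above names the action Microsoft.Authorization/roleAssignments/write. As an added example (not from the Cayosoft documentation), this PowerShell function evaluates a role's Actions and NotActions against that action, which is the review the NOTE asks for. The function name is hypothetical, and the three role objects are constructed, abbreviated copies of Azure built-in role definitions; with the Az module installed, the live definitions come from `Get-AzRoleDefinition`.

```powershell
# Added example, not Cayosoft code. Evaluates one RBAC action against a role
# definition: granted when an Actions pattern matches and no NotActions pattern does.
function Test-RoleGrantsAction {
    param(
        [Parameter(Mandatory)] $Role,            # object with Actions and NotActions arrays
        [Parameter(Mandatory)] [string] $Action
    )
    # -like is case-insensitive and treats * as a wildcard, as RBAC patterns do.
    $allowed  = @($Role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

# Constructed sample data, abbreviated from the built-in role definitions.
$roles = @(
    [pscustomobject]@{
        Name       = 'Contributor'
        Actions    = @('*')
        NotActions = @('Microsoft.Authorization/*/Delete',
                       'Microsoft.Authorization/*/Write',
                       'Microsoft.Authorization/elevateAccess/Action')
    }
    [pscustomobject]@{
        Name       = 'User Access Administrator'
        Actions    = @('*/read', 'Microsoft.Authorization/*', 'Microsoft.Support/*')
        NotActions = @()
    }
    [pscustomobject]@{ Name = 'Owner'; Actions = @('*'); NotActions = @() }
)

$needed = 'Microsoft.Authorization/roleAssignments/write'
$roles | Select-Object Name,
    @{ Name = 'GrantsRoleAssignmentWrite'
       Expression = { Test-RoleGrantsAction -Role $_ -Action $needed } }
```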