TenuVault
Skip to main content
30 min read

TenuVault Onboarding Guide

This comprehensive guide walks you through setting up TenuVault Cloud Portal with YOUR Azure resources for enterprise-grade Intune backup management. TenuVault Portal is a secure SaaS solution that orchestrates backups while keeping all your data in YOUR Azure tenant. By the end of this guide, you'll have a fully functional backup system protecting your Intune configurations with complete data sovereignty.

Architecture Overview

How TenuVault Works:

  • TenuVault Portal: Secure SaaS solution (portal.tenuvault.com) - no infrastructure for you to manage
  • Your Storage Account: All backup data stored in YOUR Azure Storage Account
  • Your Automation Account: Backup jobs run in YOUR Azure Automation Account
  • Your App Registration: Authentication using YOUR Azure AD App Registration
  • Complete Data Sovereignty: No data ever leaves your Azure environment

    Table of Contents

  • Pre-Deployment Checklist
  • Step 1: Create Azure AD App Registration
  • Step 2: Deploy Azure Resources
  • Step 3: Configure Storage Account
  • Step 4: Setup Automation Account
  • Step 5: Grant Required Permissions
  • Step 6: Access the Portal
  • Step 7: Add Your First Tenant
  • Step 8: Configure Backup Schedule
  • Step 9: Verify Setup
  • Post-Deployment Tasks

    Pre-Deployment Checklist

    Before starting deployment, ensure you have:

    Required Access

  • [ ] Azure subscription with Owner or Contributor role
  • [ ] Azure AD Global Administrator or Application Administrator role
  • [ ] Microsoft Intune Service Administrator access
  • [ ] Permission to create resources in your Azure subscription

    Information to Gather

  • [ ] Azure subscription ID
  • [ ] Preferred Azure region for deployment
  • [ ] Resource naming convention for your organization
  • [ ] Backup frequency requirements
  • [ ] List of Intune tenants to backup (if multiple)

    Technical Requirements

  • [ ] Modern web browser (Chrome, Edge, Firefox, Safari)
  • [ ] Access to Azure Portal (portal.azure.com)
  • [ ] Access to Azure AD Portal (aad.portal.azure.com)
  • [ ] PowerShell 7.0+ (for manual configuration if needed)

    Budget Approval

  • [ ] Estimated monthly cost: $5-15 (varies by backup frequency and data volume)
  • [ ] Storage costs: ~$0.02 per GB per month
  • [ ] Automation costs: ~$0.002 per job execution

    Step 1: Create Azure AD App Registration

    The app registration allows TenuVault to authenticate and access your Intune data securely.

    1.1 Navigate to Azure AD

  1. 1Open Azure Portal
  2. 1Search for "Azure Active Directory" in the top search bar
  3. 1Click on Azure Active Directory from the results

    1.2 Create New App Registration

  4. 1In the left menu, click App registrations
  5. 1Click + New registration at the top
  6. 1Fill in the registration details:
- Name: Example: TenuVault-Backup-Service (you can choose any descriptive name) - Supported account types: Select "Accounts in this organizational directory only" - Redirect URI: Leave blank for now
  1. 1Click Register

    1.3 Record Important Information

After registration, you'll see the overview page. Record these values:
  • Application (client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Directory (tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    > Important: Save these IDs in a secure location. You'll need them during portal configuration.

    1.4 Create Client Secret

  1. 1In the left menu, click Certificates & secrets
  2. 1Click + New client secret
  3. 1Add a description: Example: TenuVault-Portal-Secret (any descriptive name)
  4. 1Select expiration: 24 months (recommended)
  5. 1Click Add
  6. 1IMMEDIATELY copy the secret value - it won't be shown again!
- Secret Value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

> Security Note: Store this secret securely. Consider using Azure Key Vault for production deployments.

1.5 Configure API Permissions

  1. 1In the left menu, click API permissions
  2. 1Click + Add a permission
  3. 1Select Microsoft Graph
  4. 1Choose Application permissions
  5. 1Search and add these permissions:
- DeviceManagementApps.ReadWrite.All - DeviceManagementConfiguration.ReadWrite.All - DeviceManagementServiceConfig.ReadWrite.All

6. Click Add permissions

  1. 1Click Grant admin consent for [Your Organization]
  2. 1Confirm by clicking Yes

    > Note: Admin consent is required for these permissions to work. The status should show a green checkmark after granting consent.

    > Why ReadWrite Permissions?: While TenuVault primarily performs backup operations (read), the ReadWrite permissions are required for the restore functionality. This allows you to revert policies to previous versions when needed. TenuVault never modifies your configurations without explicit user action.

    Step 2: Deploy Azure Resources in YOUR Tenant

    Now we'll deploy the required Azure resources (Storage Account and Automation Account) in YOUR Azure subscription. These resources remain fully under your control.

    2.1 Access the Deployment Template

  3. 1Navigate to the TenuVault website
  4. 1Click the Deploy to Azure button
  5. 1You'll be redirected to the Azure Portal with the template loaded

    2.2 Configure Deployment Parameters

    Fill in the deployment parameters:

    Basics

  • Subscription: Select your Azure subscription
  • Resource group: Create new → Example: rg-tenuvault-prod (choose your own naming convention)
  • Region: Select your preferred region (e.g., East US)

    Azure Resource Configuration

  • Storage Account Name: Example: sttenuvault2024 (3-24 chars, lowercase, no spaces - choose your own unique name in YOUR subscription)
  • Automation Account Name: Example: aa-tenuvault-prod (customize as needed for YOUR environment)

    App Registration Details

  • Client ID: Paste the Application ID from Step 1.3
  • Client Secret: Paste the secret value from Step 1.4
  • Tenant ID: Paste the Directory ID from Step 1.3

    Networking

  • Enable Private Endpoints: No (for initial setup)
  • Allowed IP Ranges: Leave empty (configure later if needed)

    2.3 Review and Deploy

  1. 1Click Review + create
  2. 1Review all settings carefully
  3. 1Click Create
  4. 1Deployment will take 10-15 minutes

    > Tip: Click on "Deployment in progress" to monitor the deployment status and see which resources are being created.

    2.4 Deployment Outputs

Once complete, go to Outputs tab and note:
  • Storage Account Name: You'll need this for portal configuration
  • Automation Account Name: You'll need this for portal configuration
  • Resource Group Name: Where your resources are deployed

    Step 3: Configure Storage Account

    The storage account holds all your Intune backups. Let's configure it properly.

    3.1 Navigate to Storage Account

  1. 1In Azure Portal, search for your storage account name
  2. 1Click on the storage account from the results

    3.2 Create Containers

  3. 1In the left menu, click Containers
  4. 1Create the following containers:

    Container 1: intune-backups

  • Click + Container
  • Name: intune-backups
  • Public access level: Private
  • Click Create

    Container 2: tenant-metadata

  • Click + Container
  • Name: tenant-metadata
  • Public access level: Private
  • Click Create

    Container 3: drift-reports

  • Click + Container
  • Name: drift-reports
  • Public access level: Private
  • Click Create

    3.3 Configure Lifecycle Management

  1. 1In the left menu, click Lifecycle management
  2. 1Click + Add a rule
  3. 1Configure the rule:
- Rule name: backup-retention - Rule scope: Apply to all blobs - Blob type: Block blobs - Blob subtype: Base blobs

4. Add conditions: - If*: Base blobs were last modified more than *90 days ago - Then: Move to cool tier - If*: Base blobs were last modified more than *365 days ago - Then: Move to archive tier

5. Click Add

> Cost Optimization: Adjust retention periods based on your compliance requirements. Archive tier is very cheap but has retrieval delays.

3.4 Enable Versioning

  1. 1In the left menu, click Data protection
  2. 1Under Tracking, enable:
- Enable versioning for blobs - Keep all versions
  1. 1Click Save

    Step 4: Setup Automation Account

    The Automation Account runs scheduled PowerShell scripts to perform backups.

    4.1 Navigate to Automation Account

  2. 1Search for your Automation Account in Azure Portal
  3. 1Click on the automation account

    4.2 Import PowerShell Modules

  4. 1In the left menu, click Modules gallery
  5. 1Search and import these modules:
- Microsoft.Graph.Authentication (latest version) - Microsoft.Graph.DeviceManagement (latest version) - Microsoft.Graph.Identity.DirectoryManagement (latest version) - Az.Storage (latest version)

3. For each module: - Click on the module name - Click Import - Select Runtime version: 7.2 - Click Import - Wait for import to complete (shows "Available")

> Note: Module import can take 5-10 minutes per module. You can continue with other steps while modules import.

4.3 Create Runbook

  1. 1In the left menu, click Runbooks
  2. 1Click + Create a runbook
  3. 1Configure the runbook:
- Name: Backup-IntuneConfiguration - Runbook type: PowerShell - Runtime version: 7.2 - Description: Automated Intune configuration backup
  1. 1Click Create

    4.4 Edit Runbook Code

  2. 1Click on the created runbook
  3. 1Click Edit
  4. 1The TenuVault portal will automatically inject the runbook code
  5. 1Click Save
  6. 1Click Publish* → *Yes

    > Note: The runbook code is managed by the portal and will be automatically updated when you configure tenants.

    4.5 Configure Managed Identity

  7. 1In the left menu, click Identity
  8. 1Under System assigned*, toggle **Status** to *On
  9. 1Click Save
  10. 1Note the Object ID for permission assignment

    Step 5: Grant Required Permissions

    Now we need to grant the Automation Account access to storage and Graph API.

    5.1 Grant Storage Permissions

  11. 1Navigate to your Storage Account
  12. 1Click Access control (IAM)
  13. 1Click + Add* → *Add role assignment
  14. 1Select role: Storage Blob Data Contributor
  15. 1Click Next
  16. 1Assign access to: Managed identity
  17. 1Click + Select members
  18. 1Search for your Automation Account name
  19. 1Select it and click Select
  20. 1Click Review + assign

    5.2 Configure Graph API Permissions

This was completed in Step 1.5 when you granted admin consent.

Step 6: Access the TenuVault Cloud Portal

Time to access the TenuVault Cloud Portal and connect it to YOUR Azure resources!

6.1 Navigate to Portal

  1. 1Open your browser
  2. 1Navigate to: https://portal.tenuvault.com
  3. 1You'll be redirected to Azure AD login for authentication

    6.2 Sign In

  4. 1Enter your Azure AD credentials
  5. 1Accept any permission prompts
  6. 1Complete MFA if required

    6.3 Initial Setup Wizard

On first login, you'll see the setup wizard:

1. Welcome Screen*: Click *Get Started

  1. 1Verify Connections:
- Azure AD Authentication - Storage Account Access - Automation Account Connected - Automation Account Connected
  1. 1Configure Defaults:
- Default backup frequency: Daily - Default retention: 90 days - Email notifications: Enter your email
  1. 1Click Complete Setup

    Step 7: Add Your First Tenant

    Now let's add your Intune tenant for backup.

    7.1 Navigate to Tenants

  2. 1In the portal sidebar, click Tenants
  3. 1Click + Add Tenant

    7.2 Configure Tenant Details

Fill in the tenant information:

Basic Information

  • Tenant Name: Your organization name
  • Tenant ID: Your Azure AD tenant ID
  • Description: Optional description

    Authentication

  • Use Managed Identity: Yes (recommended)
  • Or provide separate credentials if different tenant

    Backup Configuration

  • Include Device Configurations: Yes
  • Include Compliance Policies: Yes
  • Include App Protection Policies: Yes
  • Include Conditional Access: Yes
  • Include Autopilot Profiles: Yes
  • Include All Other Policies: Yes

    7.3 Test Connection

  1. 1Click Test Connection
  2. 1Wait for validation:
- Authentication successful - Graph API access verified - Intune data readable
  1. 1Click Save Tenant

    Step 8: Configure Backup Schedule

    Let's set up automated backups for your tenant.

    8.1 Navigate to Schedules

  2. 1Click on your tenant name
  3. 1Go to Backup Schedule tab

    8.2 Create Schedule

  4. 1Click + New Schedule
  5. 1Configure schedule settings:

    Schedule Type

  • Frequency: Daily
  • Time: 2:00 AM (your timezone)
  • Days: All days (for daily)

    Advanced Options

  • Retry on failure: Enabled
  • Max retries: 3
  • Notification on failure: Enabled
  • Notification on success: Disabled (unless needed)

    8.3 Enable Schedule

  1. 1Toggle Schedule Status* to *Enabled
  2. 1Click Save Schedule
  3. 1You'll see "Next backup in X hours"

    8.4 Manual Backup (Optional)

To test immediately:
  1. 1Click Backup Now
  2. 1Confirm by clicking Yes, start backup
  3. 1Monitor progress in the dashboard

    Step 9: Verify Setup

    Let's ensure everything is working correctly.

    9.1 Check Dashboard

  4. 1Navigate to Dashboard
  5. 1Verify you see:
- Tenant card showing "Healthy" status - Next backup countdown - Storage account connected - No error messages

9.2 Run Test Backup

  1. 1Go to Tenants → Select your tenant
  2. 1Click Backup Now
  3. 1Monitor the backup progress:
- Status changes to "In Progress" - Progress bar shows advancement - Policies being backed up are listed

9.3 Verify Backup Files

  1. 1After backup completes, go to Backup History
  2. 1You should see:
- Backup entry with timestamp - Status: Success - Number of policies backed up - File size

9.4 Check Storage Account

  1. 1In Azure Portal, navigate to your storage account
  2. 1Go to Containers* → *intune-backups
  3. 1You should see folders structured as:

   intune-backups/
   └── [tenant-id]/
       └── [date]/
           └── [timestamp]/
               ├── device-configurations.json
               ├── compliance-policies.json
               ├── app-protection-policies.json
               └── ... other backup files

9.5 Test Notifications

  1. 1Go to Settings* → *Notifications
  2. 1Click Send Test Email
  3. 1Verify you receive the test email

    Post-Deployment Tasks

    Configure Additional Security

    Enable Private Endpoints (Optional)

  4. 1For enhanced security, configure private endpoints
  5. 1This restricts access to your virtual network only
  6. 1See Azure documentation for detailed steps

    Configure IP Restrictions

  7. 1In App Service settings
  8. 1Add your office IP ranges
  9. 1Restrict portal access to known locations

    Enable Azure AD Conditional Access

  10. 1Create policy for TenuVault portal
  11. 1Require MFA for all users
  12. 1Restrict to compliant devices

    Set Up Monitoring

    Configure Alerts

  13. 1In portal Settings* → *Alerts
  14. 1Enable alerts for:
- Backup failures - Storage quota warnings - Authentication errors - Drift detection

Application Insights

  1. 1Already configured during deployment
  2. 1View metrics in Azure Portal
  3. 1Set up custom dashboards

    Documentation and Training

    Document Your Configuration

  • Record all service principal IDs
  • Document backup schedules
  • Note retention policies
  • Create runbook for disaster recovery

    Train Your Team

  • Schedule training session
  • Create internal documentation
  • Assign backup administrators
  • Establish monitoring responsibilities

    Regular Maintenance Tasks

    Weekly

  • Review backup success rate
  • Check storage consumption
  • Verify latest backups

    Monthly

  • Review drift reports
  • Update documentation
  • Check for TenuVault updates
  • Review access logs

    Quarterly

  • Test restoration process
  • Review retention policies
  • Audit user access
  • Update runbooks if needed

    Troubleshooting Common Issues

    Portal Won't Load

  • Check App Service is running
  • Verify DNS resolution
  • Check firewall rules
  • Review Application Insights logs

    Authentication Fails

  • Verify app registration permissions
  • Check admin consent was granted
  • Ensure client secret hasn't expired
  • Verify tenant ID is correct

    Backups Not Running

  • Check Automation Account runbook status
  • Verify schedule is enabled
  • Review runbook execution logs
  • Check module versions

    Storage Access Denied

  • Verify managed identity permissions
  • Check storage firewall rules
  • Ensure containers exist
  • Review storage access logs

    Next Steps

    Congratulations! Your TenuVault deployment is complete. Here's what to do next:

    1. Review Best Practices: Read our Best Practices Guide

  1. 1Explore Features: Check the User Guide for detailed feature documentation
  2. 1Configure Drift Detection: See Drift Detection Guide
  3. 1Plan Recovery Procedures: Review Backup & Recovery Guide

    Getting Support

    If you encounter issues during deployment:

    1. Check the Troubleshooting Guide

  4. 1Review Azure Portal activity logs
  5. 1Check Application Insights for errors
  6. 1Visit our GitHub repository for known issues
  7. 1Join our community Discord for help

    Remember, TenuVault is continuously improved based on community feedback. Your successful deployment contributes to making Intune backup accessible to all organizations!

    ---

    Continue to the User Guide to learn about all portal features, or jump to the Backup & Recovery Guide to understand backup operations.

Getting StartedUser Guide