Azure
diff --git a/‎src/DataProtection/DataProtection.Autorest/Az.DataProtection.format.ps1xml
Lines changed: 2 additions & 2 deletions b/‎src/DataProtection/DataProtection.Autorest/Az.DataProtection.format.ps1xml
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/DataProtection/DataProtection.Autorest/README.md
Lines changed: 1 addition & 1 deletion b/‎src/DataProtection/DataProtection.Autorest/README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/BackupInstance/Initialize-AzDataProtectionBackupInstance.ps1
Lines changed: 26 additions & 1 deletion b/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/BackupInstance/Initialize-AzDataProtectionBackupInstance.ps1
Lines changed: 26 additions & 1 deletion
diff --git a/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/BackupInstance/Update-AzDataProtectionBackupInstance.ps1
Lines changed: 25 additions & 0 deletions b/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/BackupInstance/Update-AzDataProtectionBackupInstance.ps1
Lines changed: 25 additions & 0 deletions
diff --git a/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/New-AzDataProtectionBackupVault.ps1
Lines changed: 1 addition & 1 deletion b/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/New-AzDataProtectionBackupVault.ps1
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/Set-AzDataProtectionMSIPermission.ps1
Lines changed: 56 additions & 21 deletions b/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/Set-AzDataProtectionMSIPermission.ps1
Lines changed: 56 additions & 21 deletions
diff --git a/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/Update-AzDataProtectionBackupVault.ps1
Lines changed: 1 addition & 1 deletion b/‎src/DataProtection/DataProtection.Autorest/custom/Cmdlets/Platform/Vault/Update-AzDataProtectionBackupVault.ps1
Lines changed: 1 addition & 1 deletion
@@ -96,9 +96,9 @@
       </TableControl>
     </View>
     <View>
-      <Name>Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api40.ErrorDetail</Name>
+      <Name>Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api50.ErrorDetail</Name>
       <ViewSelectedBy>
-        <TypeName>Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api40.ErrorDetail</TypeName>
+        <TypeName>Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api50.ErrorDetail</TypeName>
       </ViewSelectedBy>
       <TableControl>
         <TableHeaders>
 
@@ -31,7 +31,7 @@ This file contains the configuration for generating My API from the OpenAPI spec
 
 ``` yaml
 # it's the same options as command line options, just drop the double-dash!
-commit: 72f52bc8847a889488da885f40d6871a89e0470b
+commit: 4aad50a36767f7c36673f2c7982bb4055dbf5ed4
 require:
   - $(this-folder)/../../readme.azure.noprofile.md
 input-file:
 
@@ -42,7 +42,16 @@
 
         [Parameter(Mandatory=$false, HelpMessage='Backup configuration for backup. Use this parameter to configure protection for AzureKubernetesService,AzureBlob.')]
         [Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20240401.IBackupDatasourceParameters]
-        ${BackupConfiguration}
+        ${BackupConfiguration},
+
+        [Parameter(Mandatory=$false, HelpMessage='Use system assigned identity')]
+        [System.Nullable[System.Boolean]]
+        ${UseSystemAssignedIdentity},
+
+        [Parameter(Mandatory=$false, HelpMessage='User assigned identity ARM Id')]
+        [Alias('AssignUserIdentity')]
+        [System.String]
+        ${UserAssignedIdentityArmId}
     )
 
     process {
@@ -96,6 +105,22 @@
             $backupInstance.PolicyInfo.PolicyId = $PolicyId
         }
 
+        $hasUseSystemAssignedIdentity = $PSBoundParameters.Remove("UseSystemAssignedIdentity")
+        $hasUserAssignedIdentityArmId = $PSBoundParameters.Remove("UserAssignedIdentityArmId")
+        if ($hasUseSystemAssignedIdentity -or $hasUserAssignedIdentityArmId) {
+            
+            if ($hasUserAssignedIdentityArmId -and (!$hasUseSystemAssignedIdentity -or $UseSystemAssignedIdentity)) {
+                throw "UserAssignedIdentityArmId cannot be provided without UseSystemAssignedIdentity and UseSystemAssignedIdentity must be false when UserAssignedIdentityArmId is provided."
+            }
+            
+            $backupInstance.IdentityDetail = [Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20240401.IdentityDetails]::new()
+            $backupInstance.IdentityDetail.UseSystemAssignedIdentity = $UseSystemAssignedIdentity            
+
+            if ($hasUserAssignedIdentityArmId) {
+                $instance.Property.IdentityDetail.UserAssignedIdentityArmUrl = $UserAssignedIdentityArmId
+            }
+        }
+
         # secret store authentication
         if($PSBoundParameters.ContainsKey("SecretStoreURI"))
         {            
 
@@ -27,6 +27,15 @@ function Update-AzDataProtectionBackupInstance
         [System.String]
         ${PolicyId},
 
+        [Parameter(Mandatory=$false, HelpMessage='Use system assigned identity')]
+        [System.Nullable[System.Boolean]]
+        ${UseSystemAssignedIdentity},
+
+        [Parameter(Mandatory=$false, HelpMessage='User assigned identity ARM Id')]
+        [Alias('AssignUserIdentity')]
+        [System.String]
+        ${UserAssignedIdentityArmId},
+
         [Parameter(Mandatory=$false, HelpMessage='List of containers to be backed up inside the VaultStore. Use this parameter for DatasourceType AzureBlob.')]
         [System.String[]]
         ${VaultedBackupContainer},
@@ -98,6 +107,8 @@ function Update-AzDataProtectionBackupInstance
     {
         $hasPolicyId = $PSBoundParameters.Remove("PolicyId")
         $hasVaultedBackupContainer = $PSBoundParameters.Remove("VaultedBackupContainer")
+        $hasUseSystemAssignedIdentity = $PSBoundParameters.Remove("UseSystemAssignedIdentity")
+        $hasUserAssignedIdentityArmId = $PSBoundParameters.Remove("UserAssignedIdentityArmId")        
 
         $instance = Az.DataProtection\Get-AzDataProtectionBackupInstance @PSBoundParameters
 
@@ -107,6 +118,20 @@ function Update-AzDataProtectionBackupInstance
 
         $DatasourceType =  GetClientDatasourceType -ServiceDatasourceType $instance.Property.DataSourceInfo.Type 
         # $manifest = LoadManifest -DatasourceType $DatasourceType.ToString()
+
+        if ($hasUseSystemAssignedIdentity -or $hasUserAssignedIdentityArmId) {
+            
+            if ($hasUserAssignedIdentityArmId -and (!$hasUseSystemAssignedIdentity -or $UseSystemAssignedIdentity)) {
+                throw "UserAssignedIdentityArmId cannot be provided without UseSystemAssignedIdentity and UseSystemAssignedIdentity must be false when UserAssignedIdentityArmId is provided."
+            }
+            
+            $instance.Property.IdentityDetail = [Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20240401.IdentityDetails]::new()
+            $instance.Property.IdentityDetail.UseSystemAssignedIdentity = $UseSystemAssignedIdentity            
+
+            if ($hasUserAssignedIdentityArmId) {
+                $instance.Property.IdentityDetail.UserAssignedIdentityArmUrl = $UserAssignedIdentityArmId
+            }
+        }
 
         if($hasVaultedBackupContainer){
 
 
@@ -67,7 +67,7 @@
         ${Tag},
 
         [Parameter(Mandatory=$false, HelpMessage='Gets or sets the user assigned identities.')]
-        [Alias('UserAssignedIdentity')]
+        [Alias('UserAssignedIdentity', 'AssignUserIdentity')]
         [System.Collections.Hashtable]
         ${IdentityUserAssignedIdentity},
 
 
@@ -1,4 +1,32 @@
-function Set-AzDataProtectionMSIPermission {
+function Get-VaultIdentity {
+    
+    [Microsoft.Azure.PowerShell.Cmdlets.DataProtection.DoNotExportAttribute()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [System.Object] $vault,
+
+        [Parameter(Mandatory=$false)]
+        [System.String] $UserAssignedIdentityARMId
+    )
+
+    #Determine the vault MSI to be used
+    $vaultIdentity = $null
+    if ($UserAssignedIdentityARMId) {        
+        $vaultIdentity = $vault.Identity.UserAssignedIdentity[$UserAssignedIdentityARMId].PrincipalID
+        Write-Host "Using Vault UAMI with ARMId: $UserAssignedIdentityARMId with Principal ID: $vaultIdentity"
+    } else {
+        $vaultIdentity = $vault.Identity.PrincipalId
+        Write-Host "Using system-assigned identity with Principal ID: $vaultIdentity"
+    }
+
+    if (-not $vaultIdentity) {
+        throw "Vault identity could not be determined. Please check the UserAssignedIdentityARMId or the vault configuration."
+    }
+
+    return $vaultIdentity
+}
+
+function Set-AzDataProtectionMSIPermission {
     [OutputType('System.Object')]
     [CmdletBinding(PositionalBinding=$false, SupportsShouldProcess, ConfirmImpact = 'High')]
     [Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Description('Grants required permissions to the backup vault and other resources for configure backup and restore scenarios')]
@@ -46,7 +74,12 @@
 
         [Parameter(ParameterSetName="SetPermissionsForRestore", Mandatory=$false, HelpMessage='Target storage account ARM Id. Use this parameter for DatasourceType AzureDatabaseForMySQL, AzureDatabaseForPGFlexServer.')]
         [System.String]
-        ${StorageAccountARMId}
+        ${StorageAccountARMId},
+
+        [Parameter(Mandatory=$false, HelpMessage='User Assigned Identity ARM ID of the backup vault to be used for assigning permissions')]
+        [Alias('AssignUserIdentity')]
+        [System.String]
+        ${UserAssignedIdentityARMId}
     )
 
     process {
@@ -95,7 +128,8 @@
               $manifest = LoadManifest -DatasourceType $DatasourceTypeInternal.ToString()              
 
               $vault = Az.DataProtection\Get-AzDataProtectionBackupVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup -SubscriptionId $subscriptionIdInternal
-
+              $vaultIdentity = Get-VaultIdentity -vault $vault -UserAssignedIdentityARMId $UserAssignedIdentityARMId
+                            
               if(-not $manifest.supportRestoreGrantPermission){
                   $err = "Set permissions for restore is currently not supported for given DataSourceType"
                   throw $err
@@ -152,7 +186,7 @@
 
                   foreach($Permission in $manifest.snapshotRGPermissions)
                   {
-                      $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                      $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
 
                       # CSR: $SubscriptionName might be different when we add cross subscription restore
                       $CheckPermission = $AllRoles | Where-Object { ($_.Scope -eq $SnapshotResourceGroupId -or $_.Scope -eq $SubscriptionName) -and $_.RoleDefinitionName -eq $Permission}
@@ -166,7 +200,7 @@
                       {
                           $MissingRolesInitially = $true
 
-                          AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $SnapshotResourceGroupId -ResourceGroup $SnapshotResourceGroupId -Subscription $SubscriptionName
+                          AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $SnapshotResourceGroupId -ResourceGroup $SnapshotResourceGroupId -Subscription $SubscriptionName
 
                           Write-Host "Assigned $($Permission) permission to the backup vault over snapshot resource group with Id $($SnapshotResourceGroupId)"
                       }
@@ -176,7 +210,7 @@
               foreach($Permission in $manifest.datasourcePermissionsForRestore)
               {
                   # set context to the subscription where ObjectId is present
-                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
 
                   $CheckPermission = $AllRoles | Where-Object { ($_.Scope -eq $DataSourceId -or $_.Scope -eq $ResourceRG -or  $_.Scope -eq $SubscriptionName) -and $_.RoleDefinitionName -eq $Permission}
 
@@ -189,7 +223,7 @@
                   {
                       $MissingRolesInitially = $true
 
-                      AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
+                      AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
 
                       Write-Host "Assigned $($Permission) permission to the backup vault over DataSource with Id $($DataSourceId)"
                   }
@@ -198,7 +232,7 @@
               foreach($Permission in $manifest.storageAccountPermissionsForRestore)
               {
                   # set context to the subscription where ObjectId is present
-                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
 
                   $targetResourceArmId = $restoreRequest.RestoreTargetInfo.TargetDetail.TargetResourceArmId
 
@@ -237,7 +271,7 @@
                   {
                       $MissingRolesInitially = $true
 
-                      AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $storageAccId -ResourceGroup $storageAccResourceGroupId -Subscription $storageAccountSubId
+                      AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $storageAccId -ResourceGroup $storageAccResourceGroupId -Subscription $storageAccountSubId
 
                       Write-Host "Assigned $($Permission) permission to the backup vault over  storage account with Id $($storageAccId)"
                   }
@@ -255,8 +289,9 @@
               $subscriptionId = $ResourceArray[2]
 
               $vault = Az.DataProtection\Get-AzDataProtectionBackupVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup -SubscriptionId $ResourceArray[2]
-          
-              $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+              $vaultIdentity = Get-VaultIdentity -vault $vault -UserAssignedIdentityARMId $UserAssignedIdentityARMId
+              
+              $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
 
               # If more DataSourceTypes support this then we can make it manifest driven
               if($DatasourceType -eq "AzureDatabaseForPostgreSQL")
@@ -341,11 +376,11 @@
                           $KeyVault = Get-AzKeyVault -VaultName $KeyvaultName 
                           $KeyVaultAccessPolicies = $KeyVault.AccessPolicies
 
-                          $KeyVaultAccessPolicy =  $KeyVaultAccessPolicies | Where-Object {$_.ObjectID -eq $vault.Identity.PrincipalId}
+                          $KeyVaultAccessPolicy =  $KeyVaultAccessPolicies | Where-Object {$_.ObjectID -eq $vaultIdentity}
 
                           if($KeyVaultAccessPolicy -eq $null)
                           {                         
-                            Set-AzKeyVaultAccessPolicy -VaultName $KeyvaultName -ObjectId $vault.Identity.PrincipalId -PermissionsToSecrets Get,List -Confirm:$False 
+                            Set-AzKeyVaultAccessPolicy -VaultName $KeyvaultName -ObjectId $vaultIdentity -PermissionsToSecrets Get,List -Confirm:$False 
                             break
                           }
 
@@ -355,7 +390,7 @@
                           [String[]]$FinalKeyvaultAccessPolicyPermissions = $KeyvaultAccessPolicyPermissions
                           $FinalKeyvaultAccessPolicyPermissions = $FinalKeyvaultAccessPolicyPermissions | select -uniq                      
 
-                          Set-AzKeyVaultAccessPolicy -VaultName $KeyvaultName -ObjectId $vault.Identity.PrincipalId -PermissionsToSecrets $FinalKeyvaultAccessPolicyPermissions -Confirm:$False 
+                          Set-AzKeyVaultAccessPolicy -VaultName $KeyvaultName -ObjectId $vaultIdentity -PermissionsToSecrets $FinalKeyvaultAccessPolicyPermissions -Confirm:$False 
                      }
                      catch{
                          $err = $_
@@ -376,7 +411,7 @@
                       {
                           $MissingRolesInitially = $true
 
-                          AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $KeyVaultId -ResourceGroup $KeyvaultRG -Subscription $KeyvaultSubscriptionName
+                          AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $KeyVaultId -ResourceGroup $KeyvaultRG -Subscription $KeyvaultSubscriptionName
 
                           Write-Host "Assigned $($Permission) permission to the backup vault over key vault with Id $($KeyVaultId)"
                       }
@@ -435,7 +470,7 @@
                   $SnapshotResourceGroupId = $BackupInstance.Property.PolicyInfo.PolicyParameter.DataStoreParametersList[0].ResourceGroupId
 
                   # CSR: $SubscriptionName might be different when we add cross subscription restore
-                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
                   $CheckPermission = $AllRoles | Where-Object { ($_.Scope -eq $SnapshotResourceGroupId -or $_.Scope -eq $SubscriptionName)  -and $_.RoleDefinitionName -eq $Permission}
 
                   if($CheckPermission -ne $null)
@@ -447,15 +482,15 @@
                   {
                       $MissingRolesInitially = $true
 
-                      AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $SnapshotResourceGroupId -ResourceGroup $SnapshotResourceGroupId -Subscription $SubscriptionName
+                      AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $SnapshotResourceGroupId -ResourceGroup $SnapshotResourceGroupId -Subscription $SubscriptionName
 
                       Write-Host "Assigned $($Permission) permission to the backup vault over snapshot resource group with Id $($SnapshotResourceGroupId)"
                   }
               }
 
               foreach($Permission in $manifest.datasourcePermissions)
               {
-                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
                   $CheckPermission = $AllRoles | Where-Object { ($_.Scope -eq $DataSourceId -or $_.Scope -eq $ResourceRG -or  $_.Scope -eq $SubscriptionName) -and $_.RoleDefinitionName -eq $Permission}
 
                   if($CheckPermission -ne $null)
@@ -467,15 +502,15 @@
                   {
                       $MissingRolesInitially = $true
 
-                      AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $PermissionsScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
+                      AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $PermissionsScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
 
                       Write-Host "Assigned $($Permission) permission to the backup vault over DataSource with Id $($DataSourceId)"
                   }
               }
 
               foreach($Permission in $manifest.datasourceRGPermissions)
               {
-                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vault.Identity.PrincipalId
+                  $AllRoles = Az.Resources\Get-AzRoleAssignment -ObjectId $vaultIdentity
                   $CheckPermission = $AllRoles | Where-Object { ($_.Scope -eq $ResourceRG -or  $_.Scope -eq $SubscriptionName) -and $_.RoleDefinitionName -eq $Permission}
 
                   if($CheckPermission -ne $null)
@@ -493,7 +528,7 @@
                           $DatasourceRGScope = "ResourceGroup"
                       }
 
-                      AssignMissingRoles -ObjectId $vault.Identity.PrincipalId -Permission $Permission -PermissionsScope $DatasourceRGScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
+                      AssignMissingRoles -ObjectId $vaultIdentity -Permission $Permission -PermissionsScope $DatasourceRGScope -Resource $DataSourceId -ResourceGroup $ResourceRG -Subscription $SubscriptionName
 
                       Write-Host "Assigned $($Permission) permission to the backup vault over DataSource resource group with name $($ResourceRG)"
                   }
 
@@ -55,7 +55,7 @@
         ${Tag},
 
         [Parameter(ParameterSetName="UpdateExpanded",Mandatory=$false, HelpMessage='Gets or sets the user assigned identities.')]
-        [Alias('UserAssignedIdentity')]
+        [Alias('UserAssignedIdentity', 'AssignUserIdentity')]
         [System.Collections.Hashtable]
         ${IdentityUserAssignedIdentity},