Installation Guide

Welcome to the installation guide for AZExecute. Follow these steps to get started with setting up your environment.


Step 1: Log in with an Azure Account

To begin using AZExecute, log in with your Azure Account. It is recommended to use an account with Global Admin permissions to ensure a smooth setup process.

Step 2: Consent to Service Principals

The next step is to consent to the various service principals required by AZExecute. This action will grant AZExecute access to your Azure tenant. Global Admin permissions are necessary to consent to these principals.

Navigate to the 'System' section and check the status of each required service principal. If consent is required, you will see options to 'Re-Consent' or 'Check'.


Below is a summary of the permissions required by the main service principal.

Note that all permissions are of the 'Delegated' type, meaning they are granted within the context of the logged-in user.

API / Permissions Name | Type | Description
Azure DevOps - user_impersonation | Delegated | Have full access to Visual Studio Team Services REST APIs
Azure Key Vault - user_impersonation | Delegated | Have full access to the Azure Key Vault service
Azure Service Management - user_impersonation | Delegated | Access Azure Service Management as organization users
Microsoft Graph - Application.ReadWrite.All | Delegated | Read and write all applications
Microsoft Graph - Directory.AccessAsUser.All | Delegated | Access directory as the signed in user
Microsoft Graph - email | Delegated | View users' email address
Microsoft Graph - offline_access | Delegated | Maintain access to data you have given it access to
Microsoft Graph - openid | Delegated | Sign users in
Microsoft Graph - profile | Delegated | View users' basic profile
Microsoft Graph - RoleManagement.Read.Directory | Delegated | Read directory RBAC settings
Microsoft Graph - User.Read | Delegated | Sign in and read user profile
Microsoft Graph - User.ReadBasic.All | Delegated | Read all users' basic profiles

Below is a summary of the permissions required by the application service principal.

Note that all permissions are of the 'Application' type, meaning they are used for the background task to update secrets in the tenant.

API / Permissions Name | Type | Description
Microsoft Graph - Application.Read.All | Application | Read all applications
Microsoft Graph - Application.ReadWrite.OwnedBy | Application | Manage apps that this app creates or owns
Microsoft Graph - User.ReadBasic.All | Application | Read all users' basic profiles

Below is a summary of the permissions required by the automation service principal.

Note that the openid permission is granted only because consent must be given to something. This is a least-privilege approach.

API / Permissions Name | Type | Description
Microsoft Graph - openid | Delegated | Sign users in

Below is a summary of the permissions required by the VM service principal.

Note that the openid permission is granted only because consent must be given to something. This is a least-privilege approach.

API / Permissions Name | Type | Description
Microsoft Graph - openid | Delegated | Sign users in
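
To confirm after consent that the delegated scopes actually granted match the tables above, the following added example (not AZExecute code) compares oauth2PermissionGrant objects, in the shape Microsoft Graph returns them, against the documented list. The labels "main", "automation" and "vm", the object IDs and the sample grants are assumptions constructed for illustration.

```python
# Delegated scopes documented in this guide, keyed by service principal and API.
# The keys "main", "automation" and "vm" are labels chosen for this example.
DOCUMENTED = {
    "main": {
        "Azure DevOps": {"user_impersonation"},
        "Azure Key Vault": {"user_impersonation"},
        "Azure Service Management": {"user_impersonation"},
        "Microsoft Graph": {
            "Application.ReadWrite.All", "Directory.AccessAsUser.All", "email",
            "offline_access", "openid", "profile",
            "RoleManagement.Read.Directory", "User.Read", "User.ReadBasic.All",
        },
    },
    "automation": {"Microsoft Graph": {"openid"}},
    "vm": {"Microsoft Graph": {"openid"}},
}

def audit_grants(principal, grants, resource_names):
    """Return (unexpected, missing) as sorted lists of (api, scope) pairs.
    grants: oauth2PermissionGrant objects for one client service principal.
    resource_names: resourceId -> API display name, looked up separately."""
    granted = {}
    for g in grants:
        api = resource_names.get(g["resourceId"], "unknown:" + g["resourceId"])
        # 'scope' is one space-separated string; several grants can exist per API.
        granted.setdefault(api, set()).update(g.get("scope", "").split())
    expected = DOCUMENTED[principal]
    unexpected = sorted((a, s) for a, ss in granted.items()
                        for s in ss - expected.get(a, set()))
    missing = sorted((a, s) for a, ss in expected.items()
                     for s in ss - granted.get(a, set()))
    return unexpected, missing

# Constructed sample: IDs and grants are made up, not taken from a real tenant.
SAMPLE_NAMES = {"res-graph": "Microsoft Graph", "res-kv": "Azure Key Vault"}
SAMPLE_GRANTS = [
    {"clientId": "sp-automation", "consentType": "AllPrincipals",
     "resourceId": "res-graph", "scope": "openid"},
    {"clientId": "sp-automation", "consentType": "Principal",
     "resourceId": "res-graph", "scope": " openid User.Read"},
    {"clientId": "sp-automation", "consentType": "AllPrincipals",
     "resourceId": "res-kv", "scope": "user_impersonation"},
]

if __name__ == "__main__":
    print(audit_grants("automation", SAMPLE_GRANTS, SAMPLE_NAMES))
```

Any entry in the first list is a scope granted beyond what this guide documents for that service principal and is worth reviewing before moving on to Step 3.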

Step 3: Assign Roles to Service Principals

Some service principals require specific roles to be assigned to them. This can be done manually using the provided JSON code or automatically through the dropdown menus.

To assign roles manually:

Navigate to the 'Install Custom RBAC role' section.

Select 'JSON Code' and copy the code provided.

Paste the JSON code into the Azure portal to assign the roles.

To assign roles automatically:

Navigate to the 'Install Custom RBAC role' section.

Select 'Auto Install' and use the dropdown menus to select the appropriate roles and management groups.

Click 'Grant RBAC Access' to apply the roles.

Install Custom RBAC role

These roles ensure that AZExecute can connect and execute VM tasks and automation in general. Please follow these steps carefully to complete the setup.


If you encounter any issues or need further assistance, please contact us at info@azexecute.com. Our support team is here to help you.