Installation Guide
Welcome to the installation guide for AZExecute. Follow these steps to get started with setting up your environment.
Step 1: Log in with an Azure Account
To begin using AZExecute, log in with your Azure Account. It is recommended to use an account with Global Admin permissions to ensure a smooth setup process.
Step 2: Consent to Service Principals
The next step is to consent to the various service principals required by AZExecute. This action will grant AZExecute access to your Azure tenant. Global Admin permissions are necessary to consent to these principals.
Navigate to the 'System' section and check the status of each required service principal. If consent is required, you will see options to 'Re-Consent' or 'Check'.
Below is a summary of the permissions required by the main service principal.
Note that all permissions are of the 'Delegated' type, meaning they are granted within the context of the logged-in user.
API / Permissions Name | Type | Description |
---|---|---|
Azure DevOps - user_impersonation | Delegated | Have full access to Visual Studio Team Services REST APIs |
Azure Key Vault - user_impersonation | Delegated | Have full access to the Azure Key Vault service |
Azure Service Management - user_impersonation | Delegated | Access Azure Service Management as organization users |
Microsoft Graph - Application.ReadWrite.All | Delegated | Read and write all applications |
Microsoft Graph - Directory.AccessAsUser.All | Delegated | Access directory as the signed in user |
Microsoft Graph - email | Delegated | View users' email address |
Microsoft Graph - offline_access | Delegated | Maintain access to data you have given it access to |
Microsoft Graph - openid | Delegated | Sign users in |
Microsoft Graph - profile | Delegated | View users' basic profile |
Microsoft Graph - RoleManagement.Read.Directory | Delegated | Read directory RBAC settings |
Microsoft Graph - User.Read | Delegated | Sign in and read user profile |
Microsoft Graph - User.ReadBasic.All | Delegated | Read all users' basic profiles |
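To confirm after consent that the main service principal holds exactly the delegated permissions in the table above, the grants can be compared against it. The following is an added example, not part of AZExecute: it checks Microsoft Graph `oauth2PermissionGrant` records (properties `resourceId`, `consentType`, `scope`) against the documented list. The resource-id-to-name mapping and the sample grants are constructed assumptions.

```python
# Expected delegated scopes for the main service principal, copied from the table above.
EXPECTED = {
    "Azure DevOps": {"user_impersonation"},
    "Azure Key Vault": {"user_impersonation"},
    "Azure Service Management": {"user_impersonation"},
    "Microsoft Graph": {
        "Application.ReadWrite.All", "Directory.AccessAsUser.All", "email",
        "offline_access", "openid", "profile", "RoleManagement.Read.Directory",
        "User.Read", "User.ReadBasic.All",
    },
}


def audit_grants(grants, resource_names, expected=EXPECTED):
    """Compare oauth2PermissionGrant objects against the documented scopes.

    grants: list of dicts with the Graph oauth2PermissionGrant properties
            resourceId, consentType and scope (space-separated string).
    resource_names: maps resourceId (object id of the API's service principal
            in this tenant) to the API name used in the table (assumed input).
    """
    granted = {}
    tenant_wide = set()
    for g in grants:
        api = resource_names.get(g["resourceId"], g["resourceId"])
        granted.setdefault(api, set()).update(g.get("scope", "").split())
        if g.get("consentType") == "AllPrincipals":  # admin consent for all users
            tenant_wide.add(api)
    apis = set(granted) | set(expected)
    unexpected = {a: granted.get(a, set()) - expected.get(a, set()) for a in apis}
    missing = {a: expected.get(a, set()) - granted.get(a, set()) for a in apis}
    return {
        "unexpected": {a: s for a, s in unexpected.items() if s},
        "missing": {a: s for a, s in missing.items() if s},
        "tenant_wide": tenant_wide,
    }


# Constructed sample data (ids are placeholders, not real tenant values).
SAMPLE_NAMES = {"res-graph": "Microsoft Graph", "res-kv": "Azure Key Vault"}
SAMPLE_GRANTS = [
    {"resourceId": "res-graph", "consentType": "AllPrincipals",
     "scope": "openid profile email offline_access User.Read Mail.Read"},
    {"resourceId": "res-kv", "consentType": "Principal",
     "scope": "user_impersonation"},
]

if __name__ == "__main__":
    print(audit_grants(SAMPLE_GRANTS, SAMPLE_NAMES))
```

Any entry under `unexpected` is a scope granted beyond what this guide documents and should be reviewed before the service principal is put into use.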
Below is a summary of the permissions required by the application service principal.
Note that all permissions are of the 'Application' type, meaning they are used by the background task that updates secrets in the tenant.
API / Permissions Name | Type | Description |
---|---|---|
Microsoft Graph - Application.Read.All | Application | Read all applications |
Microsoft Graph - Application.ReadWrite.OwnedBy | Application | Manage apps that this app creates or owns |
Microsoft Graph - User.ReadBasic.All | Application | Read all users' basic profiles |
Below is a summary of the permissions required by the automation service principal.
Note that the openid permission is granted only because consent needs to be given to something. This is a least-privilege approach.
API / Permissions Name | Type | Description |
---|---|---|
Microsoft Graph - openid | Delegated | Sign users in |
Below is a summary of the permissions required by the VM service principal.
Note that the openid permission is granted only because consent needs to be given to something. This is a least-privilege approach.
API / Permissions Name | Type | Description |
---|---|---|
Microsoft Graph - openid | Delegated | Sign users in |
Step 3: Assign Roles to Service Principals
Some service principals require specific roles to be assigned to them. This can be done manually using the provided JSON code or automatically through the dropdown menus.
To assign roles manually:
1. Navigate to the 'Install Custom RBAC role' section.
2. Select 'JSON Code' and copy the code provided.
3. Paste the JSON code into the Azure portal to assign the roles.

To assign roles automatically:
1. Navigate to the 'Install Custom RBAC role' section.
2. Select 'Auto Install' and use the dropdown menus to select the appropriate roles and management groups.
3. Click 'Grant RBAC Access' to apply the roles.
These roles ensure that AZExecute can connect and execute VM tasks and automation in general. Please follow these steps carefully to complete the setup.
If you encounter any issues or need further assistance, please contact us at info@azexecute.com. Our support team is here to help you.