Azure PaaS platform initial deployment is an automated process after you've configured the listed requirements. All new Privilege Manager versions will be automatically updated from Recast Software to the customers Azure PaaS platform.
To enable automatic and continuous deployment, configure the following in the target Azure subscription where Privilege Manager PaaS resources are located:
Azure AD App Registration
To allow authentication to Azure resources for deployments, an Azure AD App Registration must be created to target Azure subscription.
For instructions on creating Azure AD App Registration, see Create an Azure AD app and service principal in the portal - Microsoft identity platform | Microsoft Docs (these instructions are referenced below).
Use the following guidelines when creating the Azure AD App Registration:
- Name of the application (can be anything) at step 5. in Register an application with Azure AD and create a service principal
- Privilege Manager Continuous Deployment
- No need to specify Redirect URI at step 5. in Register an application with Azure AD and create a service principal
- Grant Contributor and SQL Security Manager roles for the Azure AD application at step 5. in Assign a role to the application
- If you use Resource Group as a scope (recommended) then grant both roles to the Resource Group
- If you use each Azure PaaS resource (App Services and SQL Server) as a scope then grant Contributor role for both App Service and SQL Security Manager for SQL Server
- Create shared secret to Azure AD App Registration at option 2 in Create a new application secret
- Remember to take a note of the created shared secret value!
- Collect Azure AD App Registration information at Get tenant and app ID values for signing in
- Directory ID
- Application ID
- Send the following information to Recast at support@recastsoftware.com:
- Azure AD App Registration information
- Directory ID, Application ID and secret value (from previous steps)
- Azure SQL Database information (for the SQL Database created using these instructions)
- Azure Subscription ID (from Azure Portal the Subscription ID value at SQL Database resource Overview page)
- Azure Resource Group name (from Azure Portal the Resource group value at SQL Database resource Overview page)
- Azure SQL Database connection string (from Azure Portal the ADO.NET (SQL authentication) connection string at SQL Database resource Connection strings page)
- Azure SQL Database user account password (for the user account specified in connection string)
- Azure App Service information (for the Privilege Manager Portal and Agent Gateway created using these instructions)
- Azure Subscription name (from Azure Portal the Subscription value at App Service resource Overview page)
- Azure Subscription ID (from Azure Portal the Subscription ID value at App Service resource Overview page)
- App Service name for Privilege Manager Portal (from Azure Portal the name of the at Privilege Manager Portal App Service resource)
- App Service name for Agent Gateway (from Azure Portal the name of the at Agent Gateway App Service resource)
- Information of which Azure AD group's members should be allowed to use Self Service for getting temporary admin privileges
- Group's Object ID
- For each group, let us know if the group members should be able elevate their Azure AD account, or just elevate by using the local user account. Detailed information about all possible configurations can be found from self-service configuration.
- Azure AD App Registration information
Tip! You should encrypt the email sent to the Recast support or send Azure AD App Registration secret value and SQL Database user password via a separate channel. If you want to use a separate channel for secure information include a note to your email and then Recast support will agree to a secure channel to be used with you.