.. config-azure-permissions.rst

.. _config-azure-permission:

==============================
Configuring Azure Permissions
==============================

In this step you will add the permissions required for the developers who will deploy and configure the applications in Azure. When adding the permissions, use one of the following options:

* Use an existing account with the required permissions as described in :ref:`prerequisites`.
* Create a Resource Group and add a custom role using the Azure Resource Group :ref:`predefined permissions template ` provided by Yubico. The steps to create the group are described in the following sections.

Creating a Resource Group
===========================

If not already available, you must first create an Azure Resource Group to be able to add the required user permissions.

To create a Resource group, do the following:

1. Log in to the `Azure Portal `_.
2. Search for and select “Resource groups”.
3. Click **Create**.
4. Select the appropriate Subscription and Region, and provide a descriptive Resource group name, for example “Yubico FIDO Pre-reg Service”.
5. Click **Review + create**.

Adding a Custom Role
======================

To add a custom role with the required permissions, do the following:

1. In the **Azure portal**, create a custom role with the permissions from the :ref:`predefined permissions template ` scoped to the previously created Resource group.
2. When the custom role is created, assign the new “Privileged administrator role” to the user or the security group that is deploying the resources.

.. note:: The “Microsoft.Authorization/roleAssignments/write” permission results in the new role being a “Privileged administrator role”.

Assigning an Email License
============================

To support the PIN mailing function, the designated sender account will need to have the required licensing. The setup in this example uses the Microsoft 365 email service. If you want to use a different email service, you can update the “Send_shipment_pin Logic App flow” after the deployment to use your preferred delivery service.

To assign a Microsoft 365 license to the account, do the following:

1. Log in to the `Microsoft 365 admin center `_.
2. Go to **Billing > Licenses** and assign a license granting access to Microsoft 365. If your organization requires additional licenses you might need to reach out to your Billing Account Owner or Billing Account Contributor.
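
The following added example (not part of Yubico's documentation or template) relates to the custom role described under “Adding a Custom Role”: it reviews a role definition before creation, confirming that the privileged “Microsoft.Authorization/roleAssignments/write” permission is effectively granted only where expected and that the role stays scoped to the Resource group. The role contents, subscription ID and Resource group name are constructed placeholders, and the JSON layout assumed is the one used by Azure CLI role definitions.

```python
import re
from fnmatch import fnmatchcase

PRIVILEGED = "Microsoft.Authorization/roleAssignments/write"
# A scope that ends at one Resource group, nothing broader.
RG_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/?$", re.I)

def grants(role, action):
    """True if Actions match `action` (wildcards allowed) and NotActions do not."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))

def review_role(role):
    """Return findings for a custom role definition (Azure CLI JSON layout)."""
    findings = []
    if grants(role, PRIVILEGED):
        findings.append("privileged: can write role assignments")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("no assignable scope set")
    for scope in scopes:
        if not RG_SCOPE.match(scope):
            findings.append(f"broad scope: {scope}")
    return findings

# Constructed samples; the subscription ID and group name are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
SAMPLES = {
    # Explicit privileged permission, limited to the Resource group.
    "rg_scoped": {"Actions": ["Microsoft.Resources/deployments/*", PRIVILEGED],
                  "NotActions": [], "AssignableScopes": [RG]},
    # A wildcard grants the same permission implicitly, at subscription scope.
    "wildcard_sub": {"Actions": ["Microsoft.Authorization/*"],
                     "NotActions": [], "AssignableScopes": [SUB]},
    # NotActions removes the permission that "*" would otherwise grant.
    "excluded": {"Actions": ["*"],
                 "NotActions": ["Microsoft.Authorization/*/Write"],
                 "AssignableScopes": [RG]},
}

if __name__ == "__main__":
    for name, role in SAMPLES.items():
        print(name, review_role(role) or "no findings")
```

For the role built from the template, a “privileged” finding is expected per the note above; a “broad scope” finding means the role can be assigned outside the Resource group created for this deployment.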