.. deploy-azure.rst

.. _deploy-azure:

==============================
Deploying to Azure
==============================

In this step you deploy the Yubico FIDO Connector App itself, along with the underlying infrastructure and the required configuration changes.

.. _prereq-deploy:

Prerequisites
===============

Before you start the deployment, ensure you have the following:

* Access to a YubiEnterprise Console organization with FIDO Pre-reg enabled, along with a YubiEnterprise API token. See `Generating API Tokens`_.
* The ARM template JSON file provided by Yubico.
* The Docker image for the Container app, provided by Yubico. The image delivery includes the container registry name, user name and password used in the deployment.
* All steps in :ref:`config-entra-id` completed. This includes the permissions needed to deploy Azure services, the FIDO policies, and the :ref:`App registrations`.

Deployment Steps
===================

Follow these steps to deploy the components in Azure:

1. :ref:`Deploy the ARM template <deploy-arm-template>`
2. :ref:`Modify private endpoints for Azure Vault and Storage <modify-private-endpoint>`
3. :ref:`Configure the Container app <config-container-app>`
4. :ref:`Grant permissions to the Container app <grant-cont-app-perm>`
5. :ref:`Grant permissions to the Logic App <grant-logic-app-perm>`
6. :ref:`Authorize the Logic App to use the Office 365 connector <auth-office-use>`

Each step is described in detail below.

.. _deploy-arm-template:

Deploying ARM Template
-------------------------

To deploy the ARM template, do the following:

1. Log in to the `Azure portal`_.
2. In the **Home** view, search for and select “Deploy a custom template”.
3. Click **Build your own template in the editor**.
4. Click **Load file**, then select the ARM template file provided by Yubico.
5. Click **Save**.
6. In the configuration menu, provide the following values:

   * **Subscription:** Select your Azure subscription.
   * **Resource group:** Select or create a resource group for this deployment.
   * **Region:** Leave as default; all resources are deployed to the region of the resource group.
   * **YED_API_TOKEN:** Paste in the token generated in :ref:`prereq-deploy`.
   * **Key Vault_Resource_Name:** Provide a unique name for your Key Vault instance.
   * **Container_App_Name:** Provide a unique name for your Container app.
   * **Container_Registry_Name:** Use the registry name from :ref:`prereq-deploy`.
   * **Container_Image_Name_Tag:** Use the container image name and version tag from :ref:`prereq-deploy`.
   * **Container_Registry_User:** Use the registry user name from :ref:`prereq-deploy`.
   * **Container_Registry_Password:** Use the registry password from :ref:`prereq-deploy`.
   * **FIDO_Connector_Client_Id:** Client ID from the :ref:`app registration`.
   * **FIDO_Connector_Client_Secret:** Client secret from the :ref:`app registration`.
   * **FIDO_Connector_Allowed_Audiences:** List of scopes/audiences that a client application must use when calling the app's API. The value set earlier was ``api://fido-connector-api.{verified domain name}``. Enter it as a JSON array of strings, for example ``["scope_1", "scope_2"]``; a plain string is not accepted.
   * **FIDO_Connector_Allowed_Client_Apps:** List of app registrations allowed to call this app's API, as registered in :ref:`client app registrations`. If you created the optional client app registration, use its client ID here. Enter the value as a JSON array of strings with one entry per client app ID, for example ``["client_app_id_1"]``. Together with the allowed audiences, this list is the app's allow-list for incoming tokens, so keep it to exactly the client apps that need access.
   * **Storage Account_Resource_Name:** Provide a unique name for your storage account.
   * **Workflows_Send_shipment_pin_name:** Leave as default, or enter a name based on your preferred naming convention.

7. Click **Review + create**.
8. When the validation completes, click **Create** and wait for your application to deploy.

.. note::
   The following parameters in the ARM template have predefined values that are appropriate for standard Microsoft Azure deployments.
   They do not need to be changed unless specifically advised by your IT department, for example for government (sovereign cloud) deployments:

   * ``MS_Login_Online_Endpoint``
   * ``MS_Graph_Endpoint``
   * ``Azure_Mgmt_Endpoint``
   * ``Azure_Storage``
   * ``Azure_Vault``

.. _modify-private-endpoint:

Modifying Private Endpoints
-----------------------------

The ARM template includes a reference implementation of a virtual network, a subnet and private endpoints for the Azure Key Vault and Storage resources used by the FIDO Connector Container App. The private endpoints keep the Container app's traffic to Key Vault and Storage off the public Internet. You can use this reference as a basis and adapt it to the network settings of your environment; if you change the address prefixes, make sure they do not overlap with address space you already route or peer to. The predefined values of the following parameters typically do not need to be changed:

* ``virtualNetworkName``
* ``virtualNetworkAddressPrefix``
* ``subnetName``
* ``subnetAddressPrefix``
* ``keyVaultPrivateEndpointName``
* ``tableStorageAccountPrivateEndpointName``

.. _config-container-app:

Configuring Container App
---------------------------

To configure the environment variables for the Container app, do the following:

1. In your **Container App** resource, go to **Application** > **Containers**.
2. Click **Edit and deploy**.
3. In the **Container** tab, click **yubicofidopreregcontainer** in the **Container Image** section.
4. On the **Properties** tab, for **Image source** select “Docker Hub or other registries”.
5. Click **Environment variables**.
6. Set **SEND_PIN_URL** as follows:

   a. Go to your **Resource group**.
   b. Open the Logic App resource **Send_shipment_pin**.
   c. Copy the value of **Workflow URL**.
   d. Paste it into the **SEND_PIN_URL** value field.
   e. Click **Save**.

7. Click **Create**.
8. Wait for your application to instantiate.

The Workflow URL embeds a SAS signature (the ``sig`` query parameter) that authorizes calls to the Logic App trigger, so treat it as a secret: do not commit it to source control, and regenerate the Logic App access key if it leaks.

.. _grant-cont-app-perm:

Granting Container App Permissions
------------------------------------

.. note::
   This step requires the *Owner* role, or another role that can create role assignments (for example *User Access Administrator*).
To configure the managed identity for the Container app, do the following:

1. In your **Container App** resource, go to **Settings** > **Identity**.
2. Click **Azure role assignments**.
3. Click **Add role assignment** and apply the following values:

   a. **Scope:** Key Vault.
   b. **Subscription:** Your subscription.
   c. **Resource:** The Key Vault deployed by this project.
   d. **Role:** Key Vault Administrator.

4. Click **Save**.
5. Click **Add role assignment** and configure as follows:

   a. **Scope:** Storage.
   b. **Subscription:** Your subscription.
   c. **Resource:** The Storage Account deployed by this project.
   d. **Role:** Storage Table Data Contributor.

6. Click **Save**.

Both assignments are scoped to the single resource deployed by this project. *Key Vault Administrator* grants full data-plane access to every secret, key and certificate in the vault, so do not widen the scope to the resource group or subscription, and keep the vault dedicated to the connector.

.. _grant-logic-app-perm:

Granting Logic App Permissions
--------------------------------

.. note::
   These configuration steps require either the *Privileged Role Administrator* or the *Global Administrator* role.

To authorize the **Send_shipment_pin** Logic App to call the Microsoft Graph API, do the following:

1. In the Azure portal, go to the resource group where the **Send_shipment_pin** Logic App was deployed.
2. Select the “Send_shipment_pin” Logic App.
3. Go to **Settings** > **Identity**.
4. Copy the value for **Object (principal) ID**.
5. Go to **Entra ID** in the Azure portal.
6. Go to **Manage** > **Roles and administrators**.
7. Select the role “Directory Readers”.
8. Click **+ Add assignments**.
9. Under **Select members**, select “No member selected”.
10. In the search field, paste the “Object (principal) ID” copied in step 4.
11. Select the enterprise application displayed and click **Select**.
12. Click **Next**.
13. Ensure the **Assignment type** is set to “Active”.
14. Enter a justification and click **Assign**.

*Directory Readers* is a read-only directory role: it lets the Logic App's managed identity look up directory data through Graph without being able to change it. Assign this role rather than a broader directory role.

.. _auth-office-use:

Authorizing Office 365 Usage
-----------------------------

To authorize the **Send_shipment_pin** Logic App to use the Office 365 connector, do the following:

1. In the Azure portal, go to the resource group where the **Send_shipment_pin** Logic App was deployed.
2. Select the “Send_shipment_pin” Logic App.
3. Go to **Development tools** > **API connections**.
4. Select the “office365” connection.
5. Go to **General** > **Edit API connection**.
6. Click **Authorize**.
7. Log in with the account that will be used as the sender of Yubico FIDO Pre-reg PIN emails.
8. When logged in, click **Save**.

The authorization stores a delegated token for the signed-in account in the API connection, and every PIN email is sent from that mailbox. Use a dedicated service mailbox rather than an administrator's personal account, and re-authorize the connection if that account's password is changed or its sessions are revoked.
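The portal procedure above, scripted with the Azure CLI so the deployment is repeatable and reviewable. This is an added example, not Yubico's code and not part of the ARM template. It assumes ``az`` (with the ``containerapp`` extension) is logged in with the rights the page requires, that the template's parameter names equal the portal labels with spaces replaced by underscores (check with ``az deployment group validate``, which rejects unknown names), that the two ``FIDO_Connector_Allowed_*`` parameters are declared as type ``array``, and that the deployment targets the public Azure cloud (the Graph URL matches the default endpoint parameters). Every resource name, image tag, client ID and the ``example.com`` domain are placeholders. Step 6 (the Office 365 connector) is an interactive consent and is left to the portal.

```shell
#!/bin/sh
# Added example, not Yubico's code: the portal steps of this page as Azure CLI calls.
# Assumes "az" is logged in with the rights the page requires, that the template
# parameter names equal the portal labels (spaces as underscores; check with
# "az deployment group validate") and that the two *_Allowed_* parameters are
# of type "array". Every name, tag, ID and domain below is a placeholder.
set -eu

RG=${RG:-rg-fido-connector}
TEMPLATE=${TEMPLATE:-./fido-connector-template.json}   # file provided by Yubico
KEY_VAULT=${KEY_VAULT:-kv-fido-connector}
STORAGE=${STORAGE:-stfidoconnector}
CONTAINER_APP=${CONTAINER_APP:-ca-fido-connector}
LOGIC_APP=${LOGIC_APP:-Send_shipment_pin}
REGISTRY=${REGISTRY:-registry.example.com}             # from the Yubico image delivery
IMAGE_TAG=${IMAGE_TAG:-yubicofidopreregcontainer:1.0.0}
REGISTRY_USER=${REGISTRY_USER:-registry-user}
CLIENT_ID=${CLIENT_ID:-00000000-0000-0000-0000-000000000000}
AUDIENCES="api://fido-connector-api.example.com"        # space-separated; domain assumed
CLIENT_APPS="11111111-1111-1111-1111-111111111111"      # space-separated client IDs
SEND_PIN_URL=${SEND_PIN_URL:-}                          # "Workflow URL" of Send_shipment_pin
# Secrets come only from the environment; never hard-code them in the script.
YED_API_TOKEN=${YED_API_TOKEN:-}
REGISTRY_PASSWORD=${REGISTRY_PASSWORD:-}
CLIENT_SECRET=${CLIENT_SECRET:-}

# Minimal JSON encoders so the allow-lists arrive as real JSON arrays, not as
# the string '["a"]' (a common reason for the template failing validation).
json_str() { printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"; }
json_array() {
  local out="" item
  for item in "$@"; do out="${out:+$out,}$(json_str "$item")"; done
  printf '[%s]' "$out"
}

# Render a deploymentParameters.json on stdout (the value list of step 1).
# $AUDIENCES and $CLIENT_APPS are deliberately unquoted: one array entry per word.
render_params() {
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "YED_API_TOKEN": { "value": $(json_str "$YED_API_TOKEN") },
    "Key_Vault_Resource_Name": { "value": $(json_str "$KEY_VAULT") },
    "Container_App_Name": { "value": $(json_str "$CONTAINER_APP") },
    "Container_Registry_Name": { "value": $(json_str "$REGISTRY") },
    "Container_Image_Name_Tag": { "value": $(json_str "$IMAGE_TAG") },
    "Container_Registry_User": { "value": $(json_str "$REGISTRY_USER") },
    "Container_Registry_Password": { "value": $(json_str "$REGISTRY_PASSWORD") },
    "FIDO_Connector_Client_Id": { "value": $(json_str "$CLIENT_ID") },
    "FIDO_Connector_Client_Secret": { "value": $(json_str "$CLIENT_SECRET") },
    "FIDO_Connector_Allowed_Audiences": { "value": $(json_array $AUDIENCES) },
    "FIDO_Connector_Allowed_Client_Apps": { "value": $(json_array $CLIENT_APPS) },
    "Storage_Account_Resource_Name": { "value": $(json_str "$STORAGE") },
    "Workflows_Send_shipment_pin_name": { "value": $(json_str "$LOGIC_APP") }
  }
}
EOF
}

# Step 1: validate, then deploy. The parameter file holds secrets: mktemp creates
# it mode 0600 and it is removed right after the deployment call.
deploy_template() {
  : "${YED_API_TOKEN:?}" "${REGISTRY_PASSWORD:?}" "${CLIENT_SECRET:?}"
  local params; params=$(mktemp); render_params >"$params"
  az deployment group validate -g "$RG" --template-file "$TEMPLATE" --parameters "@$params" -o none
  az deployment group create   -g "$RG" --template-file "$TEMPLATE" --parameters "@$params" -o none
  rm -f "$params"
}

# Step 3: the Workflow URL carries a SAS signature, so keep it as a container
# app secret and point the environment variable at that secret.
set_send_pin_url() {
  : "${SEND_PIN_URL:?copy the Workflow URL from the Send_shipment_pin Logic App}"
  az containerapp secret set -g "$RG" -n "$CONTAINER_APP" --secrets "send-pin-url=$SEND_PIN_URL" -o none
  az containerapp update -g "$RG" -n "$CONTAINER_APP" --set-env-vars "SEND_PIN_URL=secretref:send-pin-url" -o none
}

# Step 4: data-plane roles for the container app's system-assigned identity,
# scoped to the two resources themselves, never to the resource group.
grant_container_app_roles() {
  local principal kv_id st_id
  principal=$(az containerapp show -g "$RG" -n "$CONTAINER_APP" --query identity.principalId -o tsv)
  kv_id=$(az keyvault show -g "$RG" -n "$KEY_VAULT" --query id -o tsv)
  st_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Administrator" --scope "$kv_id" -o none
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Storage Table Data Contributor" --scope "$st_id" -o none
}

# Step 5: Directory Readers for the Logic App identity through the Graph role
# assignment API (needs Privileged Role Administrator, as the page notes).
grant_directory_readers() {
  local principal role_id
  principal=$(az resource show -g "$RG" -n "$LOGIC_APP" --resource-type Microsoft.Logic/workflows \
    --query identity.principalId -o tsv)
  role_id=$(az rest --method GET --query 'value[0].id' -o tsv --url \
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?\$filter=displayName%20eq%20'Directory%20Readers'")
  az rest --method POST --url https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments \
    --body "{\"principalId\":\"$principal\",\"roleDefinitionId\":\"$role_id\",\"directoryScopeId\":\"/\"}" -o none
}

# Step 6 (Office 365 connector) is an interactive consent and stays in the portal.
# The Azure calls run only with "apply"; otherwise the script just defines helpers.
if [ "${1:-}" = "apply" ]; then
  deploy_template; set_send_pin_url; grant_container_app_roles; grant_directory_readers
fi
```

Export ``YED_API_TOKEN``, ``REGISTRY_PASSWORD`` and ``CLIENT_SECRET`` (and, after the first deployment, ``SEND_PIN_URL``) in the shell, then run ``sh deploy-fido-connector.sh apply``; without ``apply`` the script only defines its functions, which is how ``render_params`` can be inspected before anything is created. For a pipeline, the three secure parameters can also be supplied as Key Vault ``reference`` entries in the parameters file instead of ``value`` entries, so the token and secrets never touch the build agent's disk.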