Configuring Azure Permissions

In this step you will add permissions required for developers that will deploy and configure the applications in Azure.

When adding the permissions, use one of the following options:

  • Use an existing account with the required permissions as described in Prerequisites.
  • Create a Resource Group and add a custom role using the Azure Resource Group predefined permissions template provided by Yubico. The steps to create the group and the role are described below.

Creating a Resource Group

If one is not already available, you must first create an Azure Resource Group, since the custom role carrying the required user permissions is scoped to it.

To create a Resource group, do the following:

  1. Log in to the Azure Portal.
  2. Search for and select “Resource groups”.
  3. Click Create.
  4. Select the appropriate Subscription and Region, and provide a descriptive Resource group name, for example “Yubico FIDO Pre-reg Service”.
  5. Click Review + create.

Adding a Custom Role

To add a custom role with the required permissions, do the following:

  1. In the Azure portal, create a custom role with the permissions from the predefined permissions template, scoped to the previously created Resource group.
  2. Once the custom role has been created, assign the new “Privileged administrator role” to the user or the security group that is deploying the resources.

Note

The “Microsoft.Authorization/roleAssignments/write” permission results in the new role being a “Privileged administrator role”.
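The same resource-group and custom-role setup, driven from the Azure CLI instead of the portal, as an added example that is not Yubico's or Microsoft's code. It covers the two procedures above (creating the Resource Group, adding and assigning the custom role) and the point made in the Note: the definition is checked for “Microsoft.Authorization/roleAssignments/write” so the operator is told before assignment that the role is a privileged administrator role. The subscription ID, resource group name, region, role name and assignee are placeholders. The action list contains only the one action the page names; the remaining actions must be copied from the Yubico-provided template, which is not reproduced here.

```shell
#!/bin/sh
# Added example (not Yubico's or Microsoft's code). Mirrors the portal steps:
# create the resource group, define a custom role whose only assignable scope
# is that resource group, flag it if it is privileged, then assign it.
# All identifiers below are placeholders; override them via the environment.

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-yubico-fido-prereg-rg}"                    # placeholder
LOCATION="${LOCATION:-westeurope}"                                           # placeholder
ROLE_NAME="${ROLE_NAME:-FIDO Pre-reg Deployer}"                              # placeholder
ASSIGNEE="${ASSIGNEE:-deployers@example.com}"                                # placeholder user or group

# Resource Manager ID of the resource group; this is the scope the role is limited to.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Emit a role definition in the JSON shape "az role definition create" accepts.
# Only the action the page names explicitly is listed; add the remaining actions
# from the Yubico permissions template in the "Actions" array.
role_definition_json() {
  role_name=$1
  scope=$2
  cat <<EOF
{
  "Name": "$role_name",
  "IsCustom": true,
  "Description": "Deploys and configures the FIDO Pre-reg resources (placeholder description)",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# A role that can write role assignments is a privileged administrator role
# (see the Note above); exit status 0 means "privileged".
is_privileged_role() {
  printf '%s' "$1" | grep -q '"Microsoft.Authorization/roleAssignments/write"'
}

# Number of assignable scopes. A least-privilege role for this deployment should
# have exactly one: the resource group, never the whole subscription.
assignable_scope_count() {
  printf '%s' "$1" | grep -c '"/subscriptions/'
}

# Performs the deployment. Requires an Azure CLI session ("az login") that may
# create resource groups, role definitions and role assignments in the subscription.
deploy_role() {
  command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; return 1; }
  scope=$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")
  definition=$(role_definition_json "$ROLE_NAME" "$scope")
  if is_privileged_role "$definition"; then
    echo "note: '$ROLE_NAME' can write role assignments; it will be a privileged administrator role" >&2
  fi
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" >/dev/null
  printf '%s\n' "$definition" > role-definition.json
  az role definition create --role-definition @role-definition.json >/dev/null
  az role assignment create --assignee "$ASSIGNEE" --role "$ROLE_NAME" --scope "$scope" >/dev/null
  echo "assigned '$ROLE_NAME' to $ASSIGNEE at $scope"
}

# Only deploy when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  deploy_role
fi
```

Run it as `sh setup-role.sh deploy` after `az login`. If the role already exists, `az role definition create` fails; use `az role definition update --role-definition @role-definition.json` to push a changed action list instead. Keeping “AssignableScopes” limited to the one resource group is what keeps a privileged administrator role from being assignable anywhere else in the subscription.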

Assigning an Email License

To support the PIN mailing function, the designated sender account will need to have the required licensing. The setup in this example uses the Microsoft 365 email service. If you want to use a different email service, you can update the “Send_shipment_pin Logic App flow” after the deployment to use your preferred delivery service.

To assign a Microsoft 365 license to the account, do the following:

  1. Log in to the Microsoft 365 admin center.
  2. Go to Billing > Licenses and assign a license granting access to Microsoft 365. If your organization requires additional licenses, you might need to reach out to your Billing Account Owner or Billing Account Contributor.