Deploying to Azure

In this step you will deploy the Yubico FIDO Connector App itself along with the underlying infrastructure and required configuration changes.

Prerequisites

Before you start the deployment, ensure you have the following:

  • Access to a YubiEnterprise Console organization with FIDO Pre-reg enabled, along with a YubiEnterprise API token. See Generating API Tokens.
  • An ARM Template JSON file, provided by Yubico.
  • A Docker Image for the Container app, provided by Yubico. The Docker image contains the Registry name/password used in the deployment.
  • Completed all steps in Configuring Microsoft Entra ID. This includes developer permissions to deploy Azure services, the FIDO policies, and the app registrations.

Deployment Steps

Follow these steps to deploy the components in Azure:

  1. Deploy the ARM template
  2. Modify private endpoints for Azure Vault and Storage
  3. Configure the Container app
  4. Grant permissions to the Container app
  5. Grant permissions to the Logic App
  6. Authorize Logic App to use Office 365 connector

Each step is described in detail below.

Deploying ARM Template

To deploy the ARM template, do the following:

  1. Log in to the Azure portal.
  2. In the Home view, search for and select “Deploy a custom template”.
  3. Click Build your own template in the editor.
  4. Click Load file, then select the ARM template file provided by Yubico.
  5. Click Save.
  6. In the configuration menu, provide the following values:
    • Subscription: Select your Azure Subscription.
    • Resource group: Select or create a resource group for this deployment.
    • Region: Leave as default; all resources are deployed to the region of the resource group.
    • YED_API_TOKEN: Paste in the token generated in Prerequisites.
    • Key Vault_Resource_Name: Provide a unique name for your key vault instance.
    • Container_App_Name: Provide a unique name for your container app.
    • Container_Registry_Name: Use the Registry name from Prerequisites.
    • Container_Image_Name_Tag: Use the Registry Container Image name and version Tag from Prerequisites.
    • Container_Registry_User: Use the Registry user name from Prerequisites.
    • Container_Registry_Password: Use the Registry password from Prerequisites.
    • FIDO_Connector_Client_Id: Client ID from the app registration.
    • FIDO_Connector_Client_Secret: Client Secret from the app registration.
    • FIDO_Connector_Allowed_Audiences: List of scopes/audiences that a client application must use for calling the app’s API. The default value used earlier was api://fido-connector-api.{verified domain name}. Ensure this is formatted as an array of strings, for example ["scope_1", "scope_2"].
    • FIDO_Connector_Allowed_Client_Apps: List of app registrations that are allowed to call this app’s API, as registered in client app registrations. If the optional client app registration was performed, its ID can be used as the string. Ensure that the value is formatted as an array of strings containing each client app ID. Example: ["client_app_id_1"].
    • Storage Account_Resource_Name: Provide a unique name for your storage instance.
    • Workflows_Send_shipment_pin_name: Leave as default, or enter a name based on your preferred naming convention.
  7. Click Review + create.
  8. When the validation completes, click Create and wait for your application to deploy.

Note

The following parameters in the ARM template have appropriate predefined values for standard Microsoft Azure deployments. They do not need to be changed unless specifically advised by your IT department, for example for government deployments:

  • MS_Login_Online_Endpoint
  • MS_Graph_Endpoint
  • Azure_Mgmt_Endpoint
  • Azure_Storage
  • Azure_Vault
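The portal steps above can also be run from the Azure CLI. The following script is an added example and is not part of the Yubico guide; it assumes the resource group already exists, that the template provided by Yubico is saved locally (the path is passed as an argument), and that the parameter names match the labels listed above. The two labels that contain a space are assumed here to be Key_Vault_Resource_Name and Storage_Account_Resource_Name; check both against the template's "parameters" section before running. The secrets (API token, registry password, client secret) are read from environment variables and written to a mode 0600 parameters file that is removed on exit, so they never appear on a command line or in shell history.

```shell
#!/bin/sh
# Added example (not from the Yubico guide): Azure CLI equivalent of the
# "Deploying ARM Template" portal steps. Parameter names follow the labels in
# the guide; Key_Vault_Resource_Name and Storage_Account_Resource_Name are
# assumptions to verify against the template.
set -eu

# Escape a value for use inside a JSON string (quotes and backslashes).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit a JSON array of strings from the arguments: json_string_array a b -> ["a","b"].
# The guide requires FIDO_Connector_Allowed_Audiences and
# FIDO_Connector_Allowed_Client_Apps in exactly this shape.
json_string_array() {
    out=""
    for item in "$@"; do
        out="${out:+$out,}\"$(json_escape "$item")\""
    done
    printf '[%s]' "$out"
}

# Build an ARM parameters file body from environment variables.
# ALLOWED_AUDIENCES and ALLOWED_CLIENT_APPS are space-separated lists;
# ALLOWED_CLIENT_APPS may be empty when no client app was registered.
build_parameters_json() {
    # shellcheck disable=SC2086  # word splitting of the lists is intentional
    audiences=$(json_string_array $ALLOWED_AUDIENCES)
    # shellcheck disable=SC2086
    client_apps=$(json_string_array $ALLOWED_CLIENT_APPS)
    cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "YED_API_TOKEN": { "value": "$(json_escape "$YED_API_TOKEN")" },
    "Key_Vault_Resource_Name": { "value": "$(json_escape "$KEY_VAULT_NAME")" },
    "Container_App_Name": { "value": "$(json_escape "$CONTAINER_APP_NAME")" },
    "Container_Registry_Name": { "value": "$(json_escape "$CONTAINER_REGISTRY_NAME")" },
    "Container_Image_Name_Tag": { "value": "$(json_escape "$CONTAINER_IMAGE_NAME_TAG")" },
    "Container_Registry_User": { "value": "$(json_escape "$CONTAINER_REGISTRY_USER")" },
    "Container_Registry_Password": { "value": "$(json_escape "$CONTAINER_REGISTRY_PASSWORD")" },
    "FIDO_Connector_Client_Id": { "value": "$(json_escape "$FIDO_CONNECTOR_CLIENT_ID")" },
    "FIDO_Connector_Client_Secret": { "value": "$(json_escape "$FIDO_CONNECTOR_CLIENT_SECRET")" },
    "FIDO_Connector_Allowed_Audiences": { "value": $audiences },
    "FIDO_Connector_Allowed_Client_Apps": { "value": $client_apps },
    "Storage_Account_Resource_Name": { "value": "$(json_escape "$STORAGE_ACCOUNT_NAME")" }
  }
}
EOF
}

# Validate first, then deploy. The parameters file holds secrets, so it is
# created with mode 0600 and removed when the script exits.
deploy_fido_connector() {   # deploy_fido_connector <resource-group> <template-file>
    umask 077
    params=$(mktemp)
    trap 'rm -f "$params"' EXIT
    build_parameters_json > "$params"
    az deployment group validate --resource-group "$1" --template-file "$2" \
        --parameters @"$params" --output none
    az deployment group create --resource-group "$1" --name fido-connector \
        --template-file "$2" --parameters @"$params" --output table
}

case "${1:-}" in
    deploy) deploy_fido_connector "$2" "$3" ;;
esac
```

Usage: set the twelve environment variables named in build_parameters_json, then run `./deploy.sh deploy <resource-group> <template-file>`. The validate call catches a mismatched parameter name (for example, if the template spells a name differently from the guide's label) before anything is created.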

Modifying Private Endpoints

The ARM template includes a reference implementation of a virtual network, subnet and private endpoints for the Azure Vault and Storage resources used by the FIDO Connector Container App. You can use this reference as a basis and modify it to match the network settings of your environment. The predefined values of the following parameters typically do not need to be changed.

  • virtualNetworkName
  • virtualNetworkAddressPrefix
  • subnetName
  • subnetAddressPrefix
  • keyVaultPrivateEndpointName
  • tableStorageAccountPrivateEndpointName

Configuring Container App

To configure environment variables for the Container app, do the following:

  1. In your Container App resource, go to Application > Containers.
  2. Click Edit and deploy.
  3. In the Properties tab, set the Image source to “Docker Hub or other registries”.
  4. In the Container tab, click yubicofidopreregcontainer in the Container Image section.
  5. On the Properties tab, for Image source select “Docker Hub or Other Registries”.
  6. Click Environment Variables.
  7. Set SEND_PIN_URL as follows:
    1. Go to your Resource Group.
    2. Open the logic app resource Send_shipment_pin.
    3. Copy the value “Workflow URL”.
    4. Paste it into the SEND_PIN_URL value field.
    5. Click Save.
  8. Click Create.
  9. Wait for your application to instantiate.

Granting Container App Permissions

Note

This step requires the Owner role, or another role that can create role assignments.

To configure the managed identity for the Container app, do the following:

  1. In your Container App resource, go to Settings > Identity.
  2. Click Azure role assignments.
  3. Click Add role assignment and apply the following values:
    1. Scope: Key Vault.
    2. Subscription: Your subscription.
    3. Resource: The Key Vault deployed by this project.
    4. Role: Key Vault Administrator.
  4. Click Save.
  5. Click Add role assignment and configure as follows:
    1. Scope: Storage.
    2. Subscription: Your subscription.
    3. Resource: The Storage Account deployed by this project.
    4. Role: Storage Table Data Contributor.
  6. Click Save.
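The SEND_PIN_URL setting and the two role assignments above can also be applied from the Azure CLI. The following script is an added example, not part of the Yubico guide. It assumes the Logic App "Workflow URL" has already been copied from the portal as described in Configuring Container App, and it enables the Container App's system-assigned managed identity if it is not yet present. It also stores the workflow URL as a Container App secret referenced from the environment variable, which is a refinement of the guide's plain-value step: the URL carries a signature that grants the right to trigger the workflow, so it should not be readable as a plain environment value.

```shell
#!/bin/sh
# Added example (not from the Yubico guide): Azure CLI equivalent of
# "Configuring Container App" (SEND_PIN_URL) and "Granting Container App
# Permissions". Role names and scopes are the ones the guide specifies.
set -eu

# Build the ARM resource ID that a role assignment is scoped to. Scoping to the
# single vault or storage account (rather than the resource group) keeps the
# container app's identity within least privilege.
keyvault_scope() {   # keyvault_scope <subscription-id> <resource-group> <vault-name>
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}
storage_scope() {    # storage_scope <subscription-id> <resource-group> <account-name>
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Store the workflow URL as a Container App secret and reference it from the
# SEND_PIN_URL environment variable (the guide pastes the value directly).
set_send_pin_url() {  # set_send_pin_url <resource-group> <container-app> <workflow-url>
    az containerapp secret set --resource-group "$1" --name "$2" \
        --secrets "send-pin-url=$3" --output none
    az containerapp update --resource-group "$1" --name "$2" \
        --set-env-vars "SEND_PIN_URL=secretref:send-pin-url" --output none
}

# Assign Key Vault Administrator on the vault and Storage Table Data
# Contributor on the storage account to the container app's managed identity.
grant_container_app_roles() {  # <subscription-id> <resource-group> <container-app> <vault> <storage-account>
    principal_id=$(az containerapp identity show --resource-group "$2" --name "$3" \
        --query principalId --output tsv)
    if [ -z "$principal_id" ] || [ "$principal_id" = "None" ]; then
        # No system-assigned identity yet: enable it (portal: Settings > Identity).
        principal_id=$(az containerapp identity assign --resource-group "$2" --name "$3" \
            --system-assigned --query principalId --output tsv)
    fi
    for pair in "Key Vault Administrator|$(keyvault_scope "$1" "$2" "$4")" \
                "Storage Table Data Contributor|$(storage_scope "$1" "$2" "$5")"; do
        role=${pair%%|*}
        scope=${pair#*|}
        az role assignment create --assignee-object-id "$principal_id" \
            --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" --output none
    done
    # Verify what the identity actually holds, and on which scopes.
    az role assignment list --assignee "$principal_id" --all \
        --query "[].{role:roleDefinitionName,scope:scope}" --output table
}

case "${1:-}" in
    env)   set_send_pin_url "$2" "$3" "$4" ;;
    roles) grant_container_app_roles "$2" "$3" "$4" "$5" "$6" ;;
esac
```

Usage: `./grant.sh env <resource-group> <container-app> "<workflow-url>"` followed by `./grant.sh roles <subscription-id> <resource-group> <container-app> <vault> <storage-account>`. The closing role assignment listing is the check to keep: the identity should hold exactly the two roles on exactly the two resources, nothing wider.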

Granting Logic App Permissions

Note

These configuration steps require either the Privileged Role Administrator or the Global Administrator role.

To add authorization for the Send_shipment_pin Logic App to call the Microsoft Graph API, do the following:

  1. In the Azure portal, go to the resource group where the Send_shipment_pin Logic App was deployed.
  2. Select the “Send_shipment_pin” Logic App.
  3. Go to Settings > Identity.
  4. Copy the value for Object (principal) ID.
  5. Go to Entra ID in the Azure portal.
  6. Go to Manage > Roles and administrators.
  7. Select the role “Directory Readers”.
  8. Click + Add assignments.
  9. Under Select members, select “No member selected”.
  10. In the search field, paste the “Object (principal) ID” copied from step 4.
  11. Select the Enterprise Application displayed and click Select.
  12. Click Next.
  13. Ensure the Assignment type is selected as “Active”.
  14. Enter a justification and click Assign.
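The same Directory Readers assignment can be made through the Microsoft Graph API from the Azure CLI. The following script is an added example, not part of the Yubico guide; it assumes the signed-in user holds one of the roles named in the note above, that the Logic App is named Send_shipment_pin as in the guide, and that its system-assigned identity exists. The role is looked up by display name rather than hard-coded, and the final call lists the principal's directory role assignments so the result can be checked.

```shell
#!/bin/sh
# Added example (not from the Yubico guide): Microsoft Graph equivalent of the
# "Granting Logic App Permissions" portal steps, run through az rest.
set -eu

GRAPH=https://graph.microsoft.com/v1.0

# Body of a unifiedRoleAssignment: the Logic App's managed identity (principal)
# receives the role definition at tenant scope ("/").
role_assignment_body() {  # role_assignment_body <principal-object-id> <role-definition-id>
    printf '{"@odata.type":"#microsoft.graph.unifiedRoleAssignment","principalId":"%s","roleDefinitionId":"%s","directoryScopeId":"/"}' "$1" "$2"
}

# Object (principal) ID of the Logic App's system-assigned identity, the value
# the guide has you copy under Settings > Identity.
logic_app_principal_id() {  # logic_app_principal_id <resource-group> <logic-app-name>
    az resource show --resource-group "$1" --name "$2" --resource-type Microsoft.Logic/workflows \
        --query identity.principalId --output tsv
}

# Resolve a directory role definition by its display name.
directory_role_definition_id() {  # directory_role_definition_id <display-name>
    az rest --method GET \
        --url "$GRAPH/roleManagement/directory/roleDefinitions?\$filter=displayName eq '$1'" \
        --query "value[0].id" --output tsv
}

grant_directory_readers() {  # grant_directory_readers <resource-group> <logic-app-name>
    principal=$(logic_app_principal_id "$1" "$2")
    if [ -z "$principal" ] || [ "$principal" = "None" ]; then
        echo "Logic App $2 has no system-assigned managed identity" >&2
        return 1
    fi
    role=$(directory_role_definition_id "Directory Readers")
    az rest --method POST --url "$GRAPH/roleManagement/directory/roleAssignments" \
        --headers "Content-Type=application/json" \
        --body "$(role_assignment_body "$principal" "$role")" --output none
    # Verify: the Directory Readers definition ID should now appear in this list.
    az rest --method GET \
        --url "$GRAPH/roleManagement/directory/roleAssignments?\$filter=principalId eq '$principal'" \
        --query "value[].roleDefinitionId" --output tsv
}

case "${1:-}" in
    grant) grant_directory_readers "$2" "$3" ;;
esac
```

Usage: `./grant-directory-readers.sh grant <resource-group> Send_shipment_pin`. Directory Readers is the least-privileged built-in role that lets the workflow look up users through Microsoft Graph, which is why the guide selects it rather than a broader role; the verification output should show only that one definition ID for the Logic App's identity.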

Authorizing Office 365 Usage

To authorize the Send_shipment_pin Logic App to use the Office 365 connector, do the following:

  1. In the Azure portal, go to the resource group where the Send_shipment_pin Logic App was deployed.
  2. Select the “Send_shipment_pin” Logic App.
  3. Go to Development tools > API connections.
  4. Select the “office365” connection.
  5. Go to General > Edit API connection.
  6. Click Authorize.
  7. Log in with the account that will be used as the sender of Yubico FIDO Pre-reg PIN emails.
  8. When logged in, click Save.