Update README.md #10

Open
wants to merge 1 commit into
base: master
6 changes: 5 additions & 1 deletion Azure-ARM/README.md
Expand Up @@ -24,7 +24,11 @@ Here's **how** it will be deployed. You must have a Managed Identity created to
2. **DNS Zone Contributor** role to the particular DNS zone where the entry will be created OR **Contributor** role to the DNS Zone Resource Group.This is needed only if updating DNS hosted in Azure. To follow best practice for least access, the DNS Zone Contributor on the zone itself is the recommended option.
3. **Application Administrator** role in Azure Active Directory, so the Application registration can be created by the Deployment Managed Identity and the required permissions can be assigned to it.
4. **Managed Identity Contributor** and **User Access Administrator** at the Subscription level. These two are needed in order for the ARM template Deployment Managed Identity to be able to create the Key Vault specific Managed Identity that will be used by Profisee to pull the values stored in the Key Vault, as well as to assign the AKSCluster-agentpool the Managed Identity Operator role (to the Resource and Infrastructure Resource groups) and Virtual Machine Operator role (to the Infrastructure Resource group). If Key Vault will not be used, these roles are not required.
5. **Key Vault requirements**. If you are using a Key Vault, please make sure that your Access Policy page has a checkmark on "Azure Resource Manager for template deployment". Otherwise, MS will not be able to validate the ARM template's access against your Key Vault and will result in validation failure in the ARM template before it begins deployment.
5. **Key Vault requirements**. If you are using a Key Vault, please make sure that your Access Policy page has a checkmark on "Azure Resource Manager for template deployment". Otherwise, MS will not be able to validate the ARM template's access against your Key Vault and will result in validation failure in the ARM template before it begins deployment. Run the code below in PowerShell or Azure CLI to allow access to your Key Vault during template deployment.
```
PowerShell - Set-AzKeyVaultAccessPolicy -VaultName ExampleVault -EnabledForTemplateDeployment
Azure CLI - az keyvault update --name ExampleVault --enabled-for-template-deployment true
```
6. **Purview Integration requirements**. If Profisee will be configured to integrate with Microsoft Purview, a Purview specific Application Registration will need to be created and have the **Collections Admin** and **Data Curator Role** assigned in the Purview account. It will also have to be assigned the User.Read **delegated** permission as well as the User.Read.All, Group.Read.All and GroupMember.Read.All **application** permissions (these 3 required Global Admin consent). During the ARM template deployment you will now have to provide the Purview collection friendly name, as seen in the Purview web portal, regardless if this is a sub-collection or the root collection of Purview.
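Review bot: In the fenced block added under item 5, the labels "PowerShell - " and "Azure CLI - " sit inside the fence, so a reader who copies either line verbatim gets a command that does not run. Move the labels out of the fence (or turn them into comments) and give each command its own block. The fence also starts at column 0, which ends the numbered list in Markdown, so the block renders outside item 5; indent it to the item's text. It would also help to say that ExampleVault is a placeholder for the reader's vault name, and that either command sets the same option as the "Azure Resource Manager for template deployment" checkbox, so readers do not assume both the portal step and the command are required.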

