Azure - Use Existing Subscription Requirements

The Azure deployment requires a new Azure AD Application and Service Principal to be registered, with the “Contributor” role. These are created when the requisite powershell azure bootstrap configuration script is run within your Azure portal interface CLI console. There is no way to directly create a service principal using the Azure portal for someone else. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. Therefore, if you want to use an existing Azure subscription for this deployment, with minimum permissions given to users, we suggest one of the options described below. Please note that if you do not have a requirement for minimum necessary permissions, you can always perform the deployment as the “Owner” role on any subscription.

Option 1 (admin):

  • Have your Azure admin run the azure bootstrap configuration script. Make sure you also give them the customer name provided by Neverfail, the increment number, your GitHub token, and documentation on running the script.

Option 2 (non-admin):

  • Change App registrations on the Azure Active Directory to allow any user to register an app.

  • In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign a role to an AD app. This action is granted through the Owner role or User Access Administrator role. If your account is assigned the Contributor role, you don't have adequate permission. You will receive an error when attempting to assign the service principal a role.