Last reviewed: April 9, 2025
Installing ArchTechLytics on Microsoft Azure
This guide covers installing ArchTechLytics into your Azure environment using the Managed Application model from the Azure Marketplace.
In this article:
- Prerequisites
- Function App Permissions
- App Registration Permissions and Admin Consent
- Azure Marketplace Deployment Steps
- Post-Install Checklist
Prerequisites
To install ArchTechLytics, you'll need:
- If your organization has a change management process, review and seek approval to configure the required Function App Permissions.
- An Azure subscription with permission to create resource groups and assign roles
- Registration of the following resource providers in the subscription where ArchTechLytics will be deployed:
Microsoft.App
Microsoft.AlertsManagement
To learn how to register resource providers, refer to:
Register resource providers in Azure
You can register them using one of the following methods:
Azure CLI
az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.AlertsManagement
Azure PowerShell
Register-AzResourceProvider -ProviderNamespace Microsoft.App
Register-AzResourceProvider -ProviderNamespace Microsoft.AlertsManagement
Azure Portal
- Go to the Subscriptions blade in the Azure Portal.
- Select the subscription where you'll deploy ArchTechLytics.
- In the left-hand menu, select Resource providers.
- Search for Microsoft.App and Microsoft.AlertsManagement, then click Register for each.
Function App Permissions
The Function App deployed with ArchTechLytics requires Azure RBAC role assignments and Microsoft Graph Permissions (i.e. App Roles). A customer action notification will be sent via Azure Communication Services after ArchTechLytics is deployed, with instructions on when and how to grant these permissions.
Azure RBAC Reader Role at Tenant Root
The Function App requires the Azure RBAC Reader role assignment at the Tenant Root Management Group scope. This enables full visibility across all management groups and subscriptions to ensure full accountability for all deployed cloud resources.
Microsoft Graph App Roles
The following Microsoft Graph App Roles are required by the ArchTechLytics Function App:
App Role ID | Permission Name | Description |
---|---|---|
dbb9058a-0e50-45d7-ae91-66909b5d4664 | Domain.Read.All | Read domain configuration |
498476ce-e0fe-48b0-b801-37ba7e2685c6 | Organization.Read.All | Read organization profile |
246dd0d5-5bd0-4def-940b-0421030a5b68 | Policy.Read.All | Read directory policies |
18a4783c-866b-4cc7-a460-3d5e5662c884 | Application.ReadWrite.OwnedBy | Manage apps owned by the identity |
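To confirm after consent that the Function App's identity holds exactly the four Graph app roles in the table above, you can diff its app role assignments against that list. The following is an added example, not part of ArchTechLytics or its documentation; it assumes the input is the JSON body returned by Microsoft Graph `GET /servicePrincipals/{id}/appRoleAssignments` for the Function App's service principal, and the sample object IDs and extra role IDs are constructed placeholders.

```python
import json

# Graph app roles the page lists for the Function App (role ID -> name).
EXPECTED_ROLES = {
    "dbb9058a-0e50-45d7-ae91-66909b5d4664": "Domain.Read.All",
    "498476ce-e0fe-48b0-b801-37ba7e2685c6": "Organization.Read.All",
    "246dd0d5-5bd0-4def-940b-0421030a5b68": "Policy.Read.All",
    "18a4783c-866b-4cc7-a460-3d5e5662c884": "Application.ReadWrite.OwnedBy",
}

def audit_app_roles(response_text, graph_sp_object_id):
    """Diff granted app roles against the documented set.

    response_text: JSON body of GET /servicePrincipals/{id}/appRoleAssignments
    graph_sp_object_id: object ID of the Microsoft Graph service principal in
    this tenant (it appears as resourceId on each Graph assignment).
    """
    expected, granted, other_resources = set(EXPECTED_ROLES), set(), []
    for item in json.loads(response_text).get("value", []):
        role_id = item["appRoleId"].lower()
        if item["resourceId"].lower() == graph_sp_object_id.lower():
            granted.add(role_id)
        else:
            # App role on an API other than Graph; the page documents none.
            other_resources.append((item.get("resourceDisplayName"), role_id))
    return {
        "missing": sorted(EXPECTED_ROLES[r] for r in expected - granted),
        "unexpected": sorted(granted - expected),
        "other_resources": other_resources,
    }

# Constructed sample response: object IDs and the two extra role IDs are
# placeholders, not real tenant data.
GRAPH_SP = "aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE = json.dumps({"value": [
    {"resourceId": GRAPH_SP, "appRoleId": "dbb9058a-0e50-45d7-ae91-66909b5d4664"},
    {"resourceId": GRAPH_SP, "appRoleId": "498476ce-e0fe-48b0-b801-37ba7e2685c6"},
    {"resourceId": GRAPH_SP, "appRoleId": "246DD0D5-5BD0-4DEF-940B-0421030A5B68"},
    {"resourceId": GRAPH_SP, "appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"resourceId": "bbbbbbbb-0000-0000-0000-000000000002",
     "resourceDisplayName": "Constructed API",
     "appRoleId": "22222222-2222-2222-2222-222222222222"},
]})

if __name__ == "__main__":
    print(json.dumps(audit_app_roles(SAMPLE, GRAPH_SP), indent=2))
```

An empty `missing` list with empty `unexpected` and `other_resources` means the identity matches the documented grant; anything else is worth reviewing before or after admin consent.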
App Registration Permissions and Admin Consent
ArchTechLytics creates and manages two Entra ID app registrations during deployment:
ArchTechLytics-WebApp
(Used for sign-in)
API | Permission | Type |
---|---|---|
Microsoft Graph | Delegated | |
Microsoft Graph | offline_access | Delegated |
Microsoft Graph | openid | Delegated |
Microsoft Graph | profile | Delegated |
Microsoft Graph | User.Read | Delegated |
ArchWebAPI | api.access | Delegated |
ArchTechLytics-WebAPI
(Used for secure API access)
API | Permission | Type |
---|---|---|
Azure Service Management (ARM) | user_impersonation | Delegated |
Microsoft Graph | Application.Read.All | Application |
Microsoft Graph | Policy.Read.All | Application |
Microsoft Graph | User.Read.All | Application |
Microsoft Graph | Delegated | |
Microsoft Graph | offline_access | Delegated |
Microsoft Graph | openid | Delegated |
Microsoft Graph | profile | Delegated |
Microsoft Graph | User.Read | Delegated |
A Global Administrator or Privileged Role Administrator is required to grant consent to both app registrations.
You will receive an email notification after deployment with instructions on when and how to grant consent.
Azure Marketplace Deployment Steps
- Go to the ArchTechLytics Azure Marketplace Offer
- Click "Get It Now"
  Choose the subscription and region where you want to deploy ArchTechLytics.
  To evaluate whether your selected region has capacity for all required services (e.g., Cosmos DB, App Service), see the Deployed Resources Summary.
- Provide Install Inputs
  Complete the guided form, including:
  - Subscription: the Azure subscription to deploy into
  - Resource Group Name: where the Managed Application will live
  - Notification Email: used for alerts and permission requests
  - Virtual Network Settings: accept the default CIDR ranges or provide your own CIDR ranges for subnets
- Review and Create
  After submitting the install form, ArchTechLytics will go through a multi-stage deployment process:
  - Stage 1: Azure Resource Provisioning
    Azure deploys the Managed Application, Managed Resource Group, and all underlying services (e.g., Function App, Cosmos DB, App Config, etc.).
  - Stage 2: Initial Code Deployment & Orchestration
    TechParadigm runs an Azure DevOps pipeline that:
    - Deploys initial code to the Function App
    - Seeds Cosmos DB and App Configuration
    - Creates the Entra ID App Registrations
    - Triggers customer action notifications for permission assignment and admin consent
  - Stage 3: Final Web App Deployment
    After all post-provisioning tasks are complete, a final pipeline deploys the ArchTechLytics Web UI.
- Access the App
  Once the web application is deployed, you'll receive an email with the login URL to the ArchTechLytics web portal. You can sign in using any Entra ID account in your tenant.
Post-Install Checklist
- Log in successfully.
- Register a new System and assign Azure resources to it.
- Review the insights provided by scoring.