Single Tenant Dashboard Deployment: Integrate your Organization's Azure

This article outlines the requirements for a customer's Azure subscription to integrate with a single tenant Dispel dashboard deployment.

Written by Matt Fulk
Updated over 3 months ago

For best results, Dispel recommends using a fully segmented Azure subscription that is designated exclusively for your Dispel deployment.

To deploy properly, Dispel will require three different kinds of service principal accounts in your subscription. Those service principal accounts are:

  1. Engine Contributor: Dispel requires a service principal account for our back-end engine with read-write (Contributor-role) permissions. This account will be used by our back-end engine to build/configure/destroy virtual machines for your deployment.

  2. Health Monitor: Dispel requires a service principal account for automated health checking services with read-only (Reader-role) permissions. This account will only be used to monitor the health of the Dispel deployment and to generate automated alerts.

  3. Support Principal: Dispel requires access to this subscription for our senior operations team members and the main operations engineer for the customer account (speak with your Dispel contact for details) with read-write (Contributor-role) permissions. These accounts will be used for maintenance and support of the deployment. These accounts may be time-bound to comply with your organization's requirements, with the appropriate modifications to our standard SLAs.

For each account, we will need the following, so please keep them protected and handy:

  • client-id

  • tenant-id

  • client-secret

Creating a Service Principal Account

Microsoft documentation for creating the service principal accounts can be found here: https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-1?tabs=bash

The above guide will walk you through:

  • Prerequisites for creating service principal accounts

    • In a subscription, you must have User Access Administrator or Role Based Access Control Administrator permissions, or higher, to create a service principal.

  • How to create a service principal

  • Create a service principal with role and scope

  • Creating password-based or certificate-based credentials for the service principal account. Dispel will require a client-secret for our integration.
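
As an added example (not Dispel's or Microsoft's own code), the script below creates the Engine Contributor and Health Monitor principals with their roles scoped to the dedicated subscription only, and maps the Azure CLI output keys to the client-id, tenant-id and client-secret values listed above. The display names `dispel-engine` and `dispel-health`, the output file names and the subscription ID placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Names, file paths and the subscription ID are placeholders.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"

# Role for each service principal, per the list in this article.
role_for() {
  case "$1" in
    engine) echo "Contributor" ;;   # Engine Contributor: read-write
    health) echo "Reader" ;;        # Health Monitor: read-only
    *) echo "unknown principal: $1" >&2; return 1 ;;
  esac
}

# Create one principal, scoped to the dedicated subscription and nothing wider.
create_sp() {  # usage: create_sp engine|health
  local role
  role="$(role_for "$1")" || return 1
  az ad sp create-for-rbac \
    --name "dispel-$1" \
    --role "$role" \
    --scopes "/subscriptions/${SUBSCRIPTION_ID}" \
    --output json
}

# Pull one string value out of the JSON that az prints.
json_field() {  # usage: json_field KEY < json
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# az reports appId / tenant / password; emit them under the requested names.
to_dispel_fields() {  # reads az JSON on stdin
  local json
  json="$(cat)"
  printf 'client-id=%s\n' "$(printf '%s' "$json" | json_field appId)"
  printf 'tenant-id=%s\n' "$(printf '%s' "$json" | json_field tenant)"
  printf 'client-secret=%s\n' "$(printf '%s' "$json" | json_field password)"
}

# Store the result in a file readable only by the current user (mode 600).
save_credentials() {  # usage: create_sp engine | save_credentials engine
  ( umask 077; to_dispel_fields > "dispel-$1.env" )
}
```

Run `create_sp engine | save_credentials engine` and then the same for `health`; the client-secret is only shown once by the CLI, so it is piped straight to the protected file instead of the terminal.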

Adding the Dispel Team to your Subscription

For the accounts created for the Dispel Operations Team managing your account, the following guide will help you add them to your subscription and manage their roles and access.

Microsoft documentation for adding an external user to your Azure subscription:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

This guide covers:

  • Prerequisites for adding new members (external) to a subscription

  • When to add a user - for example in line with Dispel's deployment

  • The differences between guest and member users

  • Adding an external user to your directory

  • Assigning roles for those users

  • Common troubleshooting topics
