# Install an Azure connector on ACI using Azure CLI

Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using Azure CLI.

***

### Prerequisites

<table><thead><tr><th width="230">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value</p><p>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation > Azure > Install and Connect Azure Account > CLI (Container Instance)</strong>.</li><li>Copy the token listed on the page in step <strong>1</strong>.</li></ol></td></tr><tr><td><strong>Azure Cloud Command Line Interface (AZ CLI)</strong></td><td><a href="https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli">Tool</a> that enables interacting with Azure services using your command-line shell</td></tr><tr><td><strong>Azure Cloud Information</strong></td><td><p>Information for your Azure Cloud instance:</p><ul><li><a href="https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id">Subscription ID</a></li><li><a href="https://learn.microsoft.com/en-us/azure/governance/management-groups/manage#view-management-groups">Management Group Name</a></li><li><a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#open-resource-groups">Resource group name</a></li></ul></td></tr><tr><td><strong>Owner Role (Azure RBAC)</strong></td><td><p><a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner">Azure role</a> with the following permissions:</p><ul><li>Grants full access to manage all resources</li><li>Assigns roles in Azure RBAC</li></ul></td></tr><tr><td><strong>Global Administrator</strong></td><td><p>The user following this guide should have an <a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator">Microsoft Entra role</a> with the following permission:</p><ul><li>Manages all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities</li></ul><p><span data-gb-custom-inline data-tag="emoji" data-code="2757">❗</span><strong>Apono itself does not require Global Administrator access; the role is needed only by the admin following this guide.</strong> <span data-gb-custom-inline data-tag="emoji" data-code="2757">❗</span></p></td></tr></tbody></table>

***

### Install a new connector

You can install a connector for an Azure **Management Group** or **Subscription**.

{% hint style="info" %}
The connector requires the following roles:

1. Directory Readers - to validate users in Azure
2. User Access Administrator - to provision and de-provision access in the Management Group

Read more about these Microsoft Entra ID roles [here](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers).
{% endhint %}

{% tabs %}
{% tab title="Management Group" %}
Follow these steps to install a new connector:

1. At the shell prompt, set the environment variables.

```bash
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
export MANAGEMENT_GROUP_NAME=<AZURE_MANAGEMENT_GROUP_NAME>
```

2. Log in to your Azure account.

```bash
az login
```

3. Set the `REGION` environment variable.

{% code overflow="wrap" %}

```bash
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
```

{% endcode %}

4. Run the following command to deploy the connector on your ACI.

{% code overflow="wrap" %}

```bash
export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.7.9 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 2 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
```

{% endcode %}

5. Add the **User Access Administrator** role to the connector in the management group scope.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME
```

{% endcode %}

6. If your Azure resources have [resource locks](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources) applied, assign the **Tag Contributor** role to the connector at the management group scope. This allows Apono to add a tag marker during the grant or revoke process.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "Tag Contributor" --scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME
```

{% endcode %}

7. For Azure AD, add the **Directory Readers** role to the connector. For Azure AD Groups, add the **Groups Administrator** and **Privileged Role Administrator** roles.

{% tabs %}
{% tab title="Azure AD" %}
{% code overflow="wrap" %}

```bash
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}

{% tab title="Azure AD Groups" %}
{% code overflow="wrap" %}

```bash
# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}
{% endtabs %}

8. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been updated.

You can now integrate with an [Azure Management Group or Azure Subscription](/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions.md).
{% endtab %}

{% tab title="Subscription" %}
Follow these steps to install a new connector:

1. At the shell prompt, set the environment variables.

```bash
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
```

2. Log in to your Azure account.

```bash
az login
```

3. Set the `REGION` environment variable.

{% code overflow="wrap" %}

```bash
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
```

{% endcode %}

4. Run the following command to deploy the connector on your ACI.

{% code overflow="wrap" %}

```bash
export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.7.9 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 2 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
```

{% endcode %}

5. Add the **User Access Administrator** role to the connector in the subscription scope.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
```

{% endcode %}

6. If your Azure resources have [resource locks](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources) applied, assign the **Tag Contributor** role to the connector at the subscription scope. This allows Apono to add a tag marker during the grant or revoke process.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "Tag Contributor" --scope /subscriptions/$SUBSCRIPTION_ID
```

{% endcode %}

7. For Azure AD, add the **Directory Readers** role to the connector. For Azure AD Groups, add the **Groups Administrator** and **Privileged Role Administrator** roles.

{% tabs %}
{% tab title="Azure AD" %}
{% code overflow="wrap" %}

```bash
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}

{% tab title="Azure AD Groups" %}
{% code overflow="wrap" %}

```bash
# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}
{% endtabs %}

8. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been updated.

You can now integrate with an [Azure Management Group or Azure Subscription](/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions.md).
{% endtab %}
{% endtabs %}
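The two procedures above (Management Group and Subscription) differ only in the `--scope` of the role assignments, and each has the same failure modes: a placeholder left in an `export`, or an `az container create` that fails and leaves `PRINCIPAL_ID` empty, so that the later `az role assignment create` and `az rest` calls run with a bad principal. The script below is an added example, not Apono's code and not part of this page's procedure; it wraps steps 1 to 7 of both tabs with those checks and adds a `DRY_RUN=1` mode that prints every `az` command (with the token masked) instead of executing it. The function names, the `DRY_RUN`, `WITH_TAG_CONTRIBUTOR` and `AD_ROLE_SET` switches, and the dry-run stand-in values (`eastus`, the all-zero GUID) are assumptions of this example. One deliberate change from the page's command: the token is passed with `--secure-environment-variables` rather than `--environment-variables`, so it is not readable from the container group's properties; everything else (image tag, ports, CPU, memory, role IDs, Graph endpoint) is as on the page.

```bash
#!/usr/bin/env bash
# Added example, not Apono's code: wraps steps 1-7 of both tabs above so that
# (a) nothing runs while a variable still holds a "<PLACEHOLDER>", (b) roles are
# assigned only if "az container create" really returned a principal ID, and
# (c) DRY_RUN=1 prints every az command (token masked) instead of running it.
# Function names, the DRY_RUN / WITH_TAG_CONTRIBUTOR / AD_ROLE_SET switches and the
# dry-run stand-in values are assumptions; the token goes in --secure-environment-variables.
set -eu

# Image tag, Graph endpoint and directory role definition IDs exactly as above.
CONNECTOR_IMAGE="registry.apono.io/apono-connector:v1.7.9"
GRAPH_ROLE_URI="https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments"
DIRECTORY_READERS_ID="88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
GROUPS_ADMIN_ID="fdd7a751-b60b-444a-984c-02652fe8fa1c"
PRIV_ROLE_ADMIN_ID="e8611ab8-c189-46e8-94e1-60213ab1f814"

# True when a value is empty or still an unreplaced "<...>" placeholder.
is_placeholder() { case "$1" in ""|"<"*">") return 0 ;; *) return 1 ;; esac; }
# GUID shape check for the principal ID that "az container create" returns.
is_guid() { printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; }
# Fail, naming every offender, if a required variable is unset or a placeholder.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if is_placeholder "$value"; then echo "error: $name is unset or a placeholder" >&2; missing=1; fi
  done
  return "$missing"
}
# Role scope for the Management Group ("mg") or Subscription ("sub") variant.
role_scope() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    sub) printf '/subscriptions/%s\n' "$2" ;;
    *)   echo "error: scope kind must be mg or sub, got '$1'" >&2; return 1 ;;
  esac
}
# The two JSON bodies the page builds with nested shell quotes, via printf instead.
connector_metadata() { printf '{"cloud_provider":"AZURE","subscription_id":"%s","resource_group":"%s","region":"%s","is_azure_admin":true}\n' "$1" "$2" "$3"; }
directory_role_body() { printf '{"principalId": "%s", "roleDefinitionId": "%s", "directoryScopeId": "/"}\n' "$1" "$2"; }
# Mask the Apono token inside one argument (dry-run output only).
redact() {
  tok="${APONO_TOKEN:-}"
  if [ -n "$tok" ]; then
    case "$1" in *"$tok"*) prefix=${1%%"$tok"*}; printf '%s<redacted>' "$prefix"; return 0 ;; esac
  fi
  printf '%s' "$1"
}
# Run an az command, or (DRY_RUN=1) print it to stderr instead, token masked.
run_az() {
  if [ "${DRY_RUN:-0}" != "1" ]; then az "$@"; return; fi
  printf '[dry-run] az' >&2
  for arg in "$@"; do printf ' %s' "$(redact "$arg")" >&2; done
  printf '\n' >&2
}
# Same, for commands whose stdout is captured; dry-run yields the given stand-in.
capture_az() {
  standin="$1"; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then run_az "$@"; printf '%s\n' "$standin"; else az "$@"; fi
}

# Steps 2-7 in order; "$1" is mg or sub. Step 1 (the exports) is the caller's job.
install_connector() {
  require_vars APONO_CONNECTOR_ID APONO_TOKEN SUBSCRIPTION_ID RESOURCE_GROUP_NAME
  scope_name="$SUBSCRIPTION_ID"
  if [ "$1" = "mg" ]; then require_vars MANAGEMENT_GROUP_NAME; scope_name="$MANAGEMENT_GROUP_NAME"; fi
  scope=$(role_scope "$1" "$scope_name")
  run_az login >/dev/null
  REGION=$(capture_az eastus group show --name "$RESOURCE_GROUP_NAME" --query location --output tsv)
  PRINCIPAL_ID=$(capture_az 00000000-0000-0000-0000-000000000000 container create \
    --subscription "$SUBSCRIPTION_ID" --resource-group "$RESOURCE_GROUP_NAME" --name "$APONO_CONNECTOR_ID" \
    --ports 80 --os-type linux --image "$CONNECTOR_IMAGE" --cpu 1 --memory 2 --location "$REGION" \
    --environment-variables "APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID" APONO_URL=api.apono.io \
      "CONNECTOR_METADATA=$(connector_metadata "$SUBSCRIPTION_ID" "$RESOURCE_GROUP_NAME" "$REGION")" \
    --secure-environment-variables "APONO_TOKEN=$APONO_TOKEN" \
    --registry-login-server registry.apono.io --registry-username apono --registry-password "$APONO_TOKEN" \
    --assign-identity --query identity.principalId --output tsv)
  is_guid "$PRINCIPAL_ID" || { echo "error: no principal ID from az container create; no roles assigned" >&2; return 1; }
  run_az role assignment create --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal \
    --role "User Access Administrator" --scope "$scope"
  if [ "${WITH_TAG_CONTRIBUTOR:-0}" = "1" ]; then   # step 6: only when resource locks are in use
    run_az role assignment create --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal \
      --role "Tag Contributor" --scope "$scope"
  fi
  # Step 7: AD_ROLE_SET=ad (default) -> Directory Readers; groups -> Groups Admin + Privileged Role Admin.
  case "${AD_ROLE_SET:-ad}" in
    ad)     role_ids="$DIRECTORY_READERS_ID" ;;
    groups) role_ids="$GROUPS_ADMIN_ID $PRIV_ROLE_ADMIN_ID" ;;
    *)      echo "error: AD_ROLE_SET must be ad or groups" >&2; return 1 ;;
  esac
  for role_id in $role_ids; do
    run_az rest --method POST --uri "$GRAPH_ROLE_URI" --body "$(directory_role_body "$PRINCIPAL_ID" "$role_id")"
  done
}

# Usage: DRY_RUN=1 ./install-connector.sh mg   (or sub); drop DRY_RUN to run for real.
case "${1:-}" in mg|sub) install_connector "$1" ;; esac
```

Run it once with `DRY_RUN=1` after setting the step 1 exports: the printed commands are the ones the page lists, in order, with `APONO_TOKEN=<redacted>` where the token would appear, so the scope and variable values can be reviewed before any role is granted. Without `DRY_RUN`, a leftover `<PLACEHOLDER>` or an empty principal ID stops the script before `az role assignment create` or `az rest` is reached.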