# Install an Azure connector on ACI using Azure CLI

Azure Container Instances (ACI) is a managed, serverless compute platform for running containerized applications. This guide explains how to install and configure an Apono connector on ACI in your Azure environment using Azure CLI.

***

### Prerequisites

<table><thead><tr><th width="230">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value</p><p>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation > Azure > Install and Connect Azure Account > CLI (Container Instance)</strong>.</li><li>Copy the token listed on the page in step <strong>1</strong>.</li></ol></td></tr><tr><td><strong>Azure Cloud Command Line Interface (AZ CLI)</strong></td><td><a href="https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli">Tool</a> that enables interacting with Azure services using your command-line shell</td></tr><tr><td><strong>Azure Cloud Information</strong></td><td><p>Information for your Azure Cloud instance:</p><ul><li><a href="https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id">Subscription ID</a></li><li><a href="https://learn.microsoft.com/en-us/azure/governance/management-groups/manage#view-management-groups">Management Group Name</a></li><li><a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#open-resource-groups">Resource group name</a></li></ul></td></tr><tr><td><strong>Owner Role (Azure RBAC)</strong></td><td><p><a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner">Azure role</a> with the following permissions:</p><ul><li>Grants full access to manage all resources</li><li>Assigns roles in Azure RBAC</li></ul></td></tr><tr><td><strong>Global Administrator</strong></td><td><p>The user following this guide should have an <a href="https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator">Microsoft Entra role</a> with the following permission:</p><ul><li>Manages all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities</li></ul><p><span data-gb-custom-inline data-tag="emoji" data-code="2757">❗</span><strong>Apono does not require Global Administrator access. This is required for the admin following this guide.</strong> <span data-gb-custom-inline data-tag="emoji" data-code="2757">❗</span></p></td></tr></tbody></table>

***

### Install a new connector

You can install a connector for an Azure **Management Group** or **Subscription.**

{% hint style="info" %}
The connector requires the following roles:

1. Directory Readers - to validate users in Azure
2. User Access Administrator - to provision and de-provision access in the Management Group

Read more about these Microsoft Entra ID roles [here](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers).
{% endhint %}

{% tabs %}
{% tab title="Management Group" %}
Follow these steps to install a new connector:

1. At the shell prompt, set the environment variables.

```bash
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
export MANAGEMENT_GROUP_NAME=<AZURE_MANAGEMENT_GROUP_NAME>
```

2. Log in to your Azure account.

```bash
az login
```

3. Set the `REGION` environment variable.

{% code overflow="wrap" %}

```bash
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
```

{% endcode %}

4. Run the following command to deploy the connector on your ACI.

{% code overflow="wrap" %}

```bash
export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.7.8 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 2 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
```

{% endcode %}

5. Add the **User Access Administrator** role to the connector in the management group scope.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME
```

{% endcode %}

6. If your Azure resources have [resource locks](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources) applied, assign the **Tag Contributor** role to the connector at the management group scope. This allows Apono to add a tag marker during the grant or revoke process.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "Tag Contributor" --scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME
```

{% endcode %}

7. For Azure AD, add the **Directory Readers** role to the connector. For Azure AD Groups, add the **Groups Administrator** and **Privileged Role Administrator** roles.

{% tabs %}
{% tab title="Azure AD" %}
{% code overflow="wrap" %}

```bash
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}

{% tab title="Azure AD Groups" %}
{% code overflow="wrap" %}

```bash
# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}
{% endtabs %}

8. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been updated.

You can now integrate with an [Azure Management Group or Azure Subscription](https://docs.apono.io/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions).
{% endtab %}

{% tab title="Subscription" %}
Follow these steps to install a new connector:

1. At the shell prompt, set the environment variables.

```bash
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export APONO_TOKEN=<APONO_TOKEN>
export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
```

2. Log in to your Azure account.

```bash
az login
```

3. Set the `REGION` environment variable.

{% code overflow="wrap" %}

```bash
export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
```

{% endcode %}

4. Run the following command to deploy the connector on your ACI.

{% code overflow="wrap" %}

```bash
export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:v1.7.6 --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 2 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)
```

{% endcode %}

5. Add the **User Access Administrator** role to the connector in the subscription scope.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
```

{% endcode %}

6. If your Azure resources have [resource locks](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources) applied, assign the **Tag Contributor** role to the connector at the subscription scope. This allows Apono to add a tag marker during the grant or revoke process.

{% code overflow="wrap" %}

```bash
az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "Tag Contributor" --scope /subscriptions/$SUBSCRIPTION_ID
```

{% endcode %}

7. For Azure AD, add the **Directory Readers** role to the connector. For Azure AD Groups, add the **Groups Administrator** and **Privileged Role Administrator** roles.

{% tabs %}
{% tab title="Azure AD" %}
{% code overflow="wrap" %}

```bash
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}

{% tab title="Azure AD Groups" %}
{% code overflow="wrap" %}

```bash
# First role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c", "directoryScopeId": "/"}'

# Second role assignment
az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "directoryScopeId": "/"}'
```

{% endcode %}
{% endtab %}
{% endtabs %}

8. On the [**Connectors**](https://app.apono.io/connectors) page, verify that the connector has been updated.

You can now integrate with an [Azure Management Group or Azure Subscription](https://docs.apono.io/docs/azure-environment/azure-integrations/integrate-with-azure-management-groups-or-subscriptions).
{% endtab %}
{% endtabs %}
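The steps in both tabs share two failure modes that only surface several commands later: a variable from step 1 left as its `<PLACEHOLDER>` text, and an empty `PRINCIPAL_ID` after step 4 because `az container create` failed, so every `az role assignment create` in steps 5 to 7 then runs against an empty assignee. The following pre-flight script is an added example, not Apono's own code: it checks the step 1 variables, checks that `PRINCIPAL_ID` is a GUID before any role is assigned, builds the RBAC scope for either install mode, and lists the roles the connector identity actually holds afterwards. The function names (`is_set`, `is_guid`, `role_scope`, `check_env`, `check_principal`, `verify_rbac_roles`) and the file name `preflight.sh` in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Apono's own code: pre-flight checks for the ACI connector
# install procedure. Function names are this example's own.
set -eu

# 0 when the value is non-empty and not a "<PLACEHOLDER>" left over from step 1.
is_set() {
  case "${1:-}" in
    "" | "<"*">") return 1 ;;
    *) return 0 ;;
  esac
}

# 0 only when the value is a GUID, the shape `--query identity.principalId`
# returns when the container's managed identity was actually created.
is_guid() {
  printf '%s' "${1:-}" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Build the RBAC scope used in steps 5 and 6, so one role-assignment command
# serves both the Management Group and the Subscription tab.
role_scope() {
  case "${1:-}" in
    management-group) printf '/providers/Microsoft.Management/managementGroups/%s\n' "${2:-}" ;;
    subscription)     printf '/subscriptions/%s\n' "${2:-}" ;;
    *) echo "role_scope: unknown mode '${1:-}'" >&2; return 1 ;;
  esac
}

# Check every named variable before the first az command runs; report all
# problems rather than stopping at the first one.
check_env() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if ! is_set "$value"; then
      echo "$name is unset or still a placeholder" >&2
      missing=1
    fi
  done
  return $missing
}

# Run right after step 4: refuse to assign roles unless PRINCIPAL_ID is a GUID.
check_principal() {
  if ! is_guid "${PRINCIPAL_ID:-}"; then
    echo "PRINCIPAL_ID is not a GUID; check the 'az container create' output" >&2
    return 1
  fi
}

# After steps 5 and 6: list the RBAC roles the connector identity holds at the
# given scope (needs the Azure CLI and an active `az login` session).
verify_rbac_roles() {
  az role assignment list --assignee "$PRINCIPAL_ID" --scope "$1" \
    --query '[].roleDefinitionName' --output tsv
}

# Usage in the Management Group flow (assumed file name preflight.sh):
#   . ./preflight.sh
#   check_env APONO_CONNECTOR_ID APONO_TOKEN SUBSCRIPTION_ID RESOURCE_GROUP_NAME MANAGEMENT_GROUP_NAME
#   ... run steps 2 to 4 ...
#   check_principal && SCOPE=$(role_scope management-group "$MANAGEMENT_GROUP_NAME")
#   ... run steps 5 to 7 ...
#   verify_rbac_roles "$SCOPE"   # expect "User Access Administrator" (and "Tag Contributor" if step 6 was run)
```

Source the file in the same shell where you exported the step 1 variables, since `check_env` reads them from the environment by name; `verify_rbac_roles` is the only function that talks to Azure, and its output should list exactly the roles assigned in steps 5 and 6 and nothing more.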
