Install Azure connector on ACI using PowerShell
The remainder of this guide focuses on installing and configuring the Azure Apono connector on ACI in your Azure environment using PowerShell.
Before you begin
You must satisfy the Apono connector for Azure requirements to complete this tutorial.
Installation Steps
In The Terminal
Set the following variables in your PowerShell session.
$APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
$APONO_TOKEN = "<APONO_TOKEN>"
$SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
$RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
$MANAGEMENT_GROUP_NAME = "<AZURE_MANAGEMENT_GROUP_NAME>"
Set the REGION variable.
$REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
Run the following command to deploy the connector on your ACI.
$port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
$env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
$env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
$jsonValue = @{
    cloud_provider = "AZURE"
    subscription_id = $SUBSCRIPTION_ID
    resource_group = $RESOURCE_GROUP_NAME
    region = $REGION
    is_azure_admin = $true
} | ConvertTo-Json -Compress
$env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
$container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.6.7 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5
$imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
$PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
Add the User Access Administrator role to the connector in the management group scope.
New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope /providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME
For Azure AD, add the Directory Readers role to the connector.
$payload = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
# First role assignment
$payload1 = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload1
# Second role assignment
$payload2 = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload2
On the Connectors page, verify that the connector has been updated.
Set the following variables in your PowerShell session.
$APONO_CONNECTOR_ID = "<A_UNIQUE_CONNECTOR_NAME>"
$APONO_TOKEN = "<APONO_TOKEN>"
$SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
$RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
Set the REGION variable.
$REGION=$(Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
Run the following command to deploy the connector on your ACI.
$port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
$env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
$env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
$jsonValue = @{
    cloud_provider = "AZURE"
    subscription_id = $SUBSCRIPTION_ID
    resource_group = $RESOURCE_GROUP_NAME
    region = $REGION
    is_azure_admin = $true
} | ConvertTo-Json -Compress
$env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
$container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.6.7 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5
$imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
$PRINCIPAL_ID=$(New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
Add the User Access Administrator role to the connector in the subscription scope.
New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope /subscriptions/$SUBSCRIPTION_ID
For Azure AD, add the Directory Readers role to the connector.
$payload = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
For Azure AD Groups, add the Groups Administrator and Privileged Role Administrator roles.
# First role assignment
$payload1 = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "fdd7a751-b60b-444a-984c-02652fe8fa1c"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload1
# Second role assignment
$payload2 = @{
    principalId = $PRINCIPAL_ID
    roleDefinitionId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
    directoryScopeId = "/"
} | ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload2
On the Connectors page, verify that the connector has been updated.
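The connector's system-assigned identity now holds privileged Azure RBAC and directory roles, so it is worth confirming exactly what was granted. The following is an added example, not part of Apono's guide: it audits the assignments made in the steps above using the role IDs and scopes from this page. It assumes $PRINCIPAL_ID and the scope variables are still set in the session, and that $MANAGEMENT_GROUP_NAME is set only if the management group variant was used.

```powershell
# Added example: audit what the connector's managed identity was granted.
# Role template IDs are the ones posted to Graph in the steps above.
$expectedDirectoryRoles = @{
    "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" = "Directory Readers"
    "fdd7a751-b60b-444a-984c-02652fe8fa1c" = "Groups Administrator"
    "e8611ab8-c189-46e8-94e1-60213ab1f814" = "Privileged Role Administrator"
}

# Scope used in the role assignment step (management group or subscription).
$scope = if ($MANAGEMENT_GROUP_NAME) {
    "/providers/Microsoft.Management/managementGroups/$MANAGEMENT_GROUP_NAME"
} else {
    "/subscriptions/$SUBSCRIPTION_ID"
}

# 1. Azure RBAC: list every assignment the identity holds that applies at the scope.
$rbac = Get-AzRoleAssignment -ObjectId $PRINCIPAL_ID -Scope $scope
$rbac | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$uaa = $rbac | Where-Object {
    $_.RoleDefinitionName -eq "User Access Administrator" -and $_.Scope -eq $scope
}
if (-not $uaa) { Write-Warning "User Access Administrator is not assigned at $scope" }

# 2. Directory roles: read back from the same Graph endpoint the guide posts to.
$query = [uri]::EscapeDataString("principalId eq '$PRINCIPAL_ID'")
$uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=$query"
$response = Invoke-AzRestMethod -Method GET -Uri $uri
if ($response.StatusCode -ne 200) {
    throw "Graph query failed with HTTP $($response.StatusCode): $($response.Content)"
}
$assigned = ($response.Content | ConvertFrom-Json).value

# Report roles the guide assigns that are absent, then any it does not assign.
foreach ($id in $expectedDirectoryRoles.Keys) {
    if ($assigned.roleDefinitionId -notcontains $id) {
        Write-Warning "Missing directory role: $($expectedDirectoryRoles[$id])"
    }
}
foreach ($a in $assigned) {
    if (-not $expectedDirectoryRoles.ContainsKey($a.roleDefinitionId)) {
        Write-Warning "Unexpected directory role $($a.roleDefinitionId) at scope $($a.directoryScopeId)"
    }
}
```

No warnings means the identity holds User Access Administrator at the chosen scope and exactly the three directory roles listed in this guide.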