Starting with OfficeExpert 4.3.x , panagenda deploys and manages additional components in the customer's Azure tenant and therefore acts as a service provider. This is completely done with Azure Lighthouse.

Customers need to execute an Azure Lighthouse template so that panagenda gets dedicated access on Resource Group level.

These Azure resources are needed in combination with the OfficeExpert appliance (the appliance itself can run anywhere, on-premises or on Azure).
Important: if you need to set up Azure Lighthouse in a different tenant which is not equal to the tenant from where OfficeExpert gets the M365 data, please contact support@panagenda.com.


Table of Contents



What Pieces Will Be Deployed?

Following resources are part of the deployment

  • Key Vault
  • Function App (incl. App Service Plan - consumption based)
  • Event Hub
  • Storage Account
  • App Insights + Log Analytics


Deployment Prerequisites

Make sure the following resource providers are registered in the subscription you use.

Resource Providers
Microsoft.Insights
Microsoft.ContainerInstance
Microsoft.EventHub
Microsoft.Web
Microsoft.KeyVault
Microsoft.OperationalInsights
Microsoft.ManagedIdentity
Microsoft.Storage


1) Azure Lighthouse

A subscription owner (owner via RBAC) has to perform the following steps to deploy the Azure Lighthouse template.
This will connect panagenda to the specified Azure resource group of the customer's tenant.

panagenda gets contributor access for the entire resource group!
1) Request the template files from panagenda (support@panagenda.com)
2) Create a resource group manually (default: panagenda-azure-lighthouse)
3) Open Azure CLI as a subscription owner
4) Upload the template files via Azure CLI
5) Switch to PowerShell
6) Execute the following command to make sure the correct SubId is in context
Set-AzContext -Subscription {ID}

7)
# If a resource group is used, adjust the location and RG parameters depending on your needs 
New-AzSubscriptionDeployment -TemplateFile panagenda-azure-lighthouse-rg.json -TemplateParameterFile panagenda-azure-lighthouse.parameters.json -rgName panagenda-azure-lighthouse -Location WestEurope


2) Graph API Subscription App Registration

A second Azure AD App registration in the customer tenants needs to be added (in addition to the one being used by the OfficeExpert appliance).

This is a simple single tenant application with all the default settings.

1) Create Azure AD App registration -- Name: OfficeExpert Graph API Subscriptions
2) Choose Single Tenant and keep all default settings
3) Open the new registered application and create a client secret (Certificate & secrets)
4) Open the manifest and add the following resource access configuration

"requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                },
                {
                    "id": "7b2449af-6ccd-4f4d-9f78-e550c193f0d1",
                    "type": "Role"
                },
                {
                    "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
                    "type": "Role"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                    "type": "Role"
                }
            ]
        }
    ],

5) Give admin consent to all the added permissions


This should be the final result:




3) Microsoft Graph Change Tracking Object ID

The Graph Change Tracking  Object ID is needed to finalize the deployment.

Open the Azure PortalAzure AD  > Enterprise Application and search for Microsoft Graph Change Tracking.




4) Deployment Information

Make sure the OfficeExpert appliance is fully deployed and up and running.

If it is, please share the following information with panagenda so that all components can be deployed via Azure Lighthouse to your tenant.

Please download the following .xlsx table: https://files.panagenda.com/OfficeExpert/AzureLightHouse/panagenda-azure-light-house.xlsx

ItemValue

Tenant Id of the targeted Microsoft 365 tenant // Azure Tenant


e.g xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Primary domain name of the tenant. Please verifiy this on your Azure AD properties page


e.g. acme.onmicrosoft.com

Azure AD App ID of "OfficeExpert Graph API Subscriptions"



Client secret of "OfficeExpert Graph API Subscriptions"



Azure AD App Enterprise Object ID of the App "panagenda OE Appliance". (Enterprise applications)

Note: this app is created during the setup of your OfficeExpert appliance.

Example:



Microsoft Graph Change Tracking Object Id




Azure Location where the components should be deployed


e.g. eastus; westeurope;....

Resource Group Name where the components should be deployed


default: panagenda-azure-lighthouse

Subscription Id where the components should be deployed



Subscription name where the components should be deployed



Contact Support

Visit panagenda OfficeExpert on our website!