Starting with OfficeExpert 4.3.x, panagenda deploys and manages additional components in the customer's Azure tenant and therefore acts as a service provider. This is done entirely with Azure Lighthouse.

Customers need to execute an Azure Lighthouse template so that panagenda gets dedicated access at Resource Group level.

Note: These Azure resources are needed in combination with the OfficeExpert appliance (the appliance itself can run anywhere, on-premises or in Azure).

Important: if you need to set up Azure Lighthouse in a tenant that is not the tenant from which OfficeExpert gets the M365 data, please contact support@panagenda.com



What pieces will be deployed?

The following resources are part of the deployment:


Deployment Prerequisites

Please make sure that the following resource providers are registered in the subscription you use.

Resource Providers
Microsoft.Insights
Microsoft.ContainerInstance
Microsoft.EventHub
Microsoft.Web
Microsoft.KeyVault
Microsoft.OperationalInsights
Microsoft.ManagedIdentity
Microsoft.Storage
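Added example (not part of panagenda's documentation): a PowerShell check that reports the registration state of the providers listed above in the current subscription and registers any that are missing. It assumes the Az module is installed and Connect-AzAccount / Set-AzContext already point at the target subscription.

```powershell
# Added example, not panagenda's code. Assumes Az PowerShell and an already selected subscription.
$requiredProviders = @(
    'Microsoft.Insights',
    'Microsoft.ContainerInstance',
    'Microsoft.EventHub',
    'Microsoft.Web',
    'Microsoft.KeyVault',
    'Microsoft.OperationalInsights',
    'Microsoft.ManagedIdentity',
    'Microsoft.Storage'
)

$ctx = Get-AzContext
Write-Host "Checking resource providers in subscription $($ctx.Subscription.Id)"

function Get-ProviderState([string]$Namespace) {
    # Get-AzResourceProvider returns one object per resource type of the namespace;
    # the namespace-level RegistrationState is identical on each, so the first is enough.
    (Get-AzResourceProvider -ProviderNamespace $Namespace | Select-Object -First 1).RegistrationState
}

foreach ($ns in $requiredProviders) {
    $state = Get-ProviderState $ns
    if ($state -eq 'Registered') {
        Write-Host "OK          $ns"
        continue
    }
    # Registering needs Contributor/Owner on the subscription (the role this guide already requires).
    Write-Host "Registering $ns (current state: $state)"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# Registration is asynchronous; poll until every provider reports 'Registered'.
do {
    Start-Sleep -Seconds 10
    $pending = foreach ($ns in $requiredProviders) {
        $s = Get-ProviderState $ns
        if ($s -ne 'Registered') { "$ns=$s" }
    }
    if ($pending) { Write-Host "Still pending: $($pending -join ', ')" }
} while ($pending)

Write-Host 'All required resource providers are registered.'
```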


1) Azure Lighthouse

An Owner of the Subscription (Owner via RBAC) has to perform the following steps in order to get the Azure Lighthouse template deployed.
This will connect panagenda with the specified Azure Resource Group of the customer's tenant (Note: panagenda gets Contributor access for the entire Resource Group!)

1) Request the template files from panagenda (support@panagenda.com)
2) Create a Resource Group manually (default: panagenda-azure-lighthouse)
3) Open Azure CLI as an Owner of the subscription
4) Upload the template files via Azure CLI
5) Switch to PowerShell
6) Execute the following command to make sure that the correct Subscription Id is in context
Set-AzContext -Subscription {ID}

7) Execute the deployment
# If a Resource Group is used, adjust the Location and RG parameters to your needs
New-AzSubscriptionDeployment -TemplateFile panagenda-azure-lighthouse-rg.json -TemplateParameterFile panagenda-azure-lighthouse.parameters.json -rgName panagenda-azure-lighthouse -Location WestEurope
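Added example (not panagenda's code): after step 7, this PowerShell snippet confirms what the Lighthouse delegation actually grants: which tenant the Resource Group is delegated to, which roles the delegation carries, and whether any delegation exists at subscription scope instead of Resource Group scope. It assumes Az.ManagedServices 3.x (the object property names below are taken from that module), the default Resource Group name from step 2, and that Set-AzContext already points at the subscription used above.

```powershell
# Added example, not panagenda's code. Assumes Az.ManagedServices 3.x and a selected subscription.
$rgName      = 'panagenda-azure-lighthouse'            # default from step 2; adjust if changed
$contributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c'  # built-in Contributor role definition id
$subId       = (Get-AzContext).Subscription.Id
$rgScope     = "subscriptions/$subId/resourceGroups/$rgName"

# Registration definitions live at subscription scope; assignments are created at the
# delegated scope (here: the Resource Group). Index the definitions by resource id.
$definitions = @{}
foreach ($d in Get-AzManagedServicesDefinition -Scope "subscriptions/$subId") {
    $definitions["$($d.Id)".ToLower()] = $d
}

# An assignment id embeds the delegated scope: an id without '/resourceGroups/' means the
# whole subscription is delegated, which this setup does not require.
foreach ($a in Get-AzManagedServicesAssignment -Scope "subscriptions/$subId") {
    if ($a.Id -notlike '*/resourceGroups/*') {
        Write-Warning "Subscription-wide delegation found: $($a.Id)"
    }
}

foreach ($a in Get-AzManagedServicesAssignment -Scope $rgScope) {
    $d = $definitions["$($a.RegistrationDefinitionId)".ToLower()]
    if (-not $d) { Write-Warning "No definition found for assignment $($a.Id)"; continue }
    Write-Host "Resource Group '$rgName' is delegated to tenant $($d.ManagedByTenantId) ($($d.RegistrationDefinitionName))"
    foreach ($auth in $d.Authorization) {
        # The documentation describes Contributor on the Resource Group; anything else
        # (Owner, User Access Administrator, ...) is more than that and should be reviewed.
        $tag = if ($auth.RoleDefinitionId -eq $contributor) { 'OK     ' } else { 'REVIEW ' }
        Write-Host "  $tag $($auth.PrincipalIdDisplayName) -> role $($auth.RoleDefinitionId)"
        if ($auth.DelegatedRoleDefinitionId) {
            # Present only for User Access Administrator delegations that may assign further roles.
            Write-Warning "  $($auth.PrincipalIdDisplayName) may additionally assign roles: $($auth.DelegatedRoleDefinitionId -join ', ')"
        }
    }
}
```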




2) Graph API Subscription App Registration

A second Azure AD App registration in the customer tenant needs to be added (besides the one that is being used by the OfficeExpert appliance).

This is a simple single-tenant application with all the default settings.

1) Create Azure AD App registration -- Name: OfficeExpert Graph API Subscriptions
2) Choose Single Tenant and keep all default settings
3) Open the newly registered application and create a client secret (Certificates & secrets)
4) Open the manifest and add the following resource access configuration:

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "b0afded3-3588-46d8-8b3d-9842eff778da",
                    "type": "Role"
                },
                {
                    "id": "7b2449af-6ccd-4f4d-9f78-e550c193f0d1",
                    "type": "Role"
                },
                {
                    "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
                    "type": "Role"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                    "type": "Role"
                }
            ]
        }
    ],

5) Grant admin consent to all the added permissions


This should be the final result:




3) Microsoft Graph Change Tracking Object Id

The Graph Change Tracking Object Id is needed to finalize the deployment.

Open the Azure Portal / Azure AD / Enterprise Applications and search for Microsoft Graph Change Tracking.
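Added example (not panagenda's code) that serves sections 2 and 3 together: with Microsoft Graph PowerShell it checks that the application permissions ("type": "Role") from the manifest in section 2 were actually admin-consented for the "OfficeExpert Graph API Subscriptions" app, and then reads the Object Id of the "Microsoft Graph Change Tracking" enterprise application needed in section 3. It assumes the Microsoft.Graph module is installed and an account that can read applications; the Application (client) ID of the new app registration is a placeholder to fill in.

```powershell
# Added example, not panagenda's code. Assumes Microsoft.Graph PowerShell; $appId is a placeholder.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

$appId = '<application-id-of-OfficeExpert-Graph-API-Subscriptions>'   # placeholder, fill in

# Application permissions ("type": "Role") from the manifest, keyed by resource app id.
# The delegated User.Read scope is an OAuth2 permission grant, not an app role, and is not checked here.
$expectedRoles = @{
    '00000003-0000-0000-c000-000000000000' = @(   # Microsoft Graph
        'b0afded3-3588-46d8-8b3d-9842eff778da',
        '7b2449af-6ccd-4f4d-9f78-e550c193f0d1',
        '7ab1d382-f21e-4acd-a863-ba3e13f7da61')
    '00000002-0000-0000-c000-000000000000' = @(   # Azure AD Graph (legacy)
        '5778995a-e1bf-45b8-affa-663a9f3f4d04')
}

# Admin consent materialises as app role assignments on the app's service principal,
# which only exists once consent (or first sign-in) has happened.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for appId $appId; was admin consent granted (step 5)?" }
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

foreach ($resourceAppId in $expectedRoles.Keys) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
    if (-not $resourceSp) { Write-Warning "Resource app $resourceAppId has no service principal in this tenant"; continue }
    foreach ($roleId in $expectedRoles[$resourceAppId]) {
        $have = $granted | Where-Object { $_.ResourceId -eq $resourceSp.Id -and $_.AppRoleId -eq $roleId }
        $status = if ($have) { 'consented' } else { 'MISSING  ' }
        Write-Host "$status role $roleId on $($resourceSp.DisplayName)"
    }
}

# Section 3: Object Id of the Microsoft Graph Change Tracking enterprise application.
$changeTracking = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph Change Tracking'"
if (-not $changeTracking) { throw 'Microsoft Graph Change Tracking service principal not found in this tenant' }
Write-Host "Microsoft Graph Change Tracking Object Id: $($changeTracking.Id)"
```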




4) Deployment Information - please provide this to panagenda

Make sure that the OfficeExpert appliance is fully deployed and up and running.

If so, please share the following information with panagenda so that all components can be deployed via Azure Lighthouse into your tenant.

Please download the following table as XLSX: https://files.panagenda.com/OfficeExpert/AzureLightHouse/panagenda-azure-light-house.xlsx

Item: Tenant Id of the targeted Microsoft 365 tenant (Azure tenant)
Value: e.g. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Item: Primary domain name of the tenant. Please verify this on your Azure AD properties page
Value: e.g. acme.onmicrosoft.com

Item: Azure AD App ID of "OfficeExpert Graph API Subscriptions"
Value:

Item: Client secret of "OfficeExpert Graph API Subscriptions"
Value:

Item: Azure AD Enterprise Application Object ID of the app "panagenda OE Appliance" (Enterprise applications). Note: This app gets created during the setup of your OfficeExpert appliance
Value:

Item: Microsoft Graph Change Tracking Object Id
Value:

Item: Azure Location where the components should be deployed
Value: e.g. eastus, westeurope, ...

Item: Resource Group Name where the components should be deployed
Value: default: panagenda-azure-lighthouse

Item: Subscription Id where the components should be deployed
Value:

Item: Subscription name where the components should be deployed
Value: