Microsoft Assent (*a.k.a Approvals*) as a platform provides the “one stop shop” solution for approvers via a model that brings together disparate different approval requests in a consistent and ultra-modern model. Approvals delivers a unified approvals experience for any approval on multiple form factors - Website, Outlook Actionable email, Teams. It consolidates approvals across organization's line of business applications, building on modern technology and powered by Microsoft Azure. It serves as a showcase for solving modern IT scenarios using the latest technologies.
4
-
- Payload API - Accepts payload from tenant system.
5
-
- Audit Agent Processor - Logs the payload data into Cosmos db.
6
-
- Primary Processor - Processes the payload pushed by payload API to service bus.
7
-
- Notification Processor - Sends email notifications to Approvers/ Submitters.
8
-
- Core API - Set of Web APIs to support the Approvals UI.
3
+
Microsoft Assent (*a.k.a Approvals*) as a platform provides the "one stop shop" solution for approvers via a model that brings together disparate different approval requests in a consistent and ultra-modern model. Approvals delivers a unified approvals experience for any approval on multiple form factors - Website, Outlook Actionable email, Teams. It consolidates approvals across organization's line of business applications, building on modern technology and powered by Microsoft Azure. It serves as a showcase for solving modern IT scenarios using the latest technologies.
4
+
- Payload Receiver Service API - Accepts payload from tenant system.
5
+
- Audit Processor - Azure Function that logs the payload data into Azure Cosmos DB.
6
+
- Primary Processor - Azure Function that processes the payload pushed by payload receiver service API to service bus.
7
+
- Notification Processor - Azure Function that sends email notifications to Approvers/ Submitters as per configurations.
8
+
- WatchdogProcessor - as per configurations from tenant sends reminder email notifications to Approvers for pending approvals as per configurations from tenant.
9
+
- Core Services API - Set of Web APIs to support the Approvals UI.
9
10
10
11
## Getting Started
11
12
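Review bot: the new WatchdogProcessor bullet says "as per configurations from tenant" twice (once after the name and once at the end) and breaks the "Name - Azure Function that ..." pattern the other renamed bullets follow; suggest "Watchdog Processor - Azure Function that sends reminder email notifications to Approvers for pending approvals, as per configurations from tenant." In the description line, which this hunk already touches for the quote characters, "disparate different approval requests" is redundant and can become "disparate approval requests".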
@@ -47,13 +48,13 @@ Step 3: Select 'Build your own template in the editor' and paste the content of
47
48
48
49
```
49
50
Step 4: Save and go the next step. Select the subscription, resource group & location.
50
-
Update the settings to update any of the parameter values if required and click on purchase
51
+
Update the settings to update any of the parameter values if required and click on purchase
51
52
52
53
Note : If there is any failure, try re-deploying again before proceeding for any troubleshooting.
53
54
```
54
55
55
56
## Clean-up
56
-
It might have happened that some of the resources which got created may be already present in your subscription.
57
+
It might have happened that some of the resources which got created may be already present in your subscription.
57
58
In that case, you can continue to use the same and delete the newly created resources. (e.g. Storage Account, Application Insights, ServiceBus - In case of ServiceBus make sure to create the Topics in your exisiting ServiceBus namespace before deleting).
58
59
59
60
The following table will help in deciding which components can be cleaned-up.
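Review bot: the -/+ pairs for "Update the settings to update any of the parameter values if required and click on purchase" and "It might have happened that some of the resources ..." are identical in content, so this hunk is a whitespace or line-ending change only; since these lines are being touched anyway, fix "go the next step" to "go to the next step" in Step 4 and "exisiting" to "existing" in the ServiceBus note.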
@@ -90,7 +91,6 @@ Step 1: Download the configuration file (AppCofiguration.json) from the samples
90
91
```
91
92
Step 2: Add/update the values for the following keys in the JSON
92
93
```
93
-
94
94
| Key Name | Source | In KeyVault ? |
95
95
|--------|------|--------|
96
96
| AADTenantId | Azure Active Directory (AAD) Tenant ID | No |
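Review bot: the only change here drops the blank line after the closing fence (old line 93), but the Step 1 context shown on the hunk header still reads "AppCofiguration.json" while Step 7 later in this file refers to "AppConfiguration.json"; correct the filename in Step 1 so both steps name the same file.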
@@ -127,21 +127,21 @@ Step 2: Add/update the values for the following keys in the JSON
127
127
| UrlPlaceholderTenants |[Optional] Int32 identifiers for simulating LoB apps in self-server portal | No |
128
128
129
129
```
130
-
Step 3: Go to the App Configuration service on Azure Portal and select the resource
130
+
Step 3: Go to the App Configuration service on Azure Portal and select the resource
131
131
where the configuration needs to be imported.
132
132
```
133
133
```
134
134
Step 4: Go to 'Operations' -> 'Import/Export'
135
135
```
136
136
```
137
-
Step 5: Select 'Import' in the toggle button and
137
+
Step 5: Select 'Import' in the toggle button and
138
138
choose 'Configuration file' from the dropdown 'Source service'.
139
139
```
140
-
```
140
+
```
141
141
Step 6: In the 'For language' drop down select 'Other'
142
142
```
143
143
```
144
-
Step 7: Choose 'Json' as the value from the 'File type' dropdown and
144
+
Step 7: Choose 'Json' as the value from the 'File type' dropdown and
145
145
select the 'AppConfiguration.json' updated in the previous step file from the File Explorer.
146
146
```
147
147
```
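Review bot: every -/+ pair in this hunk (Step 3, Step 5, Step 7 and the fence after Step 5) is identical in content, so these are whitespace or line-ending changes that hide the real edits of this commit; consider normalizing line endings in a separate commit or with a .gitattributes rule. While here, the Step 7 context line "select the 'AppConfiguration.json' updated in the previous step file" reads awkwardly and should be "select the AppConfiguration.json file updated in the previous step".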
@@ -154,19 +154,19 @@ Select the 'Label' under which the configurations needs to be added (e.g., DEV)
154
154
* For the Function Apps add/update the below AppSetting keys:
155
155
> APPINSIGHTS_INSTRUMENTATIONKEY
156
156
> > This is an instrumentation key of Application Insights which was created from ARM Template.
157
-
>
158
-
> AzureAppConfiguration
159
-
> > This would be Key vault Reference to Azure App Configuration's connection string.
157
+
>
158
+
> AzureAppConfigurationUrl
159
+
> > This would be Azure App Configuration's endpoint URL.
160
160
>
161
161
> AppConfigurationLabel
162
162
> > This would be Azure App Configuration's label value corresponding to the environment the App service is running for.
163
163
>
164
164
> AzureWebJobsStorage
165
165
> > This would be Key vault Reference to storage account's connection string.
166
-
>
166
+
>
167
167
> AzureWebJobsDashboard
168
168
> > This would be Key vault Reference to storage account's connection string.
169
-
>
169
+
>
170
170
> ComponentName
171
171
> > Name of the component which could be name of the component like *ApprovalsPrimaryProcessor or ApprovalsNotificationProcessor*.
172
172
>
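Review bot: replacing the Key Vault reference to the AzureAppConfiguration connection string with AzureAppConfigurationUrl is the right direction (the Function App's identity rather than a shared secret now authenticates to App Configuration), but the new description should say so, e.g. "This would be Azure App Configuration's endpoint URL; the Function App's System assigned Managed Identity needs App Configuration Data Reader on it", otherwise a reader will look for a secret that no longer exists. AzureWebJobsStorage and AzureWebJobsDashboard in the same block still use Key Vault references to the storage connection string, so the list should make clear which settings are intentionally kept secret-based.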
@@ -181,36 +181,87 @@ Select the 'Label' under which the configurations needs to be added (e.g., DEV)
181
181
> APPINSIGHTS_INSTRUMENTATIONKEY
182
182
> > This is an instrumentation key of Application Insights which was created from ARM Template.
183
183
>
184
-
> AzureAppConfiguration
185
-
> > This would be Key vault Reference to Azure App Configuration's connection string.
184
+
> AzureAppConfigurationUrl
185
+
> > This would be Azure App Configuration's endpoint URL.
186
186
>
187
187
> AppConfigurationLabel
188
188
> > This would be Azure App Configuration's label value corresponding to the environment the App service is running for.
189
-
>
189
+
>
190
190
> ComponentName
191
191
> > Name of the component which could be name of the component like *ApprovalsCoreServicesAPI or ApprovalsPayloadServiceAPI*.
192
192
>
193
193
> ValidAppIds
194
194
> > This is AzureAD App's ClientIds which are authorized to access this component (; separated).
195
-
>
195
+
>
196
196
```
197
197
Note: The connection string should be the KeyVault url
198
198
i.e. Enter the value in this format: @Microsoft.KeyVault(SecretUri=<keyvault Secret Identifier url for AzureAppConfigurationConnectionString>)
199
199
```
200
200
#### Setup Authentication/Access Permission
201
-
* For all the System assinged Managed Identity created earlier assign the following roles to the Azure Storage Account
202
-
> Storage Blob Data Contributor
203
-
201
+
204
202
* Setup Authentication for APIs and Function Apps
205
-
* Update the Reply Urls section of the AzureAD App created earlier with the URLs of the App Services and FunctionApps (HttpTriggered) URLs suffixed with '/auth/login/aad/callback'
203
+
* Update the Reply Urls section of the AzureAD App created earlier with the URLs of the App Services and FunctionApps (HttpTriggered) URLs suffixed with '/auth/login/aad/callback'
206
204
* In the 'Authentication' section of the AppServices / FunctionApps (HttpTriggered),
207
205
* Add or update the Authentication values (ClientId/Secret/Issuer/Audience)
208
206
* Select 'Login with Azure Active Directory' for the option 'Action to take when the request is not authenticated'
209
207
208
+
* Permissions needed needed for System assigned Managed Identity of below Azure Components
209
+
* Payload Receiver Service API:
210
+
* App Configuration Data Reader
211
+
* Azure Service Bus Data Sender
212
+
* Cosmos DB Built-in Data Contributor
213
+
* Key Vault Secrets User
214
+
* Storage Blob Data Contributor
215
+
* Storage Table Data Contributor
216
+
217
+
* Audit Processor:
218
+
* App Configuration Data Reader
219
+
* Azure Service Bus Data Owner
220
+
* Cosmos DB Built-in Data Contributor
221
+
* Key Vault Secrets User
222
+
* Storage Blob Data Contributor
223
+
* Storage Table Data Contributor
224
+
225
+
* Primary Processor:
226
+
* App Configuration Data Reader
227
+
* Azure Service Bus Data Owner
228
+
* Cosmos DB Built-in Data Contributor
229
+
* Key Vault Secrets User
230
+
* Storage Blob Data Contributor
231
+
* Storage Table Data Contributor
232
+
233
+
* Notification Processor:
234
+
* App Configuration Data Reader
235
+
* Azure Service Bus Data Owner
236
+
* Cosmos DB Built-in Data Contributor
237
+
* Key Vault Secrets User
238
+
* Storage Blob Data Contributor
239
+
* Storage Table Data Contributor
240
+
241
+
* Watchdog Processor:
242
+
* App Configuration Data Reader
243
+
* Cosmos DB Built-in Data Contributor
244
+
* Key Vault Secrets User
245
+
* Storage Blob Data Contributor
246
+
* Storage Table Data Contributor
247
+
248
+
* Core Services API:
249
+
* App Configuration Data Reader
250
+
* Cosmos DB Built-in Data Contributor
251
+
* Key Vault Secrets User
252
+
* Storage Blob Data Contributor
253
+
* Storage Table Data Contributor
254
+
255
+
*Note: As of today only way to assign Cosmos DB Built-in Data Contributor is via the PowerShell or az cli below is the command fot the same:*
256
+
```
257
+
az cosmosdb sql role assignment create --account-name "Cosmosdb account name" --resource-group "Name of resource group where cosmosdb exists" --scope "/" --principal-id "System assigned identity to to which this Role Assignment is being granted" --role-definition-id "00000000-0000-0000-0000-000000000002"
258
+
```
259
+
For more information please read: [Configure role-based access control for your Azure Cosmos DB account with Azure AD | Microsoft Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac)
260
+
210
261
## Deploy
211
262
Deploy the code in these new components using Azure DevOps (Build and Release pipelines)
212
263
213
-
The deployment might fail sometimes due to locked files. Try restarting the service, before redeploying.
264
+
The deployment might fail sometimes due to locked files. Try restarting the service, before redeploying.
214
265
If the issue persists, add the following AppSettings in the service configuration
215
266
```
216
267
"MSDEPLOY_RENAME_LOCKED_FILES": "1"
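Review bot: the per-component role matrix replacing the blanket Storage Blob Data Contributor grant is an improvement, but the Audit, Primary and Notification Processors are given Azure Service Bus Data Owner while the Payload Receiver Service API correctly gets only Azure Service Bus Data Sender; a processor that consumes messages needs Azure Service Bus Data Receiver, and Data Owner should be justified or dropped. Likewise every component, including the Watchdog Processor and Core Services API, gets Cosmos DB Built-in Data Contributor; where a component only reads, the Built-in Data Reader role is the tighter choice, and the az command's --scope "/" grants the role on the whole account when a narrower scope may do. The note "The connection string should be the KeyVault url ... AzureAppConfigurationConnectionString" is now stale, since this hunk replaces that setting with AzureAppConfigurationUrl. Minor: "Permissions needed needed" and "fot the same" are typos, and the quoted prose inside the az command ("Cosmosdb account name", "System assigned identity to to which ...") should be written as <placeholders> so they are not pasted literally.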
@@ -240,8 +291,8 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio
240
291
241
292
## Trademarks
242
293
243
-
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
244
-
trademarks or logos is subject to and must follow
294
+
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft