How to deploy Dashboard Server Azure Edition from the Azure Marketplace
Which installation method should I choose?
There are several options for installing Dashboard Server Azure Edition:
Deployment via the Azure Marketplace
Installation via the installer
The easiest way to install Dashboard Server Azure Edition is via the Azure Marketplace.
Use the installer if you don't want to use the Marketplace (for example, because you want to install Dashboard Server Azure Edition on an existing Azure virtual machine, a VM outside of the tenant you're connecting to, on a non-Azure machine, or because of security factors).
For step-by-step information about installingDashboard Server Azure Edition using the downloadable installer please see How to install Dashboard Server Azure Edition using the installer.
What you need
- An Azure Active Directory global admin account, or account that can deploy applications to Azure Active Directory (AD).
Where to deploy
- The Marketplace deployment will create a Windows virtual machine with the minimum requirements and lead you through the configuration process.
- The location of the SquaredUp server has no bearing on the Azure resources you will be able to see and dashboard in Dashboard Server. You will be able to select the relevant Azure tenant during the setup process.
What we create
- A virtual machine in your Azure tenant, running our web application and IIS, with a small data disk and a public IP address.
- A read-only Azure application in your Azure AD that will populate your dashboards by querying Azure APIs
- Dashboard Server has a number of prerequisites that will be automatically installed by the setup process (e.g. the IIS Web Server role)
The installer makes some changes to Azure Active Directory to give Dashboard Server permission to access the Graph API. These steps occur automatically. To read about what modifications are made during setup and why please see Reference - Azure Active Directory modifications
Azure Marketplace
Browse to the Azure Marketplace using
this link to deploy Dashboard Server.A 30 day trial key will automatically be sent to the account with which you are logged in to the Azure portal. This license key will be used during the Dashboard Server setup wizard later. If you do not receive a license key please contact SquaredUp Support. If you have not already signed in, sign in with an Azure Active Directory
global admin account, or account that can deploy applications to Azure AD.Click on the Get it now button.
Enter your contact details and click Continue.
Click the Create button.
Select the Subscription you wish to use.
Select an existing Resource Group, or create a new one.
Select a suitable region, close to where most of the Dashboard Server users will be located.
Accept the suggested virtual machine name or rename if you prefer.
Windows computer names cannot be more than 15 characters long in Azure, or contain special characters other than "-".
The default virtual machine size suggested is based on a small test environment. If you are deploying for production use please select the appropriate virtual machine size required. See Server Spec and Sizing
Click the Next button to move on to Administration.
Here you need to enter details to create a new administrator account for the new Windows VM. You will not need this to use Dashboard Server, but you will need it later to access the new VM, for example to update Dashboard Server or view diagnostics logs.
Click the Next button to move on to Networking.
A public IP address is required and will be created automatically with the suggested label. Enter a domain name label for this virtual machine. This is the URL you will use to access Dashboard Server for the first time.
Click the Next button to move on to SSL.
HTTPS is required to login to Dashboard Server using Azure Active Directory. . For HTTPS you can either use a self-signed certificate, which may cause a browser warning that the website is insecure and users will need to explicitly agree to proceed, or you can use a Let's Encrypt® certificate.Using a Let's Encrypt certificate stops a browser warning appearing to users.
If you choose to use a Let's Encrypt certificate then you need to provide an email address and agree to terms of service. The email is used to contact you if there is a problem with the renewal of the certificate. The Let's Encrypt certificate is valid for 90 days, but it will renew automatically every 55 days, as long as it is accessible through port 80, as that is how the http challenge is conducted.
To install the Let's Encrypt certificate a self-signed certificate is temporarily installed, so a browser warning may appear in the first 2 minutes before the Let's Encrypt certificate is applied.
Click the Next button to move on to Tags. It can be useful to tag resources now, or you can do this later in the Azure console.
Click the Next button to move on to Configuration. Click on the URL displayed, which will open a new tab. The resource cannot be reached straight away because it hasn't been created yet, but once it has been created following this Marketplace deployment you will need to go to this address to complete the Dashboard Server setup process.
Click the Next button to move on to Review + create.
Check the details and click the Create button to agree to the terms and create the virtual machine.
You will see a message that the deployment is underway. This may take a few minutes.
Logon to Dashboard Server Azure Edition for the first time
Browse to the VM you created by using the new tab you opened from the Marketplace link.
Alternatively, browse to https://DNSName
. You can find the DNS name by browsing to the VM in the Azure portal, click the Go to resource button and copy the name of the virtual machine.
If you are using a self-signed SSL certificate so you will see a browser warning and will need to explicitly agree to proceed. In Chrome this is done by clicking Advanced.
Before you can get started, Dashboard Server has to complete some final configuration of your environment, which includes activating your license
Dashboard Server setup wizard
If you are not able to log in with an account that is an Azure Active Directory global admin account, or an account that can deploy applications to Azure Active Directory (AD), you will not be able to complete the setup wizard. You can ask a global admin user to run the wizard or to follow the article: How to manually configure Dashboard Server Azure Edition.
Browse to Dashboard Server Azure Edition and the Dashboard Server setup wizard will appear.
On the Azure AD screen click the Setup button to configure the Azure Active Directory.
Next we need to add the Dashboard Server setup application to Azure AD. This application is created using the Microsoft device login process and impersonates the current user.
Information about the Dashboard Server Setup enterprise application in Azure Active Directory (AAD)During the setup process you will be prompted to grant permissions to Dashboard ServerAzure Setup to use permissions from your Azure and Microsoft accounts.
Explanation
In order to access Azure data and authenticate users, your SquaredUp server will need its own unique AD application specific to your Azure tenant.
The Dashboard Server Azure Setup application obtains the permissions necessary to automatically create such an AD application:
- The Azure Setup AD application is added to your Azure tenant
- The setup wizard uses the application's permissions to create a new AD application unique to your SquaredUp server
- The SquaredUp server uses its unique AD application to access Azure data and perform user authentication
Permissions requested
This setup application requests the following permissions from whomever logs into their Microsoft account during the setup process:
- Access to the directory as the current user
- Impersonation of the current user to access Azure service management
- Sign in and read the profile of the current user
These are the permissions required to create a subsequent AD application for the SquaredUp server.
Granting consent for your organization is unnecessary unless you want to set up multiple SquaredUp servers.
Permission removal
Once Dashboard Server has been set up, you are free to delete this application ("Dashboard Server for Azure Setup") from your directory by using the Azure portal.
In the portal this application is typically visible in the "Enterprise Applications" blade.
This application is only used to setup Dashboard Server and does not affect its operation. It ceases to have any permissions within your tenant as soon as it is removed.
You will see the message Awaiting authorization... and should follow the steps as described below.
Click the copy link to copy the authorization code.
- Click on the URL on the screen (in step two) which opens the address in a new tab.
Paste in the copied code and click next.
On the Microsoft Sign in or Pick an account screen login with the Azure AD admin account you wish to use to deploy the Dashboard Server setup application.
You may need to ask a global admin user to run the wizard or to follow the article: How to manually configure Dashboard Server Azure Edition.
or
You should see a message confirming that you have signed in to the Dashboard Server Azure Edition Setup application. Close this tab.
Return to the tab showing the Dashboard Server setup screen. After a few seconds it should say that Dashboard Server is correctly configured for Azure AD Authentication.
You will see the message 'Starting...' and then a Microsoft screen Permissions requested.
Tip: Copy the name of the SquaredUp Enterprise Application with its GUID and save it for later use. If you have several Dashboard Server instances it may be useful later to paste this in to the Azure portal when configuring Open Access or making users Dashboard Server administrators.A privileged user will see a checkbox to 'Consent on behalf of your organization'. Enabling this will grant these permissions for all users and disable this dialog for future first time logins.
Information about the SquaredUp Enterprise Application in Azure Active Directory (AAD)The setup application creates an enterprise application specific to your current server. If you deployed via Marketplace the application is named in the form
SquaredUpAzure on <hostname>
. If you used the installer the application is named in the formSquaredUpAzure<GUID>
.This is the application that the Dashboard Server web application uses to authenticate users. Each user that logs into Dashboard Server shares the following permissions with the SquaredUp server:
- Impersonation of the current user to access Azure service management
- Reading all directory data
- Reading all groups
- Sign in and read the profile of the current user
- Read all user's basic profiles
All of these permissions are delegated: Dashboard Server cannot make use of them if the signed in user does not already have them.
Let's Encrypt is a trademark of the Internet Security Research Group. All rights reserved.
- Click Accept to allow Dashboard Server to access Azure as you.
You will be returned to the Dashboard Server setup wizard at the Activation screen.
You will have received your activation key by email following your purchase or free trial. Paste this key in now, and click Activate. If you have not received a license key please contact SquaredUp Support.
Click Import to install the default dashboards and perspectives.
Dashboard Server Azure Edition will then open.
The newly-created Dashboard Server Azure enterprise application will now need to be modified in order to assign the "Dashboard ServerAdministrator" role to the relevant users (or groups) that will administer Dashboard Server, see How to make a user a Dashboard Server administrator. If this is not completed then only the account that deployed Dashboard Server will be able to manage Dashboard Server.
Next steps
- Take a look at the Dashboard Server v5 playlist on YouTube.
- Manage which users can access Dashboard Server: How to manage Named Users
- Set up a Dashboard Server administrator(s). To manage Dashboard Server you will need to be a Dashboard Server administrator, see How to make a user a Dashboard Server administrator
- Give dashboard authors permission to create dashboards. A Dashboard Server administrator will need to give users or groups author permission to a Team Folder, within which they can create and edit dashboards. See Team Folders
- Get access to your API data: How to add a Web API provider
- Configure Open Access dashboards. Open Access enables easy sharing of dashboards, that do not require authentication to view. See Sharing Dashboards with anyone - Open Access
- Create your first dashboard: How to create a dashboard
Troubleshooting Dashboard Server deployment
Symptoms
You are using multi-factor authentication (MFA) and users see this error when trying to log in to Dashboard Server:
HTTP Error 500 (Static)
"This error is triggered by ASP.NET and likely indicated a configuration problem rather than a runtime error in SquaredUp itself"
Procedure
This error can be caused by using multi-factor authentication (MFA) for the Microsoft Azure Management application.
The solution is to create a similar Conditional Access policy requiring multi-factor authentication for the SquaredUpAzure enterprise application (or, if preferred, to add the SquaredUpAzure enterprise application to the existing Microsoft Azure Management MFA Conditional Access policy).
For more information see Microsoft Create a Conditional Access Policy
Submit a request
If configuration fails, a large volume of diagnostic text will be produced, followed by a red failure message. If you experience this, please submit a request and we can help diagnose the cause.
Note that the diagnostic text may reveal sensitive details - such as your username, installed AD applications and IDs. Please be conscious of this when sending us details - for example, it is not appropriate to send us this text over email.
Reference - Azure Active Directory modifications
This reference section specifies what modifications are made during setup and why. These steps occur automatically.
Dashboard Server Setup enterprise application in Azure Active Directory (AAD)
During the setup process you will be prompted to grant permissions to Dashboard ServerAzure Setup to use permissions from your Azure and Microsoft accounts.
Explanation
In order to access Azure data and authenticate users, your SquaredUp server will need its own unique AD application specific to your Azure tenant.
The Dashboard Server Azure Setup application obtains the permissions necessary to automatically create such an AD application:
- The Azure Setup AD application is added to your Azure tenant
- The setup wizard uses the application's permissions to create a new AD application unique to your SquaredUp server
- The SquaredUp server uses its unique AD application to access Azure data and perform user authentication
Permissions requested
This setup application requests the following permissions from whomever logs into their Microsoft account during the setup process:
- Access to the directory as the current user
- Impersonation of the current user to access Azure service management
- Sign in and read the profile of the current user
These are the permissions required to create a subsequent AD application for the SquaredUp server.
Granting consent for your organization is unnecessary unless you want to set up multiple SquaredUp servers.
Permission removal
Once Dashboard Server has been set up, you are free to delete this application ("Dashboard Server for Azure Setup") from your directory by using the Azure portal.
In the portal this application is typically visible in the "Enterprise Applications" blade.
This application is only used to setup Dashboard Server and does not affect its operation. It ceases to have any permissions within your tenant as soon as it is removed.
SquaredUp Enterprise Application in Azure Active Directory (AAD)
The setup application creates an enterprise application specific to your current server. If you deployed via Marketplace the application is named in the form SquaredUpAzure on <hostname>
. If you used the installer the application is named in the form SquaredUpAzure<GUID>
.
This is the application that the Dashboard Server web application uses to authenticate users. Each user that logs into Dashboard Server shares the following permissions with the SquaredUp server:
- Impersonation of the current user to access Azure service management
- Reading all directory data
- Reading all groups
- Sign in and read the profile of the current user
- Read all user's basic profiles
All of these permissions are delegated: Dashboard Server cannot make use of them if the signed in user does not already have them.
Let's Encrypt is a trademark of the Internet Security Research Group. All rights reserved.