DOCSPREREQUISITES

Prerequisites

Loading last updated info...

Prerequisites Checklist

Before starting the installation, ensure you have:

  • Azure Subscription with Owner permissions
  • Azure AD Tenant with Global Administrator or Application Administrator privileges
  • Azure OpenAI quota available in your subscription
  • *Custom domain and DNS zone in Azure (optional)

Register Azure resource providers

Before deploying EagleEye, make sure the following Azure resource providers are registered in your subscription:

  • Microsoft.Storage
  • Microsoft.ManagedIdentity
  • Microsoft.App
  • Microsoft.CognitiveServices
  • Microsoft.KeyVault
  • Microsoft.ContainerRegistry
  • Microsoft.Network
  • Microsoft.OperationalInsights
  • Microsoft.Insights
  • Microsoft.Sql
  • Microsoft.Authorization
  • Microsoft.Web
  • Microsoft.ContainerInstance

To check and register, follow the official Microsoft guide: Register resource providers in Azure Portal

Get Your Azure Tenant ID

You will need your Azure Tenant ID for configuration:

  1. Sign in to the Azure Portal
  2. In the search bar, type "Microsoft Entra ID" Manage Tenants
  3. Go to Manage Tenants and copy the Tenant ID (Organization ID) Tenant ID Tenant Object ID
Note: If you have multiple tenants, ensure you select the correct one for EagleEye deployment.

Get Your Azure Group Name

You will need an Azure group for EagleEye to perform email analysis. This can be either an existing Azure group or a new one you create.

To create a new group or find an existing one:

  1. Sign in to the Azure Portal
  2. In the search bar, type "Groups" Search Azure Groups
  3. Go to GroupsAll groups
  4. Either select an existing group or click New group to create one
  5. If creating a new group:
    • Follow this guide to create and configure a new group
    • Select Security as the Group type if you want to add other groups as members (nesting), otherwise select Microsoft 365
  6. Copy the Group name (you will need this for configuration later)

App Registration Guide

You need 3 Azure App Registrations for EagleEye:

  1. Engine App - SSW.EagleEye.Engine
  2. API App - SSW.EagleEye.Api
  3. Portal App - SSW.EagleEye.Portal
Tip: Create one app and its client secret at a time to avoid confusion.

By the end of this section, you should have 3 client secrets and 1 API scope URL ready for your EagleEye deployment.

Step 1: Create Each App Registration

For each of the 3 apps:

  1. Go to Azure PortalApp registrationsNew registration App Registration Search
  2. Enter the app name (e.g., SSW.EagleEye.Engine)
  3. Set Supported account types to: Accounts in this organizational directory only
  4. Click Register Engine App

Step 2: Create a Client Secret

Repeat these steps for each app:

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Add a description (e.g., Engine Secret, API Secret, Portal Secret)
  4. Select an expiry period → Add Create Client Secret
  5. Copy the secret value immediately (you will need this later; it will never be shown again) Copy Client Secret
Warning: After deployment, remove the secret value from any temporary notes (clipboard, notepad, etc.). \Do not delete the secret from Azure
Remember to repeat Steps 1 & 2 for all 3 app registrations

App-Specific Configuration

These are the only extra settings required for each app registration.

Engine App - Configure API Permissions

App: SSW.EagleEye.Engine

  1. Go to App registrationsAll applications → search for SSW.EagleEye.Engine Search Existing App
  2. Go to ManageAPI permissionsAdd a permission
  3. Select Microsoft GraphApplication permissions (Important: select Application permissions - not Delegated).
  4. Add:
    • GroupMember.Read.All
    • Mail.Read
    • User.Read.All
    • Domain.Read.All
  5. Click Add permissions
  6. Click Grant admin consent App Api Permissions

API App - Expose a Scope

App: SSW.EagleEye.Api

This exposes the API so the Portal can call it.

  1. Go to App registrationsAll applications → search for SSW.EagleEye.Api
  2. Go to Expose an APIAdd a scope
  3. Accept the default Application ID URI (or customise) → Save and continue Expose a scope
  4. Configure the scope:
    • Scope name: access_as_user
    • Who Can Consent: Admins and users
    • Admin consent display name: Access SSW EagleEye as user
    • Admin consent description: Allow the application to access SSW EagleEye on behalf of the signed-in user
  5. Click Add scope Add Scope
  6. Copy the full scope URL (e.g., api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/access_as_user)

You will need this during deployment.

Portal App - Configure API Permission

App: SSW.EagleEye.Portal

This allows the Portal web app to call the API.

  1. Go to App registrationsAll applications → search for SSW.EagleEye.Portal
  2. Go to API permissionsAdd a permission
  3. Select APIs my organization uses → choose SSW.EagleEye.Api Select My APIs
  4. Select Delegated permissionsaccess_as_user
  5. Click Add permissions Add Permissions
  6. Click Grant admin consent Grant Admin Consent

Control Who Can Sign In to Your EagleEye Portal

You can choose exactly which users or groups are allowed to access your EagleEye Portal.
By default, Azure lets any user in your tenant sign in - so it’s important to lock this down.

Secure the Portal App

  1. In the Azure Portal, search for Enterprise applications
  2. Select your SSW.EagleEye.Portal enterprise app
  3. In the left menu, go to Manage → Properties
  4. Set Assignment required to Yes
    • This ensures only the users or groups you assign can sign in.
    • If this is set to No, any user in your tenant will be able to access your EagleEye portal.
  5. Click Save Portal Enterprise app

Assign Users/Groups to the Portal App

  1. In the same SSW.EagleEye.Portal enterprise app, go to Manage → Users and groups
  2. Click Add user/group
  3. Select the users or groups you want to give access to.
  4. Click Assign Portal assign users

References

What are Tags?Installation