Manual set up of DotAlign on Azure
Typically, the DotAlign solution is deployed via a PowerShell based deployment script provided by DotAlign, Inc. However, where the resources are not deployed using that script, the following permissions, settings and other components need to be in place to get the solution up and running.
Authentication and authorization
Azure AD and app registration
For Azure based deployments, DotAlign uses Azure AD for authentication and authorization. Users are forwarded to their firm's Azure AD instance (which may further include additional identity management platforms), and when authenticated, they are redirected back to DotAlign.
To support this, an app registration needs to be created inside your Azure tenant, and granted the following MS Graph permissions.
For user sign-in
Permission | Type | Description |
openid | Delegated | Sign users in |
profile | Delegated | View users' basic profile |
User.Read | Delegated | Sign in and read user profile |
For web app functionality
Permission | Type | Description |
User.Read.All | Delegated | Read all users' full profiles |
Calendars.ReadWrite | Delegated | Have full access to user calendars |
Directory.Read.All | Delegated | Read directory data |
Group.Read.All | Delegated | Read all groups |
Mail.ReadWrite | Delegated | Read and write access to user mail |
For background processing
Permission | Type | Description |
Calendars.Read | Application | Read calendars in all mailboxes |
Contacts.Read | Application | Read contacts in all mailboxes |
Directory.Read.All | Application | Read directory data |
Group.Read.All | Application | Read all groups |
Mail.Read | Application | Read mail in all mailboxes |
User.Read.All | Application | Read all users' full profiles |
Admin group
Inside DotAlign, one (or more) Azure AD security group(s) must be designated as the "Admin group". Doing this gives the group's members an application level administrative role inside DotAlign, allowing them to perform tasks like setting up teams and adding members etc. This group is specified by adding its GUID to an application setting on the web app. To be clear, membership in this group does not grant any additional rights outside of the DotAlign solution.
The setting used to specify the admin group is "AzureAd:DotAlignAdminGroupIds:0", and its value must be the GUID of the group in Azure AD.
Redirect URI
To enable interactive authentication, a redirect URI needs to be specified within the app registration. This can be done by going to the "Authentication" section of the app registration and clicking on the "Add a platform" button. Then choose "Single-page application" as your platform, and add the following URI in the space provided.
https://<BASE_URI>/aad-auth
Access via managed identity
The following permissions need to be applied only in the case where the web app and function app are using managed identity to connect to the database and storage account.
Database access
The web and function apps communicate with the database using their managed identities. This is done by creating an Azure AD group that has the managed identities of the web app and the function app as members, and then granting that Azure AD group admin rights to the DotAlign database.
Storage account access
The web app and function app also need to be granted access to a designated storage account. This is used for several features (like uploading data) by the web app and also as a part of the function app infrastructure.
To enable this, the following permissions need to be granted to both the web app and the function app.
- Contributor Role
- Storage Blob Data Owner
- Storage Queue Data Contributor
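The database and storage account steps above, as an added PowerShell example (not DotAlign's deployment script). Resource names are placeholders; the group name, the use of Invoke-Sqlcmd, and db_owner as the meaning of "admin rights" are assumptions.

```powershell
# Added example, not DotAlign's deployment script. Assumes the Az modules
# (Az.Accounts, Az.Resources, Az.Websites, Az.Functions, Az.Storage) and the
# SqlServer module are installed and Connect-AzAccount has been run as a user
# who is also the Azure AD admin of the SQL server. Names are placeholders.
$rg        = "<RESOURCE_GROUP>"
$webApp    = "<WEB_APP_NAME>"        # Falcon
$funcApp   = "<FUNCTION_APP_NAME>"   # Gator
$storage   = "<STORAGE_ACCOUNT_NAME>"
$sqlServer = "<SQL_SERVER_NAME>"     # without .database.windows.net
$database  = "dotalign"
$groupName = "dotalign-db-access"    # assumed group name

# 1. System-assigned managed identities of both apps (they must already be enabled).
$webId  = (Get-AzWebApp -ResourceGroupName $rg -Name $webApp).Identity.PrincipalId
$funcId = (Get-AzFunctionApp -ResourceGroupName $rg -Name $funcApp).IdentityPrincipalId
if (-not $webId -or -not $funcId) { throw "Enable system-assigned identity on both apps first." }

# 2. One Azure AD security group holding both identities; the database trusts
#    this group rather than the individual identities.
$group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName -SecurityEnabled
foreach ($id in @($webId, $funcId)) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $id
}

# 3. Admin rights on the DotAlign database for the group. db_owner is assumed to be
#    what "admin rights" means here; the grant is scoped to the one database, not
#    the server. A newly created group can take a moment to replicate before
#    CREATE USER ... FROM EXTERNAL PROVIDER resolves it.
$tsql = @"
CREATE USER [$groupName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [$groupName];
"@
$token = (Get-AzAccessToken -ResourceUrl "https://database.windows.net/").Token
# Recent Az.Accounts versions return the token as a SecureString; unwrap it if so (PowerShell 7+).
if ($token -is [System.Security.SecureString]) { $token = ConvertFrom-SecureString $token -AsPlainText }
Invoke-Sqlcmd -ServerInstance "$sqlServer.database.windows.net" -Database $database -AccessToken $token -Query $tsql

# 4. The three storage roles listed above, scoped to the one storage account, for each identity.
$storageId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Id
foreach ($id in @($webId, $funcId)) {
    foreach ($role in @("Contributor", "Storage Blob Data Owner", "Storage Queue Data Contributor")) {
        New-AzRoleAssignment -ObjectId $id -RoleDefinitionName $role -Scope $storageId | Out-Null
    }
}
```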
Settings
Besides the permissions related to the database and the storage account, certain settings/configuration are also required for the solution to work as expected.
Settings for both the web app (Falcon) and the function app (Gator)
The following settings need to be applied to both Falcon and Gator.
Setting name | Sample setting value | Required | Description |
APPINSIGHTS_INSTRUMENTATIONKEY | 5a68d772-431c-45f7-b036-b40daba75a3a | No | This allows collection of infrastructure metrics into Azure AppInsights |
APPLICATIONINSIGHTS_CONNECTION_STRING | InstrumentationKey=ac72ed37-4df4-4e46-afa1-1f1dce684d91 | No | This is the connection string to AppInsights |
ApplicationInsightsAgent_EXTENSION_VERSION | ~2 | No | |
ASPNETCORE_DETAILEDERRORS | | No | |
AzureAd:Audience | 3abdafd6-7d1b-4c68-af9b-c57b2c922ebf | Yes | Client Id of the app registration |
AzureAd:CallbackPath | /signin-oidc | Yes | Call back path for authentication |
AzureAd:ClientId | f8290b25-192e-4f7d-aa66-2b88da8f6896 | Yes | Client Id of the app registration |
AzureAd:ClientSecret | jlhsldfyg%^&HGGFLFTOIu98qwydo7 | Yes | Client secret for app registration |
AzureAd:Domain | dotalign.com | Yes | Domain of the organization |
AzureAd:DotAlignAdminGroupIds:0 | 89dd658a-0574-4178-a684-29d6576b61d6 | Yes | GUID of designated Azure AD admin group |
AzureAd:GraphResource | https://graph.microsoft.com/ | Yes | Microsoft Graph URL |
AzureAd:GraphResourceEndPoint | v1.0 | Yes | Microsoft Graph version |
AzureAd:Instance | https://login.microsoftonline.com/ | Yes | Microsoft authentication URL |
AzureAd:TenantId | 115144a9-504a-40ac-8064-82f8e28586f3 | Yes | Tenant ID |
AzureFunctions:Storage | gvddtolleejmfstorage | Yes | Name of the storage account |
AzureKeyVault:VaultName | lqodtsqw-kv | No | Name of the Azure key vault |
Db:ConnectionTimeout | 60 | No | |
Db:DatabaseName | dotalign | Yes | |
Db:DatabaseType | Azure | No | |
Db:Login | sqm | No, in case of managed identity | |
Db:Password | dsdfsdf | No, in case of managed identity | |
Db:ServerName | sdsdfmvvqq-db | Yes | |
Db:UseManagedIdentity | true | Yes | |
DiagnosticServices_EXTENSION_VERSION | ~3 | Yes | |
DotAlignCloudHub:ApiKey | sdsdasdasd | No | This is not strictly required for the web app to run but is required to support market data functionality inside the DotAlign web app. |
Logging:ComponentName | FAL | Yes | The high level component that this app represents. Used for log organization. |
Logging:DeploymentName | managed | Yes | The name of the Azure resource group into which DotAlign is deployed |
Logging:UseAzureStorageLogging | | No | |
Logging:UseLocalFileLogging | | No | |
Logging:UseLoggly | True | No | |
SqlClient:StepCommandTimeout | 600 | No | |
SqlClient:FirstRetryWaitPeriodInSeconds | 5 | No | |
SqlClient:IsolationLevel | ReadCommitted | No | |
SqlClient:LastRetryWaitPeriodInSeconds | 60 | No | |
SqlClient:LogSlowQueries | true | No | |
SqlClient:RetryTransientErrors | 5 | No | |
WEBSITE_DNS_SERVER | 168.3.19.16 | Yes | https://learn.microsoft.com/en-us/azure/app-service/reference-app-settings?tabs=kudu%2Cdotnet#domain-and-dns |
WEBSITE_VNET_ROUTE_ALL | 1 | Yes | |
Function app (Gator) only settings
In addition to the settings that apply to both Falcon and Gator, there are a handful of additional settings that need to be applied to just Gator.
Setting name | Sample setting value | Required | Description |
WebApp:WebAppUrl | | Yes | The URL of the associated web app |
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING | gvddtolleejmfstorage | Yes | |
FUNCTION_APP_EDIT_MODE | readonly | Yes | |
FUNCTIONS_EXTENSION_VERSION | ~4 | Yes | |
FUNCTIONS_WORKER_RUNTIME | dotnet-isolated | Yes | |
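Applying the required settings from the two tables above (the shared ones and the Gator-only ones) as an added PowerShell example, not DotAlign's deployment script. Values are placeholders; the Key Vault reference for the client secret and the Gator component name are assumptions, and the point shown is that Set-AzWebApp replaces the whole settings collection while Update-AzFunctionAppSetting merges.

```powershell
# Added example, not DotAlign's deployment script. Assumes Az.Websites and
# Az.Functions are installed and Connect-AzAccount has been run. Values are
# placeholders. The client secret is supplied as an App Service Key Vault
# reference (an assumption, not something the page states); the app's managed
# identity needs "get" access to that secret for the reference to resolve.
$rg = "<RESOURCE_GROUP>"; $webApp = "<WEB_APP_NAME>"; $funcApp = "<FUNCTION_APP_NAME>"

# Settings the tables mark as required for both Falcon and Gator.
$common = @{
    "AzureAd:Instance"                     = "https://login.microsoftonline.com/"
    "AzureAd:TenantId"                     = "<TENANT_ID>"
    "AzureAd:ClientId"                     = "<APP_REGISTRATION_CLIENT_ID>"
    "AzureAd:Audience"                     = "<APP_REGISTRATION_CLIENT_ID>"
    "AzureAd:ClientSecret"                 = "@Microsoft.KeyVault(VaultName=<VAULT_NAME>;SecretName=<SECRET_NAME>)"
    "AzureAd:CallbackPath"                 = "/signin-oidc"
    "AzureAd:Domain"                       = "<ORG_DOMAIN>"
    "AzureAd:DotAlignAdminGroupIds:0"      = "<ADMIN_GROUP_GUID>"
    "AzureAd:GraphResource"                = "https://graph.microsoft.com/"
    "AzureAd:GraphResourceEndPoint"        = "v1.0"
    "AzureFunctions:Storage"               = "<STORAGE_ACCOUNT_NAME>"
    "Db:ServerName"                        = "<SQL_SERVER_NAME>"
    "Db:DatabaseName"                      = "dotalign"
    "Db:UseManagedIdentity"                = "true"   # Db:Login / Db:Password are then not needed
    "Logging:DeploymentName"               = $rg
    "DiagnosticServices_EXTENSION_VERSION" = "~3"
    "WEBSITE_DNS_SERVER"                   = "168.3.19.16"
    "WEBSITE_VNET_ROUTE_ALL"               = "1"
}

# Falcon: Set-AzWebApp -AppSettings REPLACES every setting on the app, so merge
# the existing collection first or unrelated settings silently disappear.
$site   = Get-AzWebApp -ResourceGroupName $rg -Name $webApp
$merged = @{}
foreach ($s in $site.SiteConfig.AppSettings) { $merged[$s.Name] = $s.Value }
foreach ($k in $common.Keys) { $merged[$k] = $common[$k] }
$merged["Logging:ComponentName"] = "FAL"
Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AppSettings $merged | Out-Null

# Gator: Update-AzFunctionAppSetting merges, so only the additions are needed.
$gator = $common.Clone()
$gator["Logging:ComponentName"]                     = "<GATOR_COMPONENT_NAME>"
$gator["WebApp:WebAppUrl"]                          = "https://<BASE_URI>"
$gator["WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"]  = "<CONTENT_SHARE_CONNECTION_STRING>"
$gator["FUNCTION_APP_EDIT_MODE"]                    = "readonly"
$gator["FUNCTIONS_EXTENSION_VERSION"]               = "~4"
$gator["FUNCTIONS_WORKER_RUNTIME"]                  = "dotnet-isolated"
Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $funcApp -AppSetting $gator | Out-Null
```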