Azure or BYO-AZURE (Bring Your Own Azure Account)

# Azure Bring Your Own Cloud (BYOC) - Permissions Guide

## Overview

This guide explains the Azure permissions and configuration required for customers who want to deploy Elestio services in their own Azure subscription. By connecting your Azure account, Elestio will create and manage resources directly in your Azure environment.



## Prerequisites

Before connecting your Azure subscription to Elestio, ensure you have:

- An active Azure subscription
- Global Administrator, Privileged Role Administrator, or Application Administrator role in Azure AD
- Contributor role on the target Azure subscription (or ability to assign it)

---


## Required Azure Permissions

### Minimum Required Role

**Role**: `Contributor`

**Scope**: Subscription level

**Why**: This role allows Elestio to create, manage, and delete resources in your subscription while preventing it from modifying access controls or role assignments.



### Alternative: Custom Role (Advanced)

If your organization requires granular permissions, you can create a custom role with the following permissions:


```json
{
  "Name": "Elestio Service Manager",
  "Description": "Custom role for Elestio to manage cloud resources",
  "Actions": [
  "Microsoft.Resources/subscriptions/resourceGroups/*",
  "Microsoft.Compute/virtualMachines/*",
  "Microsoft.Compute/disks/*",
  "Microsoft.Network/virtualNetworks/*",
  "Microsoft.Network/networkInterfaces/*",
  "Microsoft.Network/networkSecurityGroups/*",
  "Microsoft.Network/publicIPAddresses/*",
  "Microsoft.Storage/storageAccounts/*",
  "Microsoft.RecoveryServices/vaults/*",
  "Microsoft.RecoveryServices/register/action",
  "Microsoft.Authorization/locks/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
  "/subscriptions/{your-subscription-id}"
  ]
}
```
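A custom role tends to accumulate extra actions over time. The following check is an added example, not Elestio's own tooling: it compares a role definition against the action list above and flags anything that would reintroduce access-control rights or widen the assignable scope. `DRIFTED_ROLE` is constructed sample data and the finding labels are this example's own.

```python
import re

# Actions listed in this guide's "Elestio Service Manager" custom role.
GUIDE_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.RecoveryServices/vaults/*",
    "Microsoft.RecoveryServices/register/action",
    "Microsoft.Authorization/locks/*",
]
GUIDE_LOWER = {a.lower() for a in GUIDE_ACTIONS}  # action names are case-insensitive
ONE_SUBSCRIPTION = re.compile(r"/subscriptions/[^/]+")

def audit_role(role):
    """Return a list of findings for a custom role definition given as a dict."""
    findings = []
    for action in role.get("Actions", []):
        low = action.lower()
        is_authz = low.startswith("microsoft.authorization/")
        if is_authz and not low.startswith("microsoft.authorization/locks/"):
            # Anything under Microsoft.Authorization other than locks touches access control.
            findings.append("access-control action: " + action)
        elif action == "*" or re.fullmatch(r"[^/]+/\*", action):
            # "*" or a whole-provider wildcard such as "Microsoft.Compute/*".
            findings.append("broad wildcard: " + action)
        elif low not in GUIDE_LOWER:
            findings.append("not in guide: " + action)
    for scope in role.get("AssignableScopes", []):
        if not ONE_SUBSCRIPTION.fullmatch(scope):
            findings.append("scope is not a single subscription: " + scope)
    return findings

# The role exactly as written in this guide (placeholder subscription id kept).
GUIDE_ROLE = {"Actions": list(GUIDE_ACTIONS),
              "AssignableScopes": ["/subscriptions/{your-subscription-id}"]}

# Constructed example of a role that has drifted from the guide.
DRIFTED_ROLE = {"Actions": ["Microsoft.Compute/virtualMachines/*",
                            "Microsoft.Authorization/roleAssignments/write",
                            "Microsoft.KeyVault/vaults/*", "*"],
                "AssignableScopes": ["/"]}
```

`audit_role(GUIDE_ROLE)` returns an empty list; the drifted role produces one finding per problem.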


---

## What Resources Will Elestio Create?

When you deploy services through Elestio using your Azure subscription, the following resources will be created:

| Resource Type | Purpose |
|---------------|---------|
| **Resource Groups** | Logical containers for all resources (named `elestio-{region}`) |
| **Virtual Machines** | Compute instances for your applications |
| **Managed Disks** | Storage for VM operating systems and data |
| **Virtual Networks** | Network isolation for your services |
| **Network Interfaces** | Connect VMs to virtual networks |
| **Public IP Addresses** | IPv4 and IPv6 addresses for external access |
| **Network Security Groups** | Firewall rules to control network traffic |
| **Storage Accounts** | Object storage for backups and data |
| **Recovery Services Vaults** | Backup and disaster recovery services |
| **Resource Locks** | Prevent accidental deletion of critical resources |


---

## OAuth Scope Required

Elestio uses the following OAuth 2.0 scope to access your Azure subscription:

```
https://management.azure.com/user_impersonation
```

This scope allows Elestio to perform actions on your behalf through the Azure Resource Manager API.


---

## Step-by-Step Setup Guide

### Step 1: Assign Contributor Role to Your User Account

1. Open the Azure Portal
2. Navigate to **Subscriptions**
3. Select the subscription you want to use with Elestio
4. Click **Access control (IAM)** in the left sidebar
5. Click **+ Add** → **Add role assignment**
6. In the **Role** tab:
   - Search for and select **Contributor**
   - Click **Next**
7. In the **Members** tab:
   - Select **User, group, or service principal**
   - Click **+ Select members**
   - Search for and select your user account
   - Click **Select**
   - Click **Next**
8. In the **Review + assign** tab:
   - Review the settings
   - Click **Review + assign**

**Verification**: You should see your user account listed with the Contributor role under "Role assignments" in the IAM section.

---

### Step 2: Register Elestio Application in Azure AD

When you connect your Azure account through the Elestio dashboard:

1. Log in to your Elestio account
2. Navigate to your project settings
3. Go to **Cloud Providers** → **Azure**
4. Click **Connect Azure Account**
5. Enter your **Azure Tenant ID** (found in Azure AD Overview)
6. Click **Authorize**

You will be redirected to the Microsoft login page.



---

### Step 3: Grant Admin Consent

After clicking Authorize, you'll see the Microsoft permissions consent screen:

1. Review the requested permissions:
   - **Access Azure Service Management as you** (`user_impersonation` scope)
   - This allows Elestio to manage Azure resources on your behalf
2. If prompted, sign in with an account that has admin privileges
3. Click **Accept** to grant consent

**Note**: If you don't have sufficient privileges, contact your Azure AD administrator to grant consent.


---

### Step 4: Select Subscription

1. After authorization, you'll return to the Elestio dashboard
2. Select the Azure subscription where you want to deploy resources
3. Click **Save**

Your Azure account is now connected to Elestio!

---

## Security Best Practices

### 1. Use Dedicated Subscriptions

For production environments, consider using a dedicated Azure subscription for Elestio-managed resources. This provides:

- Clear cost tracking and billing
- Isolation from other workloads
- Easier auditing and compliance

### 2. Enable Azure Activity Log

Monitor all Elestio actions in your subscription:

1. Go to **Azure Monitor** → **Activity Log**
2. Set up alerts for critical operations:
   - Resource deletion
   - Role assignment changes
   - Network security group modifications
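The three alert categories above can also be checked offline against an exported Activity Log. This is an added example, not part of Elestio's or Azure's tooling; the field names (`operationName.value`, `status.value`, `caller`, `resourceId`) are assumed to match the JSON returned by `az monitor activity-log list`, and every event below is constructed sample data.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
RG = SUB + "/resourceGroups/"

def make_event(op, status, resource_id, caller="ops@example.com"):
    """Build one constructed event using the assumed export field names."""
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": caller, "resourceId": resource_id}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    make_event("Microsoft.Compute/virtualMachines/delete", "Succeeded",
               RG + "elestio-eastus/providers/Microsoft.Compute/virtualMachines/my-postgres-db"),
    make_event("Microsoft.Authorization/roleAssignments/write", "Succeeded",
               SUB + "/providers/Microsoft.Authorization/roleAssignments/1111"),
    make_event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded",
               RG + "elestio-eastus/providers/Microsoft.Network/networkSecurityGroups/my-postgres-db"),
    make_event("Microsoft.Compute/virtualMachines/start/action", "Succeeded",
               RG + "elestio-eastus/providers/Microsoft.Compute/virtualMachines/my-postgres-db"),
    make_event("Microsoft.Authorization/locks/delete", "Failed",
               RG + "elestio-eastus/providers/Microsoft.Authorization/locks/my-postgres-db"),
    make_event("Microsoft.Storage/storageAccounts/delete", "Succeeded",
               RG + "prod-data/providers/Microsoft.Storage/storageAccounts/reports"),
]
RG_NAME = re.compile(r"/resourceGroups/([^/]+)", re.IGNORECASE)

def classify(operation):
    """Map an operation name to one of the guide's three alert categories, or None."""
    op = operation.lower()
    changed = op.endswith(("/write", "/delete"))
    if changed and op.startswith("microsoft.authorization/roleassignments/"):
        return "role-assignment-change"
    if changed and op.startswith("microsoft.network/networksecuritygroups/"):
        return "nsg-modification"
    if op.endswith("/delete"):
        return "resource-deletion"
    return None

def triage(events):
    """Return alerts for succeeded operations in the three categories."""
    alerts = []
    for ev in events:
        category = classify(ev["operationName"]["value"])
        if category is None or ev["status"]["value"] != "Succeeded":
            continue
        match = RG_NAME.search(ev.get("resourceId", ""))
        group = match.group(1) if match else None
        alerts.append({"category": category, "caller": ev["caller"], "resource_group": group,
                       "elestio_managed": bool(group) and group.lower().startswith("elestio-")})
    return alerts
```

The `elestio_managed` flag uses the `elestio-{region}` resource group naming from this guide to separate changes to Elestio-managed resources from changes elsewhere in the subscription.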

### 3. Review Resource Locks

Elestio automatically creates resource locks on VMs to prevent accidental deletion. To view them:

1. Navigate to your VM resource
2. Click **Locks** in the left sidebar
3. You'll see a lock named after your VM

### 4. Regular Access Reviews

Periodically review who has access to your Azure subscription:

1. Go to **Subscriptions** → **Access control (IAM)**
2. Click **Role assignments**
3. Verify that only authorized users have Contributor or higher roles

---

## Understanding Resource Naming Conventions

Elestio uses consistent naming patterns for created resources:

| Resource | Naming Pattern | Example |
|----------|----------------|---------|
| Resource Group | `elestio-{region}` | `elestio-eastus` |
| VM | `{service-name}` | `my-postgres-db` |
| Public IPv4 | `{service-name}_ipv4` | `my-postgres-db_ipv4` |
| Public IPv6 | `{service-name}_ipv6` | `my-postgres-db_ipv6` |
| Network Interface | `{service-name}` | `my-postgres-db` |
| Network Security Group | `{service-name}` | `my-postgres-db` |
| Virtual Network | `elestio_{region}_vnet` | `elestio_eastus_vnet` |
| Recovery Vault | `{display-name}` | Service display name |
| Backup Policy | `elestioBackup` | `elestioBackup` |


---

## Backup and Recovery

### Automatic Backups

Elestio automatically enables Azure Backup for services with support levels 2 and 3:

- **Daily backups** are configured using Azure Recovery Services
- **Backup retention**: Configurable based on your backup policy
- **Recovery points** are stored in Recovery Services Vaults

### Manual Backups (Snapshots)

You can trigger manual snapshots through the Elestio dashboard. These are:

- Created using Azure Backup on-demand
- Stored in the same Recovery Services Vault
- Default retention: 2 days (configurable)

### Backup Costs

Azure Backup costs are charged directly to your Azure subscription based on:

- Protected instance size
- Storage consumed by recovery points
- Refer to [Azure Backup Pricing](https://azure.microsoft.com/en-us/pricing/details/backup/) for details

---

## Cost Management

### Viewing Costs

1. Navigate to **Cost Management + Billing** in Azure Portal
2. Select your subscription
3. Go to **Cost analysis**
4. Filter by resource group: `elestio-*`

### Cost Optimization Tips

1. **Right-size VMs**: Choose the appropriate VM size for your workload
2. **Use Reserved Instances**: For long-running services, consider Azure Reserved VM Instances (up to 72% savings)
3. **Stop Unused VMs**: Deallocate VMs when not in use to avoid compute charges
4. **Monitor Backup Storage**: Review and delete old recovery points if not needed

---

## Troubleshooting

### Error: "Insufficient permissions"

**Cause**: Your user account doesn't have the required Contributor role.

**Solution**:

1. Verify role assignment in Subscriptions → Access control (IAM)
2. Ensure the Contributor role is assigned
3. Wait 5-10 minutes for permissions to propagate

---

### Error: "Admin consent required"

**Cause**: The Elestio application requires admin consent for the `user_impersonation` scope.

**Solution**:

1. Contact your Azure AD administrator
2. Ask them to grant admin consent through Azure
3. Alternatively, have an admin complete the authorization flow

---

### Error: "Provider not registered"

**Cause**: The `Microsoft.RecoveryServices` resource provider is not registered in your subscription.

**Solution**:

Elestio automatically registers required providers, but you can manually register:

1. Go to **Subscriptions** → Select your subscription
2. Click **Resource providers**
3. Find `Microsoft.RecoveryServices`
4. Click **Register**

---

### Error: "Quota exceeded"

**Solution**:

1. Go to **Subscriptions** → **Usage + quotas**
2. View current usage and limits
3. Request a quota increase through **Support** → **New support request**

---

### Resources Not Appearing in Azure Portal

**Cause**: Resource creation is in progress or failed.

**Solution**:

1. Check the Elestio dashboard for deployment status
2. Review Azure Activity Log for any failed operations:
   - Go to **Monitor** → **Activity Log**
   - Filter by time range and status: "Failed"
3. Contact Elestio support if issues persist

---

## Data Residency and Compliance

### Data Location

- All resources are created in the Azure region you select during service deployment
- Data does not leave your selected region unless you configure cross-region replication
- Elestio does not have direct access to your data; all access is through your Azure credentials

### Compliance

Your Azure subscription maintains its existing compliance certifications. Elestio's operations are subject to:

- Your Azure subscription's compliance settings
- Azure's compliance certifications (SOC 2, ISO 27001, HIPAA, etc.)
- Your organization's governance policies

---

## Disconnecting Your Azure Account

If you need to disconnect your Azure account from Elestio:

### Important: Before Disconnecting

1. **Delete all services** deployed through Elestio first
2. This prevents orphaned resources that you'll need to manually clean up
3. Review your Azure subscription to ensure no Elestio resources remain

### Disconnection Steps

1. Go to Elestio dashboard → Project settings
2. Navigate to **Cloud Providers** → **Azure**
3. Click **Disconnect**
4. Confirm the disconnection

### Post-Disconnection Cleanup

1. Review resource groups named `elestio-*` in Azure Portal
2. Delete any remaining resources if needed
3. Remove role assignments in Subscriptions → Access control (IAM) if desired
4. Revoke application consent in Azure AD → Enterprise applications → Elestio

---

## FAQ

### Q: Can Elestio access my existing Azure resources?

**A**: Yes, with the Contributor role, Elestio has read/write access to resources in your subscription. However, Elestio only creates and manages resources specifically for your Elestio services. It does not modify or access unrelated resources.

### Q: Can I use an existing resource group?

**A**: Elestio automatically creates resource groups per region (e.g., `elestio-eastus`). This ensures proper organization and prevents conflicts with your existing resources.

### Q: What happens if I delete a resource manually in Azure?

**A**: Deleting Elestio-managed resources directly in Azure Portal may cause:

- Service outages
- Inconsistencies between the Elestio dashboard and actual state
- Inability to manage the service through Elestio

Always delete services through the Elestio dashboard.

### Q: Are resource locks applied to all resources?

**A**: Elestio applies resource locks specifically to Virtual Machines to prevent accidental deletion. Other resources (NICs, disks, IPs) are not locked to allow proper cleanup during service deletion.

### Q: Can I use a Service Principal instead of a user account?

**A**: Currently, Elestio uses delegated user authentication (`user_impersonation` scope). Service Principal authentication may be supported in future releases.

### Q: How are secrets and credentials stored?

**A**: Azure authentication tokens are encrypted and stored securely in Elestio's database. Elestio uses these tokens only to manage resources on your behalf. Tokens are automatically refreshed as needed.

### Q: What is the tenant ID and where do I find it?

**A**: Your Tenant ID (also called Directory ID) identifies your Azure AD tenant. To find it:

1. Go to **Azure Active Directory** → **Overview**
2. Copy the **Tenant ID** field
3. Paste it in Elestio when connecting your Azure account

### Q: Can multiple Elestio projects use the same Azure subscription?

**A**: Yes, you can connect the same Azure subscription to multiple Elestio projects. Resources will still be organized in region-specific resource groups.

### Q: What regions are supported?

**A**: Elestio supports all Azure regions where the required services (Compute, Network, Storage, Recovery Services) are available. You can select your preferred region when creating a service.

---

## Support

### Elestio Support

For issues with:

- Connecting your Azure account
- Service deployments
- Elestio dashboard functionality

Contact: [support@elest.io](mailto:support@elest.io)

### Azure Support

For issues with:

- Azure subscription limits
- Billing and costs
- Azure service availability

Visit: [Azure Support](https://azure.microsoft.com/en-us/support/options/)

---

## Additional Resources

- [Azure RBAC Documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/)
- [Azure Backup Documentation](https://docs.microsoft.com/en-us/azure/backup/)
- [Azure Cost Management](https://docs.microsoft.com/en-us/azure/cost-management-billing/)
- [Elestio Documentation](https://docs.elest.io)

---

**Last Updated**: December 24, 2025

**Document Version**: 1.0