Azure or BYO-AZURE (Bring Your Own Azure Account)
# Azure Bring Your Own Cloud (BYOC) - Permissions Guide
## Overview
This guide explains the Azure permissions and configuration required for customers who want to deploy Elestio services in their own Azure subscription. By connecting your Azure account, Elestio will create and manage resources directly in your Azure environment.
## Prerequisites
Before connecting your Azure subscription to Elestio, ensure you have:
- An active Azure subscription
- Global Administrator, Privileged Role Administrator, or Application Administrator role in Azure AD
- Contributor role on the target Azure subscription (or ability to assign it)
---
## Required Azure Permissions
### Minimum Required Role
**Role**: `Contributor`
**Scope**: Subscription level
**Why**: This role allows Elestio to create, manage, and delete resources in your subscription while preventing it from modifying access controls or role assignments.
### Alternative: Custom Role (Advanced)
If your organization requires granular permissions, you can create a custom role with the following permissions:
```json
{
  "Name": "Elestio Service Manager",
  "Description": "Custom role for Elestio to manage cloud resources",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.RecoveryServices/vaults/*",
    "Microsoft.RecoveryServices/register/action",
    "Microsoft.Authorization/locks/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{your-subscription-id}"
  ]
}
```
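Before creating a custom role like the one above, it is worth checking that it keeps the property this guide gives for Contributor: no ability to change access controls or role assignments. The following check is an added example, not Elestio's code; the list of access-control operations and the management group name in the counter-example are assumptions chosen for illustration.

```python
import fnmatch

# Operations that change who has access (illustrative list, not exhaustive).
ACCESS_CONTROL_OPS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
]

# The custom role from this guide, with the page's subscription placeholder.
ELESTIO_ROLE = {
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/publicIPAddresses/*",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.RecoveryServices/vaults/*",
        "Microsoft.RecoveryServices/register/action",
        "Microsoft.Authorization/locks/*",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/{your-subscription-id}"],
}

# Constructed counter-example: a wider wildcard and a management group scope.
TOO_BROAD = {"Actions": ["Microsoft.Authorization/*"], "NotActions": [],
             "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/example-mg"]}

def _matches(patterns, op):
    # Action strings are case-insensitive and `*` spans path segments.
    return any(fnmatch.fnmatchcase(op.lower(), p.lower()) for p in patterns)

def allows(role, op):
    """True if Actions grant op and NotActions do not subtract it."""
    return _matches(role.get("Actions", []), op) and not _matches(role.get("NotActions", []), op)

def lint_role(role):
    findings = [f"grants {op}" for op in ACCESS_CONTROL_OPS if allows(role, op)]
    for scope in role.get("AssignableScopes", []):
        parts = scope.strip("/").split("/")
        if len(parts) < 2 or parts[0].lower() != "subscriptions":
            findings.append(f"assignable scope is broader than one subscription: {scope}")
    return findings

if __name__ == "__main__":
    for name, role in (("Elestio Service Manager", ELESTIO_ROLE), ("too broad", TOO_BROAD)):
        print(name, lint_role(role) or "no access-control findings")
```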
---
## What Resources Will Elestio Create?
When you deploy services through Elestio using your Azure subscription, the following resources are created:
| Resource Type | Purpose |
|---------------|---------|
| **Resource Groups** | Logical containers for all resources (named `elestio-{region}`) |
| **Virtual Machines** | Compute instances for your applications |
| **Managed Disks** | Storage for VM operating systems and data |
| **Virtual Networks** | Network isolation for your services |
| **Network Interfaces** | Connect VMs to virtual networks |
| **Public IP Addresses** | IPv4 and IPv6 addresses for external access |
| **Network Security Groups** | Firewall rules to control network traffic |
| **Storage Accounts** | Object storage for backups and data |
| **Recovery Services Vaults** | Backup and disaster recovery services |
| **Resource Locks** | Prevent accidental deletion of critical resources |
---
## OAuth Scope Required
Elestio uses the following OAuth 2.0 scope to access your Azure subscription:
```
https://management.azure.com/user_impersonation
```
This scope allows Elestio to perform actions on your behalf through the Azure Resource Manager API.
---
## Step-by-Step Setup Guide
### Step 1: Assign Contributor Role to Your User Account
1. Open the Azure Portal
2. Navigate to **Subscriptions**
3. Select the subscription you want to use with Elestio
4. Click **Access control (IAM)** in the left sidebar
5. Click **+ Add** → **Add role assignment**
6. In the **Role** tab:
   - Search for and select **Contributor**
   - Click **Next**
7. In the **Members** tab:
   - Select **User, group, or service principal**
   - Click **+ Select members**
   - Search for and select your user account
   - Click **Next**
8. In the **Review + assign** tab:
   - Review the settings
   - Click **Review + assign**

**Verification**: You should see your user account listed with the Contributor role under "Role assignments" in the IAM section.
---
### Step 2: Register Elestio Application in Azure AD
When you connect your Azure account through the Elestio dashboard:
1. Log in to your Elestio account
2. Navigate to your project settings
3. Go to **Cloud Providers** → **Azure**
4. Click **Connect Azure Account**
5. Enter your **Azure Tenant ID** (found in Azure AD → Overview)
6. Click **Authorize**

You will be redirected to the Microsoft login page.
---
### Step 3: Grant Admin Consent
After clicking Authorize, you'll see the Microsoft permissions consent screen:
1. Review the requested permissions:
   - This allows Elestio to manage Azure resources on your behalf
2. If prompted, sign in with an account that has admin privileges
3. Click **Accept** to grant consent

**Note**: If you don't have sufficient privileges, contact your Azure AD administrator to grant consent.
---
### Step 4: Select Subscription
1. After authorization, you'll return to the Elestio dashboard
2. Select the Azure subscription where you want to deploy resources
3. Click **Save**

Your Azure account is now connected to Elestio!
---
## Security Best Practices
### 1. Use Dedicated Subscriptions
For production environments, consider using a dedicated Azure subscription for Elestio-managed resources. This provides:
- Clear cost tracking and billing
- Isolation from other workloads
- Simplified auditing and compliance
### 2. Enable Azure Activity Log
Monitor all Elestio actions in your subscription:
1. Go to **Azure Monitor** → **Activity Log**
2. Set up alerts for critical operations:
- Resource deletion
- Role assignment changes
- Network security group modifications
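The three alert categories above can be expressed as a filter over Activity Log records. This is an added example, not part of Elestio's tooling: the records are constructed, the field names are an assumption modelled on the exported log, and the resource-group test uses the `elestio-{region}` naming this guide describes to separate changes inside Elestio-managed groups from changes elsewhere in the subscription.

```python
import re

# Constructed Activity Log records cut down to three fields. The field names
# are an assumption modelled on the exported log; every value is made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Compute/virtualMachines/write", "caller": "elestio-user@example.com",
     "resourceId": SUB + "/resourceGroups/elestio-eastus/providers/Microsoft.Compute/virtualMachines/my-postgres-db"},
    {"operationName": "Microsoft.Compute/virtualMachines/delete", "caller": "elestio-user@example.com",
     "resourceId": SUB + "/resourceGroups/elestio-eastus/providers/Microsoft.Compute/virtualMachines/my-postgres-db"},
    {"operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "caller": "elestio-user@example.com",
     "resourceId": SUB + "/resourceGroups/elestio-eastus/providers/Microsoft.Network/networkSecurityGroups/my-postgres-db/securityRules/allow-ssh"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "admin@example.com",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
    {"operationName": "Microsoft.Storage/storageAccounts/delete", "caller": "elestio-user@example.com",
     "resourceId": SUB + "/resourceGroups/finance-prod/providers/Microsoft.Storage/storageAccounts/ledgerdata"},
]

RG_RE = re.compile(r"/resourceGroups/([^/]+)", re.IGNORECASE)
ELESTIO_RG_RE = re.compile(r"^elestio-[a-z0-9]+$", re.IGNORECASE)

def classify(operation):
    """Map an operation name to one of the three alert categories, or None."""
    op = operation.lower()
    if not op.endswith(("/write", "/delete")):
        return None
    if op.startswith("microsoft.authorization/roleassignments/"):
        return "role-assignment-change"
    if op.startswith("microsoft.network/networksecuritygroups/"):
        return "nsg-modification"
    return "resource-deletion" if op.endswith("/delete") else None

def alerts(events):
    """Return (category, caller, resource_group, in_elestio_group) per hit."""
    hits = []
    for ev in events:
        category = classify(ev["operationName"])
        if category is None:
            continue
        m = RG_RE.search(ev["resourceId"])
        rg = m.group(1) if m else None
        hits.append((category, ev["caller"], rg, bool(rg and ELESTIO_RG_RE.match(rg))))
    return hits

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

A deletion by the connected account in a resource group that does not match `elestio-{region}` is the row to look at first.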
### 3. Review Resource Locks
Elestio automatically creates resource locks on VMs to prevent accidental deletion. To view them:
1. Navigate to your VM resource
2. Click **Locks** in the left sidebar
3. You'll see a lock named after your VM
### 4. Regular Access Reviews
Periodically review who has access to your Azure subscription:
1. Go to **Subscriptions** → **Access control (IAM)**
2. Click **Role assignments**
3. Verify that only authorized users have Contributor or higher roles
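The same review can be run over exported role assignments. This is an added example, not Elestio's code: the rows are constructed in the shape of `az role assignment list` JSON output (`principalName`, `roleDefinitionName`, `scope`), and the set of roles treated as "Contributor or higher" and the allow-list are assumptions to adapt to your tenant.

```python
# Roles treated as "Contributor or higher" (assumption for this example).
PRIVILEGED = {"owner", "contributor", "user access administrator"}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

SUB_ID = "00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [  # constructed rows
    {"principalName": "alice@example.com", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
    {"principalName": "carol@example.com", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/elestio-eastus"},
    {"principalName": "ci-deployer", "roleDefinitionName": "User Access Administrator",
     "scope": f"/subscriptions/{SUB_ID}/"},
]

def review(assignments, subscription_id, authorized):
    """List privileged assignments on or above the subscription that are
    held by principals outside the authorized set (lower-case names)."""
    sub = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for a in assignments:
        if a["roleDefinitionName"].lower() not in PRIVILEGED:
            continue
        scope = a["scope"].rstrip("/").lower()
        if scope == sub:
            where = "subscription"
        elif scope == "" or scope.startswith(MG_PREFIX):
            where = "inherited"  # root or management group; may apply to this subscription
        else:
            continue  # narrower than the subscription, or a different subscription
        if a["principalName"].lower() not in authorized:
            findings.append((a["principalName"], a["roleDefinitionName"], where))
    return findings

if __name__ == "__main__":
    for row in review(SAMPLE_ASSIGNMENTS, SUB_ID, {"alice@example.com"}):
        print(row)
```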
---
## Understanding Resource Naming Conventions
Elestio uses consistent naming patterns for created resources:
| Resource | Naming Pattern | Example |
|----------|----------------|---------|
| Resource Group | `elestio-{region}` | `elestio-eastus` |
| VM | `{service-name}` | `my-postgres-db` |
| Public IPv4 | `{service-name}_ipv4` | `my-postgres-db_ipv4` |
| Public IPv6 | `{service-name}_ipv6` | `my-postgres-db_ipv6` |
| Network Interface | `{service-name}` | `my-postgres-db` |
| Network Security Group | `{service-name}` | `my-postgres-db` |
| Virtual Network | `elestio_{region}_vnet` | `elestio_eastus_vnet` |
| Recovery Vault | `{display-name}` | Service display name |
| Backup Policy | `elestioBackup` | `elestioBackup` |
---
## Backup and Recovery
### Automatic Backups
Elestio automatically enables Azure Backup for services with support levels 2 and 3:
- **Daily backups** are configured using Azure Recovery Services
- **Backup retention**: Configurable based on your backup policy
- **Recovery points** are stored in Recovery Services Vaults
### Manual Backups (Snapshots)
You can trigger manual snapshots through the Elestio dashboard. These are:
- Created using Azure Backup on-demand
- Stored in the same Recovery Services Vault
- Default retention: 2 days (configurable)
### Backup Costs
Azure Backup costs are charged directly to your Azure subscription based on:
- Protected instance size
- Storage consumed by recovery points
- Refer to [Azure Backup Pricing](https://azure.microsoft.com/en-us/pricing/details/backup/) for details
---
## Cost Management
### Viewing Costs
1. Navigate to **Cost Management + Billing** in Azure Portal
2. Select your subscription
3. Go to **Cost analysis**
4. Filter by resource group: `elestio-*`
### Cost Optimization Tips
1. **Right-size VMs**: Choose the appropriate VM size for your workload
2. **Use Reserved Instances**: For long-running services, consider Azure Reserved VM Instances (up to 72% savings)
3. **Stop Unused VMs**: Deallocate VMs when not in use to avoid compute charges
4. **Monitor Backup Storage**: Review and delete old recovery points if not needed
---
## Troubleshooting
### Error: "Insufficient permissions"
**Cause**: Your user account doesn't have the required Contributor role.
**Solution**:
1. Verify role assignment in Subscriptions → Access control (IAM)
2. Ensure the Contributor role is assigned at the subscription level, not resource group level
3. Wait 5-10 minutes for permissions to propagate
---
### Error: "Admin consent required"
**Cause**: The Elestio application requires admin consent for the `user_impersonation` scope.
**Solution**:
1. Contact your Azure AD administrator
2. Ask them to grant admin consent through Azure AD → Enterprise applications → Elestio → Permissions
3. Alternatively, have an admin complete the authorization flow
---
### Error: "Provider not registered"
**Cause**: The `Microsoft.RecoveryServices` resource provider is not registered in your subscription.
**Solution**:
Elestio automatically registers required providers, but you can manually register:
1. Go to **Subscriptions** → Select your subscription
2. Click **Resource providers**
3. Find `Microsoft.RecoveryServices`
4. Click **Register**
---
### Error: "Quota exceeded"
**Cause**: Your subscription has reached the limit for a specific resource type (e.g., CPU cores, public IPs).
**Solution**:
1. Go to **Subscriptions** → **Usage + quotas**
2. View current usage and limits
3. Request a quota increase through **Support** → **New support request**
---
### Resources Not Appearing in Azure Portal
**Cause**: Resource creation is in progress or failed.
**Solution**:
1. Check the Elestio dashboard for deployment status
2. Review Azure Activity Log for any failed operations:
- Go to **Monitor** → **Activity Log**
- Filter by time range and status: "Failed"
3. Contact Elestio support if issues persist
---
## Data Residency and Compliance
### Data Location
- All resources are created in the Azure region you select during service deployment
- Data does not leave your selected region unless you configure cross-region replication
- Elestio does not have direct access to your data; all access is through your Azure credentials
### Compliance
Your Azure subscription maintains its existing compliance certifications. Elestio's operations are subject to:
- Your Azure subscription's compliance settings
- Azure's compliance certifications (SOC 2, ISO 27001, HIPAA, etc.)
- Your organization's governance policies
---
## Disconnecting Your Azure Account
If you need to disconnect your Azure account from Elestio:
### Important: Before Disconnecting
1. **Delete all services** deployed through Elestio first
2. This prevents orphaned resources that you'll need to manually clean up
3. Review your Azure subscription to ensure no Elestio resources remain
### Disconnection Steps
1. Go to Elestio dashboard → Project settings
2. Navigate to **Cloud Providers** → **Azure**
3. Click **Disconnect**
4. Confirm the disconnection
### Post-Disconnection Cleanup
1. Review resource groups named `elestio-*` in Azure Portal
2. Delete any remaining resources if needed
3. Remove role assignments in Subscriptions → Access control (IAM) if desired
4. Revoke application consent in Azure AD → Enterprise applications → Elestio
---
## FAQ
### Q: Can Elestio access my existing Azure resources?
**A**: Yes, with the Contributor role, Elestio has read/write access to resources in your subscription. However, Elestio only creates and manages resources specifically for your Elestio services. It does not modify or access unrelated resources.
### Q: Can I use an existing resource group?
**A**: Elestio automatically creates resource groups per region (e.g., `elestio-eastus`). This ensures proper organization and prevents conflicts with your existing resources.
### Q: What happens if I delete a resource manually in Azure?
**A**: Deleting Elestio-managed resources directly in Azure Portal may cause:
- Service outages
- Inconsistencies between Elestio dashboard and actual state
- Inability to manage the service through Elestio
Always delete services through the Elestio dashboard.
### Q: Are resource locks applied to all resources?
**A**: Elestio applies resource locks specifically to Virtual Machines to prevent accidental deletion. Other resources (NICs, disks, IPs) are not locked to allow proper cleanup during service deletion.
### Q: Can I use Service Principal instead of user account?
**A**: Currently, Elestio uses delegated user authentication (`user_impersonation` scope). Service Principal authentication may be supported in future releases.
### Q: How are secrets and credentials stored?
**A**: Azure authentication tokens are encrypted and stored securely in Elestio's database. Elestio uses these tokens only to manage resources on your behalf. Tokens are automatically refreshed as needed.
### Q: What is the tenant ID and where do I find it?
**A**: Your Tenant ID (also called Directory ID) identifies your Azure AD tenant. To find it:
1. Go to **Azure Active Directory** → **Overview**
2. Copy the **Tenant ID** field
3. Paste it in Elestio when connecting your Azure account
### Q: Can multiple Elestio projects use the same Azure subscription?
**A**: Yes, you can connect the same Azure subscription to multiple Elestio projects. Resources will still be organized in region-specific resource groups.
### Q: What regions are supported?
**A**: Elestio supports all Azure regions where the required services (Compute, Network, Storage, Recovery Services) are available. You can select your preferred region when creating a service.
---
## Support
### Elestio Support
For issues with:
- Connecting your Azure account
- Service deployments
- Elestio dashboard functionality
Contact: [support@elest.io](mailto:support@elest.io)
### Azure Support
For issues with:
- Azure subscription limits
- Billing and costs
- Azure service availability
Visit: [Azure Support](https://azure.microsoft.com/en-us/support/options/)
---
## Additional Resources
- [Azure RBAC Documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/)
- [Azure Backup Documentation](https://docs.microsoft.com/en-us/azure/backup/)
- [Azure Cost Management](https://docs.microsoft.com/en-us/azure/cost-management-billing/)
- [Elestio Documentation](https://docs.elest.io)
---
**Last Updated**: December 24, 2025
**Document Version**: 1.0