Configuring the prerequisites

To connect your Azure subscription to Parallels DaaS, you need to complete several preliminary steps.

You can do this in two ways: using a script or manually.

Before you begin

Before configuring prerequisites, make sure that you have the right to create a Standard B1ms instance in your Azure region and subscription.

To configure the prerequisites using a script

To configure prerequisites using a script:

  1. Download the PowerShell script from https://github.com/Parallels/Parallels-DaaS.

  2. Log in to Microsoft Azure with an account with the Owner role in your subscription and the Global Administrator role in Microsoft Entra ID. Make sure that MFA for this account is enabled.

  3. Launch the PowerShell script in PowerShell version 7.3 or later.

  4. The script checks which Azure tenants you have access to. Select the Azure Tenant you want to use.

  5. The script checks which Azure subscriptions you have access to. Select the Azure Subscription you want to use.

  6. The script checks which regions you are able to deploy the resources in. Select the location you want to use.

  7. Provide the name of the application you want to create.

  8. Provide the name of the resource group that will be used for all infrastructure-related resources.

  9. Provide the name of the resource group that will be used for all virtual machines.

  10. (Optional) Provide the name of the Azure Key Vault to create. The App Registration secret will be safely stored in this Azure Key Vault. This name needs to be unique in Azure globally.

  11. Log in to the Microsoft Azure portal.

  12. Open the portal menu and select Microsoft Entra ID.

  13. On the left pane, select App registrations.

  14. Select your application and on the left pane, select API permissions.

  15. Click the Grant admin consent button and then Yes.

Upon completion, all prerequisites will be installed, and the script will output the parameters that you can easily copy to the Azure Subscription wizard.

Next, you need to connect your Microsoft Azure subscription.

To configure the prerequisites manually

To configure prerequisites manually, you need to go through several steps.

Step 1. Create a Microsoft Entra ID application

  1. Log in to the Microsoft Azure portal.

  2. Open the portal menu and select Microsoft Entra ID.

  3. On the left pane, select App registrations.

  4. Click New registration (at the top of the right pane). The Register an application blade opens.

  5. In the Name field, type the name you want to use for the application.

  6. In the Redirect URI section, make sure that Web is selected in the drop-down list and add the following URI.

    https://cloud.parallels.com/discovery

  7. Click Register (at the bottom left).

  8. The new Microsoft Entra ID app is created, and its blade is displayed in the portal. Make a note of the application (client) ID once the registration is completed.

  9. On the left pane, select Authentication.

  10. Scroll down and enable "ID tokens (used for implicit and hybrid flows)".

Step 2. Add custom roles to Azure subscription

  1. In the Azure portal menu, select Subscriptions.

  2. In the left pane, select Access control (IAM).

  3. Click Add and select Add custom role.

  4. Enter Daas Role Assignment as the name of the custom role and Allows to add and delete role assignments as the description.

  5. Select Clone a role and choose the Virtual Machine Contributor role.

  6. In the Permissions tab, clear all permissions and select only the following two permissions:

    • Microsoft.Authorization/roleAssignments/write

    • Microsoft.Authorization/roleAssignments/delete

  7. In the Assignable scopes tab, clear all scopes and select only your subscription as the assignable scope.

  8. On the Review + create tab, confirm that the configuration is correct and click Review + create.

  9. Go back to Access control (IAM).

  10. Click Add and select Add role assignment.

  11. In the Privileged administrator roles tab, select the Daas Role Assignment role.

  12. In the Members tab, select the Microsoft Entra ID application created in Step 1.

  13. In the Conditions tab, select Allow user to assign all roles (highly privileged).

  14. On the Review + assign tab, confirm that the configuration is correct and click Review + assign.

Step 3. Assign Required Permissions to the Microsoft Entra ID application

  1. Select your application and on the left pane, select API permissions.

  2. Click Add a permission.

  3. Click the Microsoft Graph card.

  4. Click the Application permissions card.

  5. Select the following permissions:

    • Domain.Read.All

    • GroupMember.Read.All

    • User.Read.All

  6. Click Add a permission.

  7. Click the Microsoft Graph card.

  8. Click the Delegated permissions card.

  9. Select the following permissions:

    1. openid

    2. email

    3. profile

  10. Click Add permissions.

  11. Click Grant admin consent for...

  12. Confirm you want to grant admin consent by clicking Yes.

Step 4. Configure a token

  1. Select your application and on the left pane, select Token configuration.

  2. Click Add optional claim.

  3. In the Token type section, select ID.

  4. Select email and upn.

  5. Click Add.

  6. Click Add groups claim.

  7. Select Security groups.

  8. Click Add.

Step 5. Create a client secret for the Microsoft Entra ID application

  1. If you are not on the application page anymore, navigate to it from the Home page by selecting Microsoft Entra ID > App registrations and then clicking the app in the right pane.

  2. In the left pane, click Certificates & secrets.

  3. In the right pane, click New client secret.

  4. Type a client name and select a desired expiration option.

  5. Click Add. The new client secret appears in the Client secrets list.

Warning: Copy and save the client secret (the Value column). If you leave this page without copying the secret, it will be hidden and you will not be able to retrieve it later.

Step 6. Assign Contributor Role to the Microsoft Entra ID application

  1. In the Azure portal menu, select Subscriptions.

  2. In the left pane, select Access control (IAM).

  3. Click Add and select Add role assignment.

  4. Choose Contributor as the role and search for your application by name.

  5. Select the application you created as a member.

  6. Save the assignment.

Step 7. Create Azure resource groups

  1. In the Azure portal menu, select Resource groups.

  2. Create a resource group for the Parallels DaaS Infrastructure (e.g. Parallels_DaaS_Infra) in the region of your choice.

  3. Create a resource group for the Parallels DaaS virtual machines (e.g. Parallels_DaaS_VMs) in the region of your choice.

  4. Make a note of the names of these resource groups.

Step 8. Set rights for the resource groups

  1. In the Azure portal menu, select Resource groups.

  2. Click a resource group where the infrastructure resources will reside.

  3. In the left pane, select Access control (IAM).

  4. In the right pane, locate the Grant access to this resource box and click Add role assignment.

  5. On the Role tab of the Add role assignment page, select Privileged administrator roles, then the Contributor role.

  6. Click Next.

  7. On the Members tab, select the User, group, or service principal option.

  8. Click on the Select members link and enter the name of the previously created application in the Select field. Select the application in the drop-down list and click Select.

  9. Click Next.

  10. On the Review + assign tab, confirm that the configuration is correct and click Review + assign.

  11. Perform the same steps for the virtual machines resource group.
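The result of Steps 2, 6 and 8 can be checked from PowerShell with the Az module. The following is an added example, not part of the Parallels script or documentation: the two IDs are placeholders, the resource group names are the examples from Step 7, and the Az.Accounts and Az.Resources modules are assumed to be installed.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example (not Parallels code). Both IDs are placeholders; the resource
# group names are the examples from Step 7.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder
$AppClientId    = '11111111-1111-1111-1111-111111111111'  # placeholder: Application (client) ID from Step 1
$InfraRg        = 'Parallels_DaaS_Infra'
$VmRg           = 'Parallels_DaaS_VMs'
$CustomRole     = 'Daas Role Assignment'                  # role name from Step 2

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$sub = "/subscriptions/$SubscriptionId"

# 1. Custom role: exactly the two roleAssignments actions, assignable only in this subscription.
$wantActions = 'Microsoft.Authorization/roleAssignments/delete;Microsoft.Authorization/roleAssignments/write'
$role = Get-AzRoleDefinition -Name $CustomRole
if (-not $role) { throw "Custom role '$CustomRole' not found in $sub" }
if ((($role.Actions | Sort-Object) -join ';') -ne $wantActions) {
    Write-Warning "Unexpected actions on '$CustomRole': $($role.Actions -join ', ')"
}
if (($role.AssignableScopes -join ';') -ne $sub) {
    Write-Warning "Unexpected assignable scopes: $($role.AssignableScopes -join ', ')"
}

# 2. Service principal: only the assignments from Steps 2, 6 and 8 should exist.
$want = @(
    "$CustomRole|$sub"
    "Contributor|$sub"
    "Contributor|$sub/resourceGroups/$InfraRg"
    "Contributor|$sub/resourceGroups/$VmRg"
)
$sp = Get-AzADServicePrincipal -ApplicationId $AppClientId
if (-not $sp) { throw "No service principal for application $AppClientId" }
$found = Get-AzRoleAssignment -ObjectId $sp.Id | ForEach-Object {
    [pscustomobject]@{
        Role     = $_.RoleDefinitionName
        Scope    = $_.Scope
        Expected = $want -contains "$($_.RoleDefinitionName)|$($_.Scope)"  # case-insensitive match
    }
}
$found | Sort-Object Scope, Role | Format-Table -AutoSize

# 3. Report anything missing from, or beyond, the documented set.
$have = @($found | ForEach-Object { "$($_.Role)|$($_.Scope)" })
$want  | Where-Object { $have -notcontains $_ } | ForEach-Object { Write-Warning "Missing assignment: $_" }
$found | Where-Object { -not $_.Expected }      | ForEach-Object { Write-Warning "Extra assignment: $($_.Role) at $($_.Scope)" }
```

Assignments inherited from a management group are reported as extra, which is the intended behaviour for a review of what this application can reach.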

Step 9. Save settings for future use

Save the following information for use in the Parallels DaaS Management Portal setup:

  • Azure Tenant ID

  • Azure Subscription ID

  • Application (client) ID

  • Infrastructure resource group name

  • Virtual machines resource group name

Make sure to securely store the client secret and other sensitive information.

Next, you need to connect your Microsoft Azure subscription.


© 2024 Parallels International GmbH. All rights reserved.