Azure Service Account — Setup Guide

Overview Use this guide to create and configure an Azure service account in MinuteView Console. This service account enables server-to-server integration with Microsoft Azure services including:

• Azure Active Directory for user authentication and authorization
• Azure Storage for file storage and blob operations
• Microsoft Graph for SharePoint, OneDrive, and Office 365 integration
• Azure Key Vault for secure credential management
• Azure Cognitive Services for AI and machine learning capabilities
• Azure SQL Database and other data services

Unlike OAuth accounts which require user consent, service accounts use application-only authentication with certificates or client secrets for automated, unattended operations.

---

1) Create Azure App Registration

Register Application in Azure Portal

1. Sign in to Azure Portal → Microsoft Entra ID → App registrations
2. Click New registration
3. Configure application:
   • Name: MinuteView Service Account
   • Supported account types: Single tenant (recommended for service accounts)
   • Redirect URI: Leave blank (not needed for service accounts)
4. Click Register

Collect Application Information

From the app's Overview page, note:

• Application (client) ID: 12345678-1234-1234-1234-123456789012
• Directory (tenant) ID: 87654321-4321-4321-4321-210987654321
• Object ID: Used for role assignments

---

2) Configure Authentication Method

Choose between certificate-based or secret-based authentication:

Option A: Certificate Authentication (Recommended)

Create Self-Signed Certificate

# Generate certificate
$cert = New-SelfSignedCertificate -Subject "CN=MinuteView-ServiceAccount" `
    -KeyDescription "MinuteView Service Account Certificate" `
    -KeyUsage DigitalSignature `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\CurrentUser\My"

# Export certificate
Export-Certificate -Cert $cert -FilePath "minuteview-cert.cer"
Export-PfxCertificate -Cert $cert -FilePath "minuteview-cert.pfx" -Password (ConvertTo-SecureString "your-password" -AsPlainText -Force)

Upload Certificate to Azure

1. Navigate to Certificates & secrets → Certificates
2. Click Upload certificate
3. Select the .cer file and provide description
4. Click Add

Option B: Client Secret Authentication

1. Navigate to Certificates & secrets → Client secrets
2. Click New client secret
3. Description: MinuteView Service Secret
4. Expires: Choose appropriate duration (24 months recommended)
5. Copy and securely store the secret value

---

3) Configure API Permissions

Microsoft Graph Permissions (Application)

Navigate to API permissions → Add a permission → Microsoft Graph → Application permissions

File and Content Access

• Files.ReadWrite.All - Read/write all files
• Sites.ReadWrite.All - SharePoint site access
• Directory.Read.All - Read directory data

User and Group Management

• User.Read.All - Read all user profiles
• Group.Read.All - Read all groups
• GroupMember.Read.All - Read group memberships

Mail and Calendar (if needed)

• Mail.ReadWrite - Access all mailboxes
• Calendars.ReadWrite - Access all calendars

Azure Management Permissions

For Azure resource management:

• Azure Service Management → Application permissions → user_impersonation

Grant Admin Consent

1. Click Grant admin consent for [Organization]
2. Confirm the consent for all configured permissions

---

4) Assign Azure RBAC Roles

Resource-Level Permissions

Assign appropriate roles based on needs:

Storage Account Access

# Assign Storage Blob Data Contributor role
New-AzRoleAssignment -ObjectId "app-object-id" `
    -RoleDefinitionName "Storage Blob Data Contributor" `
    -Scope "/subscriptions/subscription-id/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/storage-name"

Key Vault Access

# Assign Key Vault Secrets Officer role
New-AzRoleAssignment -ObjectId "app-object-id" `
    -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope "/subscriptions/subscription-id/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/vault-name"

Subscription-Level Access (if needed)

# Assign Reader role at subscription level
New-AzRoleAssignment -ObjectId "app-object-id" `
    -RoleDefinitionName "Reader" `
    -Scope "/subscriptions/subscription-id"

---

5) Create Service Account in MinuteView Console

1. Navigate to Console → Service Accounts
2. Click New to create a new service account
3. Configure the following settings:

Basic Configuration

• Name: Azure-ServiceAccount-Prod
• Service Account Type: Select Azure from the dropdown

Authentication Configuration

For Certificate Authentication

• Authentication Type: Certificate
• Client ID: Enter your Application (client) ID
• Tenant ID: Enter your Directory (tenant) ID
• Certificate: Upload the .pfx file
• Certificate Password: Enter the certificate password

For Client Secret Authentication

• Authentication Type: Client Secret
• Client ID: Enter your Application (client) ID
• Tenant ID: Enter your Directory (tenant) ID
• Client Secret: Enter the secret value

Service Configuration

• Azure Environment: Public Cloud (or Government, China as needed)
• Resource URL: Default (https://management.azure.com/) or specific service
• Scope: Default (https://graph.microsoft.com/.default) or custom scopes

4. Click Test Connection to verify authentication
5. Click Save to create the service account

---

6) Integration Examples

Azure Storage Integration

{
  "storageAccount": "minuteviewstorage",
  "containerName": "documents",
  "connectionString": "DefaultEndpointsProtocol=https;AccountName=...",
  "useManagedIdentity": false,
  "serviceAccountId": "azure-serviceaccount-prod"
}

Microsoft Graph Integration

Access SharePoint sites and OneDrive:

GET https://graph.microsoft.com/v1.0/sites
Authorization: Bearer {access_token}

Azure Key Vault Integration

Retrieve secrets securely:

GET https://vault-name.vault.azure.net/secrets/secret-name?api-version=7.0
Authorization: Bearer {access_token}

---

7) Monitoring and Management

Azure Portal Monitoring

• Enterprise applications → MinuteView Service Account
• View sign-in logs and audit logs
• Monitor API usage and performance
• Review assigned permissions and roles

Token Management

• Access tokens expire after 60-90 minutes
• MinuteView automatically handles token refresh
• Monitor for authentication failures in logs

Cost Monitoring

• Track API calls to Azure services
• Monitor storage and compute usage
• Set up billing alerts for cost control

---

8) Security Best Practices

Certificate Management

• Use certificates instead of secrets when possible
• Store certificates securely with appropriate permissions
• Set up certificate expiration alerts
• Implement certificate rotation procedures

Access Control

• Follow principle of least privilege
• Regularly review and audit permissions
• Use resource-specific roles instead of broad permissions
• Implement conditional access policies where applicable

Secret Management

• Store client secrets in Azure Key Vault or secure credential store
• Never expose secrets in code or configuration files
• Set up secret expiration alerts
• Rotate secrets regularly (every 6-12 months)

---

9) Troubleshooting

Authentication Issues

AADSTS700016: Application not found

• Verify Client ID is correct
• Ensure app registration exists in the correct tenant
• Check if app was accidentally deleted

AADSTS7000215: Invalid client secret

• Verify client secret hasn't expired
• Check for typos or encoding issues
• Generate new secret if needed

Certificate validation failed

• Ensure certificate is valid and not expired
• Verify certificate password is correct
• Check certificate format (.pfx for private key)

Permission Issues

Insufficient privileges

• Verify API permissions are granted
• Ensure admin consent was provided
• Check RBAC role assignments for Azure resources

Access denied to resource

• Review resource-level permissions
• Verify service account has required roles
• Check resource firewall and network restrictions

---

10) Maintenance Tasks

Regular Maintenance

• Monitor certificate and secret expiration dates
• Review and audit assigned permissions quarterly
• Update API permissions as features evolve
• Monitor sign-in logs for security anomalies

Certificate Renewal

1. Generate new certificate before current expires
2. Upload new certificate to Azure app registration
3. Update service account configuration in MinuteView
4. Test connectivity with new certificate
5. Remove old certificate after verification

Permission Auditing

• Regularly review granted API permissions
• Remove unused or excessive permissions
• Document permission requirements for compliance
• Implement approval process for permission changes

---

Appendix — Configuration Examples

Production Configuration (Certificate)

Name: Azure-Production-ServiceAccount
Type: Azure
Authentication: Certificate
Client ID: 12345678-1234-1234-1234-123456789012
Tenant ID: 87654321-4321-4321-4321-210987654321
Certificate: minuteview-prod.pfx
Azure Environment: Public Cloud

Development Configuration (Secret)

Name: Azure-Development-ServiceAccount  
Type: Azure
Authentication: Client Secret
Client ID: 87654321-4321-4321-4321-210987654321
Tenant ID: 12345678-1234-1234-1234-123456789012
Client Secret: [secret-value]
Azure Environment: Public Cloud

Specialized Graph Configuration

Name: Azure-Graph-OnlyAccount
Type: Azure
Authentication: Certificate
Scope: https://graph.microsoft.com/.default
Resource URL: https://graph.microsoft.com/
Purpose: Microsoft Graph API access only

This configuration enables comprehensive Azure integration for MinuteView, supporting everything from file storage and user management to advanced AI services and secure credential management.