Deploying from Azure Marketplace

VaultGuard360 deploys as an Azure Managed Application from the Azure Marketplace. The ARM template handles all infrastructure creation — you only need to fill in a short wizard.

Typical deployment time: 8–12 minutes.

What Gets Created

The ARM template creates the following resources in your chosen resource group:

Enterprise tier additionally creates Private Endpoints for the Function App and Storage Account, plus an Azure Monitor Private Link Scope (AMPLS).

Deployment Steps

1. Open the Marketplace listing

Navigate to the VaultGuard360 listing in the Azure Marketplace and click Get It Now, then Create.

2. Select your subscription and resource group

On the Basics tab:

1. Choose the Azure Subscription where VaultGuard360 will be deployed.
2. Create a new Resource group or select an existing one. A dedicated resource group is recommended (e.g., rg-vaultguard360).
3. Choose a Region close to your users or the majority of your Key Vaults.

3. Choose your tier

Select Trial, Professional, or Enterprise. See Prerequisites for a full tier comparison. You can start with Trial to evaluate the product before committing to a paid tier.

4. Configure notifications

Enter a Default notification email address. This is the fallback recipient for alerts if no team routing rules match. You can change it later under Dashboard > Settings.

5. Set the scan schedule

Choose whether to scan Daily or Weekdays only, and select the hour (UTC) for the daily scan. The default is 9:00 AM UTC daily.

6. Set initial warning threshold

Enter the number of days before expiry that should trigger a warning. The default is 30 days. Severe (14 days) and Critical (7 days) thresholds are derived automatically on first scan, and all thresholds can be adjusted afterward under Dashboard > Settings.

7. Review and create

Click Review + Create, then Create. Azure validates the template and begins deploying resources. The deployment typically completes in 8–12 minutes.

After Deployment

When the deployment shows Succeeded:

1. Go to the Outputs tab of the deployment. Copy the Dashboard URL — it looks like https://func-vaultguard360-<suffix>.azurewebsites.net.

2. Verify the deployment with a health check:

curl https://<your-func>.azurewebsites.net/api/health

A successful response looks like:

{
  "status": "healthy",
  "tier": "professional",
  "identity": "id-vaultguard360"
}

1. Open the dashboard URL in your browser. You will be prompted to sign in with your Microsoft organizational account.

2. Navigate to the Setup page to assign Key Vault Reader permissions. See Key Vault Permissions.

Email is Pre-Configured

ACS email is fully operational immediately after deployment — no manual email configuration is needed. VaultGuard360 will start sending alerts using an Azure-managed sender address (DoNotReply@<guid>.azurecomm.net) as soon as permissions are in place and the first scan runs.

To use a custom sender address like alerts@alerts.contoso.com, see Custom Email Domain.

Troubleshooting

Deployment fails at "Function App" step Check the ARM deployment error details in the Azure portal. Common causes: insufficient quota for the App Service Plan SKU in the selected region, or Microsoft.Communication resource provider not registered.

Dashboard shows a blank white page The Function App may still be warming up. Visit https://<your-func>.azurewebsites.net/api/health and wait for a 200 response (up to 40 seconds on cold start), then reload the dashboard.

"Access denied" on the dashboard By default, any user in your Azure AD tenant can access the dashboard. If your Azure AD administrator has enabled "Assignment required" on the VaultGuard360 enterprise application, ask them to add your account under Users and groups.