Before deploying VaultGuard360, confirm you meet the following requirements.
Azure Requirements
| Requirement | Details |
|---|---|
| Azure subscription | At least one active Azure subscription |
| Deployer role | Contributor (or Owner) on the target resource group. The ARM template creates a managed identity, storage account, Function App, and Azure Communication Services resource — Contributor is the minimum role that allows all of these. |
| Key Vault RBAC mode | Each Key Vault you want to monitor must use RBAC authorization (not vault access policies). See Key Vault Permissions for how to enable this. |
| Azure region | Any region that supports Azure Functions (Consumption or App Service Plan), Azure Communication Services, and Azure Table Storage. |
| Resource providers | Microsoft.Web, Microsoft.Storage, Microsoft.Communication, Microsoft.Insights, and Microsoft.ManagedIdentity must be registered in the subscription. |
Who Can Deploy
The person deploying VaultGuard360 needs:
- Contributor role (or Owner) on the resource group where the managed application will be created
- Access to the Azure Marketplace in their Azure portal
You do not need Global Administrator or any special Azure AD role to deploy. Azure AD Single Sign-On for the dashboard is configured automatically using a publisher-managed multi-tenant app registration — no customer-side app registration is required.
Note: The publisher (Sentinel Vault Systems) has zero access to your deployment. The managed application runs entirely in your own Azure subscription. The publisher-managed AAD app registration is used only for SSO authentication — it does not grant the publisher any data access.
Post-Deployment: Granting Key Vault Access
After deployment, someone with Owner or User Access Administrator rights on each target subscription needs to assign two RBAC roles to the id-vaultguard360 managed identity:
- Reader — to list subscriptions, resource groups, and Key Vault resources
- Key Vault Reader — to list secrets, keys, and certificates and read their expiry metadata
These are the only two roles needed. Do not assign Key Vault Secrets User, Certificate User, or Crypto User — VaultGuard360 reads metadata only and never reads secret values.
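The following check is an added example, not part of VaultGuard360 or its documentation: it audits the role assignments held by the id-vaultguard360 identity against the two-role baseline above and flags the data-plane roles the page says to avoid. It assumes the input is the JSON from `az role assignment list --assignee <principal-id> --all -o json`, run once per target subscription and concatenated; the subscription IDs, vault name, and function names are constructed for illustration.

```python
import json

# Baseline from the page: exactly these two roles on each target subscription.
REQUIRED = {"Reader", "Key Vault Reader"}
# Data-plane roles the page says not to assign (full Azure built-in role names).
FORBIDDEN = {"Key Vault Secrets User", "Key Vault Certificate User",
             "Key Vault Crypto User"}

SUB_A = "00000000-0000-0000-0000-00000000000a"  # constructed subscription IDs
SUB_B = "00000000-0000-0000-0000-00000000000b"
# Constructed sample in the shape `az role assignment list -o json` returns.
SAMPLE = json.loads(f"""[
 {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_A}"}},
 {{"roleDefinitionName": "Key Vault Reader", "scope": "/subscriptions/{SUB_A}"}},
 {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_B}"}},
 {{"roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/{SUB_B}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"}}
]""")

def scope_subscription(scope):
    """Return (subscription_id, is_subscription_scope) for an ARM scope string."""
    parts = scope.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        return None, False  # e.g. a management-group scope
    return parts[1].lower(), len(parts) == 2

def audit(assignments, target_subscriptions):
    """Compare role assignments with the two-role baseline, per subscription."""
    report = {s.lower(): {"missing": set(REQUIRED), "forbidden": [], "extra": []}
              for s in target_subscriptions}
    for a in assignments:
        sub, at_sub_scope = scope_subscription(a["scope"])
        if sub not in report:
            continue
        role, entry = a["roleDefinitionName"], report[sub]
        if role in REQUIRED and at_sub_scope:
            entry["missing"].discard(role)      # baseline role is in place
        elif role in FORBIDDEN:
            entry["forbidden"].append((role, a["scope"]))  # can read values
        elif role not in REQUIRED:
            entry["extra"].append((role, a["scope"]))      # beyond baseline
    return report

if __name__ == "__main__":
    for sub, entry in audit(SAMPLE, [SUB_A, SUB_B]).items():
        print(sub, "missing:", sorted(entry["missing"]),
              "forbidden:", entry["forbidden"], "extra:", entry["extra"])
```

A baseline role granted only at resource-group or vault scope is still reported as missing, because the page calls for assignment on each target subscription.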
Supported Browsers
VaultGuard360's dashboard is a React SPA that works in any modern browser:
| Browser | Minimum Version |
|---|---|
| Microsoft Edge | 90+ |
| Google Chrome | 90+ |
| Mozilla Firefox | 90+ |
| Apple Safari | 14+ |
Internet Explorer is not supported.
Tier Comparison
Choose your tier in the Azure Marketplace wizard. All tiers include the full dashboard, ACS email, custom thresholds, team routing, webhooks, and 365-day audit log retention.
| Feature | Trial | Professional | Enterprise |
|---|---|---|---|
| Price | Free (14 days) | $499/month | $1,499/month |
| Azure subscriptions monitored | Up to 15 | Up to 30 | Unlimited |
| Monitored items (secrets/certs/keys) | 200 | 2,000 | Unlimited |
| ACS email (auto-configured) | Yes | Yes | Yes |
| Custom email sender domain | Yes | Yes | Yes |
| SMTP relay fallback | Yes | Yes | Yes |
| Custom alert thresholds | Yes | Yes | Yes |
| Configurable reminder frequency | Yes | Yes | Yes |
| Teams, Slack, PagerDuty, ServiceNow webhooks | Yes | Yes | Yes |
| Generic outbound webhooks (HMAC) | Yes | Yes | Yes |
| Team routing | Yes | Yes | Yes |
| Log Explorer (KQL + CSV export) | Yes | Yes | Yes |
| EasyAuth SSO | Yes | Yes | Yes |
| Audit logging | Yes | Yes | Yes |
| Private Endpoints / VNet integration | — | — | Yes |
| AMPLS (Log Analytics private-only) | — | — | Yes |
| 99.5% uptime SLA | — | Yes | Yes |
| Priority support (4-hour response) | — | — | Yes |
Trial Behavior
The trial provides full Professional-tier functionality for 14 days. After day 14, the deployment hard-locks: scans stop and all API endpoints return HTTP 402. No data is lost — deploy a paid plan and reconfigure your settings (approximately 5–10 minutes) to resume.
Note: Upgrading from Trial to a paid tier requires a fresh Marketplace deployment. Before you initiate an upgrade, export your routing rules and note your threshold settings — you will need to re-enter them in the new deployment.
Item Limit Behavior
When your tenant contains more items than your tier allows, VaultGuard360 sorts items by days remaining (ascending) before truncating to the tier limit. The most urgent expiring items are always included within the limit.