Getting Started

Quick Start

Deploy VaultGuard360 from Azure Marketplace and start monitoring Key Vault expiry in under 15 minutes.

Get VaultGuard360 monitoring your Azure Key Vaults in five steps. Each step links to a detailed guide if you need it.

Before You Begin

You need an Azure subscription with Contributor role (or Owner) on the resource group where VaultGuard360 will be deployed. See Prerequisites for the full requirements list.

Step 1: Deploy from Azure Marketplace

Open the Azure Marketplace listing and click Get It Now. The ARM template wizard creates the Function App, Storage Account, Azure Communication Services, and Application Insights automatically in roughly 10 minutes.

When the deployment finishes, copy the dashboard URL from the Outputs tab.

See Deploying from Marketplace for a full walkthrough.

Step 2: Assign Key Vault Permissions

VaultGuard360 uses a user-assigned managed identity (id-vaultguard360) to scan your Key Vaults. You need to grant it the Key Vault Reader RBAC role — at subscription scope on every subscription you want to monitor.

The easiest way is through the Setup page in the dashboard, which shows exactly which permissions are missing and links you to the Azure portal assignment flow.

Note: Key Vault Reader is required in addition to Reader. Reader alone does not grant access to vault items.

See Key Vault Permissions for CLI commands and scope options.

Step 3: Configure Alert Thresholds

VaultGuard360 ships with sensible defaults — 30 days warning, 14 days severe, 7 days critical — that work for most teams. If your organization has different lead times for certificate renewals, adjust them now under Dashboard > Settings.

See Alert Thresholds for threshold options and reminder frequency settings.

Step 4: Set Up Notifications

Email via Azure Communication Services (ACS) is configured automatically during deployment. Open Dashboard > Email Configuration, enter a default recipient address, and click Send Test Email to confirm delivery.

For Teams, Slack, PagerDuty, ServiceNow, or custom webhooks, see Notification Integrations.

To route alerts for different subscriptions to different teams or email addresses, see Team Routing.

Step 5: Monitor

Return to the Dashboard. If permissions are assigned and at least one Key Vault exists in your subscriptions, VaultGuard360 runs its first scheduled scan at the time you selected in the marketplace wizard (default: 9:00 AM UTC daily).

To run an immediate scan, click Run Scan Now on the dashboard.

Items expiring within your threshold windows appear in the Expiring Items table, color-coded by severity.

Troubleshooting

  • Dashboard shows a loading spinner after deployment — The Function App takes 20–40 seconds to warm up after a restart. Visit https://<your-func>.azurewebsites.net/api/health and wait for a 200 response, then reload the dashboard.
  • No vaults showing after the first scan — The managed identity likely has no Reader role on any subscription. Check https://<your-func>.azurewebsites.net/api/permission-status for a per-subscription RBAC breakdown.
  • Trial expired message — After 14 days the trial hard-locks. Redeploy from Marketplace using a paid plan to resume (no data loss on the new deployment after reconfiguring settings).