Upgrading VaultGuard360 from Trial to Professional, or from Professional to Enterprise, deploys a new Azure Managed Application in a new resource group. Configuration is not migrated automatically. Use the built-in export/import tool to transfer your settings to the new deployment.
Plan Comparison
| Feature | Trial | Professional | Enterprise |
|---|---|---|---|
| Price | Free (14 days) | $499/month | $1,499/month |
| Subscriptions | 15 | 30 | Unlimited |
| Items tracked | 200 | 2,000 | Unlimited |
| Email notifications | Yes | Yes | Yes |
| Webhook integrations | Yes | Yes | Yes |
| Team routing | Yes | Yes | Yes |
| Custom email domain | Yes | Yes | Yes |
| Private Endpoints | No | No | Yes |
| VNet integration | No | No | Yes |
| AMPLS (Azure Monitor) | No | No | Yes |
| SLA | None | 99.5% | 99.5% |
Note: Trial includes the full Professional feature set. There are no restricted features during the trial — you are evaluating the same product you would purchase.
Why Upgrade Requires a New Deployment
VaultGuard360 is deployed as an Azure Managed Application. Each tier is a separate Marketplace offer plan with its own ARM template and managed resource group configuration. The Azure Marketplace model does not support in-place plan upgrades — a new deployment is required.
This also means that scan history and audit logs stored in the Trial deployment's Table Storage are not migrated to the new deployment. Only configuration (thresholds, routing rules, email settings) can be transferred using the export/import tool.
Step 1: Export Configuration from Your Current Deployment
Before upgrading, export your current configuration. This step works even after a trial has expired.
From the Dashboard (if still active):
- Open the VaultGuard360 dashboard
- Navigate to Settings → Export Configuration
- Save the downloaded JSON file
From the API (works after trial expiry):
curl -s https://<your-current-function-app>.azurewebsites.net/api/export \
-H "Authorization: Bearer <your-token>" \
-o vaultguard360-config.json
The export includes routing rules, thresholds, reminder mode, and email provider settings. Webhook URLs, secrets, and SMTP credentials are excluded and must be re-entered after importing.
Step 2: Subscribe via Azure Marketplace
- Go to the Azure Marketplace listing for VaultGuard360
- Select Professional ($499/month) or Enterprise ($1,499/month)
- Complete the subscription purchase
- You will receive a confirmation email with deployment instructions
Step 3: Deploy the Managed Application
- In the Azure portal, navigate to Marketplace → My purchases
- Click Deploy on your VaultGuard360 subscription
- Complete the deployment wizard:
- Select or create a resource group
- Choose your Azure region
- Configure identity settings (user-assigned managed identity)
- For Enterprise: configure VNet, subnet, and private endpoint settings
- Wait for deployment to complete (approximately 5–10 minutes)
Step 4: Assign RBAC Roles on the New Deployment
The new deployment's managed identity needs the Key Vault Reader role on each subscription you want to monitor. This is the same setup as the original Trial deployment.
# Get the principal ID of the new managed identity
PRINCIPAL_ID=$(az identity show \
--name id-vaultguard360 \
--resource-group <new-managed-rg> \
--query principalId -o tsv)
# Assign Key Vault Reader at subscription scope
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "Key Vault Reader" \
--scope /subscriptions/<subscription-id>
Note: Role assignment propagation can take 5–10 minutes. Scans that run before propagation completes will show missing vaults.
Step 5: Import Configuration
From the Dashboard:
- Open the new VaultGuard360 dashboard
- Navigate to Settings → Import Configuration
- Upload the JSON file from Step 1
From the API:
curl -s https://<your-new-function-app>.azurewebsites.net/api/import \
-X POST \
-H "Authorization: Bearer <your-token>" \
-H "Content-Type: application/json" \
-d @vaultguard360-config.json
Step 6: Reconfigure Secrets and Credentials
The following items are excluded from the export for security and must be re-entered manually:
| Item | Where to configure |
|---|---|
| Webhook URLs and secrets | Notifications → Webhooks |
| Teams webhook URL | Notifications → Teams Webhook |
| Per-route webhook URLs | Team Routing (edit each route) |
| SMTP password / app password | Email Configuration |
| Custom email sender domain | Custom Domain (re-verify DNS) |
Step 7: Verify and Test
- Check
/api/healthor the dashboard for deployment status - Click Run Scan Now to trigger a manual scan
- Verify subscriptions and Key Vaults appear in scan results
- Navigate to Email Setup → Test Connection and confirm test email delivery
- Test each webhook channel using the Test button in Notifications
Known Limitations
- Scan history is not migrated. The new deployment starts with an empty scan history. Historical trend data from the Trial deployment is not available in the new deployment.
- Audit logs are not migrated. Audit logs are tied to the Table Storage account in the original deployment's managed resource group. Keep the Trial deployment running (or export logs via the Azure portal) if you need to retain historical audit evidence.
- Custom email domain requires re-verification. The new deployment has a new ACS resource, so DNS TXT records for domain verification will be different. Update your DNS records after re-configuring the custom domain.
Need Help?
Contact support@sentinelvaultsystems.com with your subscription ID and a description of your issue.