Note
FourVision Apps are deployed and managed via the Azure Portal for all initial deployments on the new infrastructure, starting from June 2024.
App Deployment
FourVision Apps are delivered as a Platform-as-a-Service (PaaS) product, leveraging an Azure Managed Application backend. The application is installed in the customer’s tenant, where data resides. Importantly, these apps are not Software-as-a-Service (SaaS) products hosted on FourVision’s side. The deployment process is highly automated, and maintenance windows can be configured for each app.
The FourVision Managed Application Connector, which you can find in the Microsoft Store, plays a crucial role in establishing delegated access control. When you use this connector, it links directly to the Managed Resource Group (MRG) associated with your Production or Sandbox environment. This connection ensures secure hosting within your own tenant.
Sizing and scaling
FourVision Web Apps run on the Microsoft Azure platform. Microsoft commits to an availability of 99.9% per month for the Service. Details on the deployed sizes and scales are in the Technical Architecture Overview above.
Azure Marketplace
To obtain the FourVision Apps, you need to prepare the tenant subscription to receive the app.
Important
Please make sure to enable the following resource providers on your subscription:
- microsoft.insights
- Microsoft.OperationalInsights
- Microsoft.Web
- Microsoft.Authorization
- Microsoft.Network
- Microsoft.KeyVault
- Microsoft.ManagedIdentity
- Microsoft.ManagedServices
- Microsoft.ServiceBus
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.ServiceLinker
Follow Microsoft's documentation on enabling these resource providers.
Check whether any active policies might block deployment of these assets. As part of the solution, a private network secures the traffic between the web host and the backend database, so make sure your subscription allows you to deploy the networking components and that Network Watcher is enabled for your subscription.
Installation
You need an account with sufficient privileges to perform the actions described in this section. You will be asked to grant tenant-wide admin consent, which requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
WebApp access API
Before you can use a FourVision Web App product, you need to import and activate the application APIs using the links under "Application Id" in the overview below, based on the products you will use.
Name | Application Id | Usage |
---|---|---|
FourVision Portal | 7f01cbe8-fa65-4d9e-9d8e-59c1950f9e16 | FourVision Management Portal User Access Control |
Document Management | 38aeba73-92c9-45f9-8b85-99649b6b4bf6 | FourVision Web App User Access Control |
Boarding | de771043-eb5f-4885-ad88-0995544efaf3 | FourVision Web App User Access Control |
Payroll Interface | d2bdbf94-6a5c-4660-84d7-7dede68f4749 | FourVision Web App User Access Control |
Performance Management | bbe0fce7-82d8-4da3-9107-37a6b8929d09 | FourVision Web App User Access Control |
Request | 1d164022-a013-4964-b490-914da2381763 | FourVision Web App User Access Control |
Timesheet Management | 393b6e67-0f1c-4190-92bc-02ed31966739 | FourVision Web App User Access Control |
Click on the option "Authorize the Application in your Microsoft Entra ID" in the License Detail dialog to get the Consent dialog.
When an application has been granted tenant-wide admin consent, all users will be able to sign into the app unless it has been configured to require user assignment. To restrict which users can sign into an application, require user assignment, and then assign users or groups to the application. For more information, see Methods for assigning users and groups.
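An audit for the consent behaviour described above, as an added example that is not part of the FourVision documentation: it lists the FourVision enterprise applications that still accept sign-in from every user in the tenant. The Application Ids come from the table on this page; the function name, the three-column input shape and the sample rows are constructed.

```bash
#!/usr/bin/env bash
# Added example. Application Ids are copied from the table on this page.
FOURVISION_APP_IDS="7f01cbe8-fa65-4d9e-9d8e-59c1950f9e16
38aeba73-92c9-45f9-8b85-99649b6b4bf6
de771043-eb5f-4885-ad88-0995544efaf3
d2bdbf94-6a5c-4660-84d7-7dede68f4749
bbe0fce7-82d8-4da3-9107-37a6b8929d09
1d164022-a013-4964-b490-914da2381763
393b6e67-0f1c-4190-92bc-02ed31966739"

# Reads "appId<TAB>displayName<TAB>appRoleAssignmentRequired" lines on stdin.
# Prints the FourVision service principals where user assignment is NOT
# required, i.e. any user in the tenant can sign in after admin consent.
# Any value other than "true" (in any letter case) is treated as not required.
open_to_all_users() {
  awk -F'\t' -v ids="$(echo $FOURVISION_APP_IDS)" '
    BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    (tolower($1) in want) && tolower($3) != "true" { print $1 "\t" $2 }'
}

# Live use (requires a logged-in Azure CLI with directory read access):
#   az ad sp list --all \
#     --query "[].[appId,displayName,appRoleAssignmentRequired]" -o tsv |
#     open_to_all_users
# To require assignment for one of the reported applications:
#   az ad sp update --id <appId> --set appRoleAssignmentRequired=true

# Constructed sample rows; display names in a real tenant may differ.
SAMPLE_SPS=$(printf '%s\t%s\t%s\n' \
  7f01cbe8-fa65-4d9e-9d8e-59c1950f9e16 'FourVision Portal' True \
  38aeba73-92c9-45f9-8b85-99649b6b4bf6 'Document Management' False \
  00000000-0000-0000-0000-000000000000 'Unrelated app (constructed)' False \
  1d164022-a013-4964-b490-914da2381763 'Request' False)

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SPS" | open_to_all_users
```

Once assignment is required, only the users and groups assigned to the enterprise application can sign in, so assign the intended users or groups before or right after changing the setting.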
Assign administrator to the WebApp
In Azure, under the Enterprise Applications node of Microsoft Entra ID, you can assign users and roles to the application you authorized in your Microsoft Entra ID.
Azure Installation
The following section is a step-by-step guide for deployment of the Fourvision Apps.
Navigate to the Fourvision portal and check your license eligibility.
Grant the imported API 'FourVision Portal' the 'Owner' role on this Subscription (during deployment):
Use one of the following links to start the Deployment of a "Production" or "Sandbox" environment:
The installation wizard contains 3 steps:
- Basics - This page provides all the basic Azure settings
- Environment - The environment specifics used during deployment
- Review - Overview and Co-Admin permissions
Important
Before initiating the deployment, ensure that you have been assigned the Owner role at the subscription level.
Basics step
Fill in the basic Azure details on the screen:
Subscription: The Azure subscription to be used.
Resource group: The placement of the FourVision Managed Application (connector). You can put all deployments, such as "Production" and "Sandbox", in the same resource group, because it is only the reference placeholder for the overview of deployed environments and does not contain the actual deployed assets.
Primary domain (Microsoft Entra ID): Specify the primary domain name of the Microsoft Entra ID used for authentication.
Application Name: Provide a reference name for your managed application, such as "UTE" for a Ute sandbox.
Managed Resource Group: Your application's managed resources are deployed in this resource group, which will be created. It holds all the resources that are required by the managed application and are part of the serviced Co-Admin permission.
Example:
Environment step
In this step you provide details about the production or sandbox type environment.
Environment name: Specify the environment name shown in the application and in the About dialog of the apps.
Select the version branch: You can set a Sandbox environment to use Preview versions. On Production environments you cannot provide this value.
FNO Connected Url: Specify the URL of your connected FNO environment. This can be updated in the apps after the initial deployment.
Example:
Review step
Make sure to check the "Co-Admin" agreement and proceed with the installation:
After this step the deployment will be initiated.
Tip
As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups within your directory. If insufficient rights are granted or if restriction policies are in place for ‘Microsoft.Resources/deployments/write’, deployments can fail. In such cases, consider elevating access for the Global Administrator.
Common deployment issues related to the tenant configuration:
- Cross-Tenant Access Settings: Verify that cross-tenant access settings are correctly configured. This involves setting up Azure AD B2B collaboration and ensuring that the vendor tenant is allowed to access resources in your tenant.
- Resource Group Permissions: Double-check the permissions at the resource group level. Sometimes, permissions might be set at a higher level (like the subscription) but not inherited correctly at the resource group level.
- Azure Policy and RBAC: Review any Azure policies or role-based access control (RBAC) settings that might be restricting access. Ensure that there are no policies blocking the vendor tenant from accessing the resource group.
- Audit Logs: Check the audit logs in Azure to see if there are any specific errors or warnings related to the access attempts. This can provide more detailed information on what might be going wrong.
Enable Interfaces
After installing a FourVision Web App, you can enable the interfaces to the connecting environment. By default, the FourVision Web Apps use their Application Identity to interface with the supplied environments.