
What are the prerequisites for Copilot deployment?

This article provides the necessary conditions and setup steps for deploying the CAEVES Copilot Connector in your Azure environment. Completing these steps ensures a successful deployment and proper functioning of the connector.

Understand the requirements

Before deploying the Copilot Connector, the following must be in place:

CAEVES SaaS Subscription

  • Must be activated in the customer’s Azure tenant.

CAEVES Instance

  • Includes the associated Storage Account containing:

    • Object Storage Container with the files to index.

    • Metadata (Process) Table, used by Copilot to provide extended search and indexing capabilities.

    • Config Table, used by the Copilot connector to store persistent configuration, e.g. filtering rules.

Storage Account Role Assignments

  • The CAEVES-associated Storage Account must have an explicit role assignment for the User-Assigned Managed Identity. See Step 2 below for the details.

User Permissions

  • Ability to create a User-Assigned Managed Identity within the Azure subscription.

  • Ability to set the required IAM Role Assignments for the managed identity at both the resource (Storage Account) and subscription level.

  • Ability to assign the “Graph Owner” role at subscription level and to grant Microsoft Graph API application permissions to the managed identity using PowerShell with the Microsoft.Graph module (see Step 4).

  • Ability to provision a new Azure Container Instance and assign the managed identity to it via the Azure Resource Manager.

Getting Started

Step 1: Create User Assigned Managed Identity

  1. In the Azure Portal use the search bar to look for “Managed Identities”.

  2. Click “Create” to create a new user-assigned managed identity.

  3. Provide the project details in the “Basics” section:

    1. Subscription: the subscription containing the CAEVES instance

    2. Resource Group: the resource group of the CAEVES instance

    3. Name: mi-caeves-connector-[xxxx]

    4. Region: the region of the CAEVES instance

    5. Isolation Scope: None

  4. Click “Review + create” to create the user-assigned managed identity. After creation, note the identity’s Object (principal) ID from its Overview page; Step 4 needs it.

Step 2: Set IAM Role Assignments

To ensure the CAEVES Copilot Connector can index the designated CAEVES Storage Account, with its Object Storage containers and Metadata (process) tables, follow the steps below to add the Storage Table Data Contributor role for the user-assigned managed identity on the Storage Account associated with the CAEVES instance. Assign the role on the Storage Account itself rather than at resource-group or subscription scope, so that the identity gets table access to that one account only. Note that this role covers table data only; it does not by itself grant data-plane access to blobs in the Object Storage container.

  1. Navigate to your Storage Account, e.g. weci02

  2. Click on “Access Control (IAM)”

  3. Click “Add Role Assignment”

    1. Search for “Storage Table Data Contributor”

    2. Click “Next” to assign members to the IAM Role

  4. Select “Managed Identity”

  5. Click “Select Members”

    1. Select the Subscription of choice

    2. Select “User-assigned managed identity”

    3. Search for the managed identity you created in Step 1 of this guide

    4. Click “Select” to select the managed identity

  6. Click “Review + assign”, and confirm to add the role assignment

Confirm the Role Assignment has been committed: on the Storage Account’s “Access Control (IAM)” page, open “Role assignments” and check that the managed identity is listed under Storage Table Data Contributor.
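The same two steps done from PowerShell with the Az modules, as an added example that is not part of the original CAEVES documentation. It creates the identity (reusing it if it already exists), assigns Storage Table Data Contributor scoped to the storage account only, retries while the new identity replicates in Entra ID, and finally lists what the identity holds on that account so the confirmation step is a check rather than a screenshot. The subscription ID, resource group, location and identity name are placeholders; weci02 is the example account name used in this guide.

```powershell
# Added example (not part of the CAEVES documentation): Steps 1 and 2 of this guide
# done with the Az PowerShell modules instead of the portal.
# Assumptions (placeholder values, replace with your own):
#   - you are already signed in with Connect-AzAccount
#   - Az.Accounts, Az.Resources, Az.ManagedServiceIdentity and Az.Storage are installed
#   - the resource group, location and storage account belong to the CAEVES instance
$subscriptionId     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$resourceGroup      = "rg-caeves"                               # hypothetical
$location           = "westeurope"                              # hypothetical
$storageAccountName = "weci02"                                  # example name from this guide
$identityName       = "mi-caeves-connector-0001"                # follows the naming pattern in Step 1
$roleName           = "Storage Table Data Contributor"

Set-AzContext -Subscription $subscriptionId | Out-Null

# Step 1: create the user-assigned managed identity, reusing it if it already exists
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName -ErrorAction SilentlyContinue
if (-not $mi) {
    $mi = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName -Location $location
}
# PrincipalId is the Object (principal) ID that Step 4 needs; ClientId is not the value to use there
Write-Host "Managed identity Object (principal) ID: $($mi.PrincipalId)"

# Step 2: scope the role assignment to the storage account resource itself
$sa    = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName
$scope = $sa.Id

# A freshly created identity can take a few seconds to replicate in Entra ID; until then
# New-AzRoleAssignment fails with a "principal not found" style error, so retry before giving up.
$assignment = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
$attempt = 0
while (-not $assignment -and $attempt -lt 6) {
    $attempt++
    try {
        $assignment = New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $roleName -Scope $scope
    } catch {
        Write-Warning "Attempt $attempt to assign '$roleName' failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) { throw "Role assignment of '$roleName' on $scope did not succeed." }

# Verification (the "confirm the role assignment has been committed" step): list every role the
# identity effectively holds on this storage account. Get-AzRoleAssignment -Scope also returns
# assignments inherited from the resource group and subscription, so anything beyond the one
# role this guide requires is worth a look.
$granted = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $scope
$granted | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$extra = $granted | Where-Object { $_.RoleDefinitionName -ne $roleName }
if ($extra) {
    Write-Warning "Roles on the storage account beyond '$roleName': $(($extra.RoleDefinitionName | Sort-Object -Unique) -join ', ')"
}
```

Run it from a session that is already signed in with Connect-AzAccount. The warning at the end reports roles the identity has on the account whatever scope they were granted at, which is the view that matters when judging whether the identity holds more than the connector needs.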

Step 3: Install Required Modules (Run from PowerShell)

Run the following commands from PowerShell (for example Azure Cloud Shell in PowerShell mode, or a local PowerShell with the Az modules installed) to install the modules needed to configure the managed identity in your Microsoft Azure subscription. These are Az and Microsoft.Graph PowerShell cmdlets, not az CLI commands.

First, set the context to the subscription in which you are running the CAEVES solution, specifically the one in which the Azure Container Instance that connects to Microsoft Graph will run.

Set-AzContext -Subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Install the Microsoft.Graph PowerShell module under the scope of the current user and connect to Microsoft Graph in preparation for granting the managed identity its Graph permissions. The scopes requested here are delegated permissions for the account running the commands, not permissions for the managed identity, and an administrator must consent to them.

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All, RoleManagement.ReadWrite.Directory

Step 4: Set Managed Identity Role permissions for Graph

Follow the steps and run the commands below to configure the required Graph API permissions for the managed identity in your Microsoft Azure subscription.

First, ensure that the managed identity is added as a “Graph Owner” on the subscription. Note that this Azure RBAC role assignment on its own does not grant the managed identity any Microsoft Graph API permission; those are granted separately, as application permissions on the Microsoft Graph service principal, in the second part of this step.

  1. Navigate to your Subscription, e.g. Azure Sponsorship Main 2

  2. Click on “Access Control (IAM)”

  3. Click “Add Role Assignment”

    1. Search for “Graph Owner”

    2. Click “Next” to assign members to the IAM Role

  4. Select “Managed Identity”

  5. Click “Select Members”

    1. Select the Subscription of choice

    2. Select “User-assigned managed identity”

    3. Search for the managed identity you created in Step 1 of this guide

    4. Click “Select” to select the managed identity

  6. Click “Review + assign”

  7. Confirm to add the role assignment

The next step is to grant the following Microsoft Graph API permissions to the managed identity. These are application permissions (app roles on the Microsoft Graph service principal). Because a managed identity has no app registration of its own, they cannot be granted through the portal’s “API permissions” page and are assigned with the script below instead.

Microsoft Graph API Permissions:

  • ExternalConnection.Read.All

  • ExternalConnection.ReadWrite.OwnedBy

  • ExternalItem.Read.All

  • ExternalItem.ReadWrite.OwnedBy

  • User.Read.All

  • Group.Read.All

Run the following commands from PowerShell (Microsoft.Graph module), replacing the placeholder in $managedIdentityId with the Object (principal) ID of the managed identity you created in Step 1.

You can find it on the managed identity’s Overview page in the Azure Portal (use the Object (principal) ID, not the Client ID).

# Connect to Microsoft Graph with appropriate permissions
# You need at least: AppRoleAssignment.ReadWrite.All and Directory.Read.All (delegated, consented by an administrator)
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Directory.Read.All"
# Select-MgProfile is not needed: the v1.0 endpoint covers everything below, and the cmdlet was removed in Microsoft.Graph SDK v2

# Define your managed identity: the Object (principal) ID of its service principal, from the identity's Overview page (not the Client ID)
$managedIdentityId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Microsoft Graph app ID (always this one)
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Get Microsoft Graph service principal (the target resource)
$msgraph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

if (-not $msgraph) {
    throw "❌ Could not find Microsoft Graph Service Principal. Make sure you're connected with the right permissions."
}

# Define the roles to assign (application permissions only; a managed identity cannot hold delegated scopes)
$roleNames = @(
    "ExternalConnection.Read.All",
    "ExternalConnection.ReadWrite.OwnedBy",
    "ExternalItem.Read.All",
    "ExternalItem.ReadWrite.OwnedBy",
    "User.Read.All",
    "Group.Read.All"
)

# Assignments the identity already holds on Microsoft Graph, so that re-running the script skips them instead of failing
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId -All |
    Where-Object { $_.ResourceId -eq $msgraph.Id }

foreach ($roleName in $roleNames) {
    Write-Host "Assigning role: $roleName ..." -ForegroundColor Cyan

    # Look the permission up by name among the app roles exposed by the Graph service principal
    $role = $msgraph.AppRoles | Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains "Application" }

    if (-not $role) {
        Write-Warning "⚠️ Role '$roleName' not found on Microsoft Graph."
        continue
    }

    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id }) {
        Write-Host "✅ '$roleName' is already assigned, skipping."
        continue
    }

    try {
        # Create the app role assignment: the managed identity is both the principal receiving
        # the role and the service principal on which the assignment is recorded
        New-MgServicePrincipalAppRoleAssignment `
            -ServicePrincipalId $managedIdentityId `
            -PrincipalId $managedIdentityId `
            -ResourceId $msgraph.Id `
            -AppRoleId $role.Id | Out-Null

        Write-Host "✅ Assigned '$roleName' successfully."
    }
    catch {
        Write-Warning "⚠️ Failed to assign '$roleName': $($_.Exception.Message)"
    }
}

Write-Host "All role assignments attempted."
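An added audit script, not part of the original CAEVES documentation, that reads back what the managed identity has actually been granted on Microsoft Graph and compares it with the six permissions listed above, so that both a failed assignment and an over-broad one show up. It assumes the Microsoft.Graph module is installed and that you are connected with at least Application.Read.All (read-only is enough here); the managed identity ID is a placeholder.

```powershell
# Added example (not from the CAEVES documentation): audit the Microsoft Graph application
# permissions held by the connector's managed identity against the set this guide requires.
# Assumes: Microsoft.Graph installed, Connect-MgGraph already run with Application.Read.All.
$managedIdentityId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder: Object (principal) ID
$graphAppId        = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, always this one

# The exact set the connector needs (from the list in Step 4)
$expected = @(
    "ExternalConnection.Read.All",
    "ExternalConnection.ReadWrite.OwnedBy",
    "ExternalItem.Read.All",
    "ExternalItem.ReadWrite.OwnedBy",
    "User.Read.All",
    "Group.Read.All"
)

$msgraph = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $msgraph) { throw "Microsoft Graph service principal not found; check that Connect-MgGraph succeeded." }

# App role assignments only carry the role's GUID, so build a GUID -> permission name map first
$roleById = @{}
foreach ($r in $msgraph.AppRoles) { $roleById[$r.Id] = $r.Value }

$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId -All
$granted  = @()
foreach ($a in $assigned) {
    if ($a.ResourceId -eq $msgraph.Id) {
        $granted += $roleById[$a.AppRoleId]
    } else {
        # Permissions on APIs other than Microsoft Graph are outside this guide; surface them rather than ignore them
        Write-Warning "Assignment on another resource API: $($a.ResourceDisplayName) (app role $($a.AppRoleId))"
    }
}

$missing = $expected | Where-Object { $_ -notin $granted }
$excess  = $granted  | Where-Object { $_ -notin $expected }

Write-Host "Microsoft Graph application permissions granted to $managedIdentityId:"
$granted | Sort-Object | ForEach-Object { Write-Host "  $_" }

if ($missing) { Write-Warning "Missing (the connector will not work fully): $($missing -join ', ')" }
if ($excess)  { Write-Warning "Granted beyond what the connector needs (remove to keep least privilege): $($excess -join ', ')" }
if (-not $missing -and -not $excess) { Write-Host "Permissions match the required set exactly." -ForegroundColor Green }
```

An excess assignment is removed with Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <identity object ID> -AppRoleAssignmentId <assignment Id>, where the Id comes from the objects returned by Get-MgServicePrincipalAppRoleAssignment; the script above deliberately only reports, so it can be run as a routine check without needing write permissions.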

Note: if the Microsoft.Graph PowerShell module is not installed in your session, install it as shown in Step 3 (Install-Module Microsoft.Graph -Scope CurrentUser) before running the commands above.

You are ready to deploy the CAEVES Copilot Connector.