StratoLens Installation Guide

Deploy StratoLens to your Azure environment from the Azure Marketplace. This guide covers prerequisites, permissions, and the four-step installation from Marketplace provisioning through first sign-in.

Quick Start

  1. Sign in to the Azure Portal with an account that has Owner on the target subscription and Global Administrator in Entra ID
  2. Open the StratoLens listing in the Azure Portal and click Create (or preview the listing first)
  3. Complete the Marketplace wizard (subscription, resource group, company name, region) and submit the deployment
  4. Wait for the Marketplace deployment to finish (typically 10–15 minutes)
  5. Open the deployed Container App URL. You'll land on a StratoLens placeholder page with the command to deploy the application layer
  6. Run that command in Azure Cloud Shell (PowerShell mode)
  7. Grant admin consent when prompted, then sign in to StratoLens and run your first scan

Heads up: you'll pick two resource groups

StratoLens is an Azure Managed Application, and the Marketplace wizard asks for two distinct resource groups. They are not the same thing:

  • Resource group (Basics tab) — holds the StratoLens managed application resource itself.
  • Managed Resource Group (Basics tab, further down) — a separate, automatically-created group where the actual infrastructure (Container App, Cosmos DB, Key Vault, etc.) is provisioned. Defaults to a timestamped name like mrg-stratolens-20260421151643.

After deployment, look in the Managed Resource Group to find the running StratoLens infrastructure.

Need help with the install?

Email us at contact@strato-lens.com with any questions or if you'd like a hand walking through the installation. We're happy to help.

Permission Requirements

StratoLens installation requires elevated Microsoft Entra ID permissions to configure authentication and enable tenant-wide scanning capabilities. These elevated permissions are only required during the initial installation process and are not needed for ongoing operation.

Recommended: Global Administrator + Subscription Owner

Global Administrator in Entra ID plus Owner on the target subscription is strongly recommended for the simplest installation experience. This combination can complete all steps without interruption.

Required Access Summary

At minimum, you need:

Requirement                      Access Level
Target Subscription              Owner
Microsoft Entra ID               Global Administrator (recommended)
Tenant Root Management Group     Ability to assign RBAC roles (Global Administrators can obtain this via Elevate Access; they do not have it by default)

Why These Permissions Are Needed

Permission                            Purpose
Subscription Owner                    Deploy Azure resources via the Marketplace offer and grant role assignments to the managed identity (Owner is required; Contributor cannot create role assignments)
App Registration + Consent            StratoLens uses Entra ID authentication; the app registration requires admin consent for Microsoft Graph permissions (User.Read.All, Group.Read.All) used for RBAC
Managed Identity Graph Permissions    The managed identity needs to read Entra ID applications, users, and groups to provide RBAC visibility in scans
Advanced: Least Privilege Role Breakdown

For organizations requiring least-privilege access, here's the minimum role combination:

Phase                  Required Role                     Purpose
Infrastructure         Owner (subscription)              Deploy Azure resources and assign roles to the managed identity
App Registration       Application Developer             Create the app registration and configure SPA redirect URIs
Admin Consent          Privileged Role Administrator     Grant admin consent for Graph permissions via the Portal
Managed Identity       Privileged Role Administrator     Assign Graph API permissions to the managed identity
Management Group       Global Administrator              Elevate access and assign Reader at the tenant root management group
Admin User Setup       Contributor (resource group)      Create the initial admin user in Cosmos DB
Container Deployment   Contributor (resource group)      Deploy container images

Important Limitations

  • Cloud Application Administrator cannot grant admin consent for Microsoft Graph application permissions (Microsoft limitation)
  • Application Developer can create app registrations but cannot grant admin consent
  • Global Administrator is the only role that can elevate access to assign roles at the tenant root management group

Alternative: Manual Scope Assignment

If you cannot or do not wish to assign Reader at the tenant root management group, you can manually grant the managed identity (id-{company}-stratolens-scanner) Reader access to specific subscriptions or management groups you want StratoLens to discover.

Elevate Access to the Tenant Root

Global Administrators do not have access to manage Azure subscriptions and management groups by default. The setup script needs to assign the Reader role to the StratoLens scanner managed identity at the Tenant Root Management Group, which requires that access. If you're a Global Administrator, you can grant it to yourself by toggling on Access management for Azure resources under Microsoft Entra ID → Properties.

When you need this

Skip this section if your account already has role-assignment rights at the tenant root or on the management groups and subscriptions you want StratoLens to scan. The Show test script button on the StratoLens Setup page (covered in Step 2) confirms whether you can assign Reader at the tenant root before you run the full setup.

Toggle on Access management for Azure resources

  1. Sign in to the Azure Portal with a Global Administrator account.
  2. Navigate to Microsoft Entra ID.
  3. In the left navigation, scroll down and click Properties.
  4. Find the Access management for Azure resources section.
  5. Toggle the switch to Yes, then click Save.
Figure. Microsoft Entra ID → Properties. Toggle Access management for Azure resources to Yes to grant your account User Access Administrator at the tenant root.

Once enabled, your account is granted the User Access Administrator role at the tenant root scope, which allows you to assign roles on the Tenant Root Management Group and every subscription and management group beneath it. The setup script will use this access to assign Reader to the scanner managed identity.

Turn it back off when you're done

Elevated access is intended to be temporary. After the StratoLens setup script finishes successfully, return to the same toggle and switch it back to No. Your existing roles aren't affected; only the elevated User Access Administrator assignment at the tenant root is removed. Role assignments created while you were elevated, including the scanner identity's Reader role, stay in place.
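The same elevate, assign, de-elevate cycle can be scripted so the tenant-root elevation exists only for the seconds the role assignment needs. The block below is an added example, not the StratoLens setup script or any StratoLens code, and also covers the "manual scope assignment" alternative above: point $Scope at a subscription or a child management group instead of the tenant root. It assumes Azure Cloud Shell in PowerShell mode with the Az module, a signed-in Global Administrator, and the default identity name id-{company}-stratolens-scanner; $CompanyName and $ManagedRg are placeholders you must replace.

```powershell
# Added example, not part of the StratoLens setup script. Run in Azure Cloud Shell
# (PowerShell) as a Global Administrator who is also Owner on the subscription.
# Placeholders: $CompanyName, $ManagedRg. The identity name follows the default
# id-{company}-stratolens-scanner pattern from the Marketplace offer.
$ErrorActionPreference = 'Stop'

$CompanyName = 'contoso'                        # placeholder: Company Name from the wizard
$ManagedRg   = 'mrg-stratolens-20260421151643'  # placeholder: your Managed Resource Group
$TenantId    = (Get-AzContext).Tenant.Id

# Default scope is the Tenant Root Management Group (its name is the tenant ID).
# For the "manual scope assignment" alternative, point $Scope at a subscription or
# a child management group instead, e.g. "/subscriptions/<subscription-id>".
$Scope = "/providers/Microsoft.Management/managementGroups/$TenantId"

# 1. Resolve the scanner identity and the signed-in user.
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $ManagedRg -Name "id-$CompanyName-stratolens-scanner"
$me = Get-AzADUser -SignedIn

# 2. Can the signed-in user already create role assignments at $Scope?
#    A 403 here simply means "not yet elevated", so treat errors as "no".
$canAssign = $false
try {
    $canAssign = [bool](Get-AzRoleAssignment -ObjectId $me.Id -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' })
} catch { $canAssign = $false }

# 3. If not, elevate. This is the same operation as Entra ID -> Properties ->
#    "Access management for Azure resources" = Yes: it grants the caller
#    User Access Administrator at root scope "/".
$elevated = $false
if (-not $canAssign) {
    $resp = Invoke-AzRestMethod -Method POST -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
    if ($resp.StatusCode -ne 200) { throw "Elevate access failed: HTTP $($resp.StatusCode) $($resp.Content)" }
    $elevated = $true
}

try {
    # 4. Assign Reader to the scanner identity (skip if it already exists at this scope).
    $existing = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName Reader -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName Reader -Scope $Scope | Out-Null
    }
}
finally {
    # 5. Remove the temporary elevation even if the assignment failed. This is the
    #    same as switching the toggle back to No; assignments made while elevated
    #    (the scanner's Reader role) remain in place.
    if ($elevated) {
        Remove-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName 'User Access Administrator' -Scope '/'
    }
}

# 6. Show what the scanner identity ended up with.
Get-AzRoleAssignment -ObjectId $mi.PrincipalId | Select-Object RoleDefinitionName, Scope
```

The try/finally is the important part: the elevation is removed on every exit path, so a failed New-AzRoleAssignment does not leave a standing User Access Administrator grant at the tenant root. Get-AzADUser -SignedIn needs a current Az.Resources module, which Cloud Shell ships.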

Step 1: Deploy from Azure Marketplace

Open the StratoLens listing on the Azure Marketplace, choose the subscription you want to use (StratoLens currently offers a single plan, selected by default), and click Create to launch the deployment wizard.

The portal link takes you straight to the Create wizard (you'll be asked to sign in). The marketplace link is public and shows the listing, pricing, and screenshots without sign-in.

Figure 1. StratoLens (preview) listing on the Azure Marketplace. Pick your Subscription, then click Create.

Marketplace Wizard Inputs

The Create StratoLens wizard has three tabs: Basics, Resource Names, and Review + submit.

Basics tab

Fill in the project and instance details:

Field                    Description
Subscription             The target Azure subscription where StratoLens will be deployed
Resource group           New or existing resource group. This is where the managed application object itself is registered
Region                   Azure region for the deployment
Company Name             3–12 lowercase alphanumeric characters. Used to pre-populate resource names on the next tab
Managed Resource Group   Separate resource group that holds the StratoLens-managed resources. Defaults to a timestamped name like mrg-stratolens-20260421151643; it's created automatically and is distinct from the Resource group above. You can rename it in the wizard if you have your own naming convention

Why two resource groups?

StratoLens is deployed as an Azure Managed Application. The Resource group holds the managed application object itself: a lightweight pointer Azure uses to track your subscription to the offer. The Managed Resource Group is where all of the actual infrastructure (Container App, Cosmos DB, Key Vault, etc.) is provisioned. Separating the two lets Azure manage lifecycle and updates of the underlying resources on your behalf while keeping them clearly scoped.

Figure 2a. Basics tab of the Create StratoLens wizard.

Resource Names tab

The second tab shows the names of each Azure resource the offer will create. All names are pre-populated from your Company Name (for example, Company Name contoso produces ca-contoso-stratolens, cosmos-contoso-stratolens, etc.). You can customize any of them if your organization has naming conventions that differ from the defaults.

Figure 2b. Resource Names tab. Names are pre-populated from Company Name and can be customized.

On the Review + submit tab, review your selections and click Create. Azure will provision the Container Apps environment, Container App, Scheduler Job, Cosmos DB, Key Vault, Log Analytics workspace, and the managed identity into the Managed Resource Group you chose.

Figure 3. Deployed resources in the Managed Resource Group once the Marketplace deployment finishes.

Estimated Time

Marketplace deployment typically takes 10–15 minutes.

Step 2: Run the Setup Script

Once the Marketplace deployment finishes, open the newly-provisioned Container App in the Azure Portal and navigate to its Application Url. You'll land on the StratoLens Setup page, which contains a one-line PowerShell command pre-filled with all of your deployment's values (resource group, subscription ID, container app name, managed identity, Key Vault, and more).

Figure 4. Container App Overview. The Application Url is on the right side of the Essentials pane. Click it to open the StratoLens Setup page.
Figure 5. The StratoLens Setup page. Review the prerequisites, click Copy to Clipboard, then paste into Azure Cloud Shell in PowerShell mode.

Before You Run the Command: Prerequisites

Have all three of the following ready before you click Copy to Clipboard on the Setup page:

Requirement                          Details
Signed-in identity                   Global Administrator in Entra ID and Owner on the subscription where StratoLens was installed. The same account must be signed in to both the Azure Portal and Cloud Shell.
Azure Cloud Shell, PowerShell mode   Open Cloud Shell from portal.azure.com. The shell-type dropdown in the top-left of the Cloud Shell toolbar must be set to PowerShell, not Bash.
Network access                       Cloud Shell needs outbound access to api.strato-lens.com to download the setup script. Azure Cloud Shell allows this by default, so most tenants won't need to do anything. If the script fails to download, check with your network admins to confirm outbound access isn't being blocked.

Verify your permissions before running the setup

The Setup page includes a Show test script button next to the Global Administrator prerequisite. Click it to reveal a one-line PowerShell command, copy it, and paste it into Azure Cloud Shell (PowerShell mode) before you run the main setup command. The script confirms you can elevate access and assign Reader at the tenant root, which is exactly what the setup script will attempt. A successful run prints PASS: can assign Reader at tenant root (Owner).

Bash will not work

The setup command is a PowerShell script. Make sure the Cloud Shell dropdown shows PowerShell before pasting; pasting into Bash will fail.

Running the Setup Command

  1. On the StratoLens Setup page, click Copy to Clipboard to copy the pre-filled command.
  2. Open Azure Cloud Shell from the Azure Portal and confirm the shell type is PowerShell.
  3. Paste the command into Cloud Shell and press Enter.
  4. Wait for the script to finish. It prints progress as it runs.

What the Script Does

Running the setup command performs four actions in your tenant:

  1. Creates a StratoLens admin user. Sets up the initial administrator inside the StratoLens app. They'll be able to add additional users from within StratoLens once it's up.
  2. Registers two Azure AD apps. Creates one Entra ID app registration for signing in to StratoLens (with the required Microsoft Graph API permissions), and a second one named StratoLens Notifications that StratoLens uses to send email notifications.
  3. Assigns managed identity permissions. Grants the scanner managed identity Reader access across your tenant so StratoLens can discover resources.
  4. Installs the StratoLens container. Replaces the Setup page with the full StratoLens application.

Admin consent is still required after the script completes

When the script finishes, it will print instructions for granting admin consent on the newly-created app registration. This is a manual step in the Azure Portal and is covered in Step 3 below. Without it, StratoLens will not be able to authenticate users or scan your environment.

The Setup page replaces itself

Once the script finishes installing the StratoLens container, the Setup page you started from will be replaced by the StratoLens application. Refresh the URL after the script completes to reach your dashboard.

Estimated Time

The setup script typically runs for 3–5 minutes.

Step 3: Grant Admin Consent

When the setup script finishes, it prints a DEPLOYMENT COMPLETE – ADMIN CONSENT REQUIRED banner with two Azure Portal URLs, one for each app registration the script created. You must grant admin consent on both:

  1. Authentication app (used for signing in to StratoLens). Permissions: User.Read.All, Group.Read.All.
  2. Email notifications app (named StratoLens Notifications). Permissions: User.Read, Mail.Send, offline_access.
Figure 6. The setup script's Final Steps output. Each appId link opens a different app registration's consent page.

For each URL the script prints:

  1. Open the link in the Azure Portal, signed in as a user who can grant admin consent (Global Administrator or Privileged Role Administrator).
  2. Review the permissions, then click the blue Grant admin consent for [Your Organization] button.
  3. Click Yes to confirm. The Status column will switch from Not granted to a green check for each permission.
Figure 7. API permissions page of an app registration. Click Grant admin consent for [Your Organization], then repeat on both the authentication app and the StratoLens Notifications app.

Grant consent on BOTH app registrations

It's easy to grant consent on the first app and forget the second. Sign-in will still work, but email notifications won't. Open and consent to each URL the script printed.
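A green check in the portal is easy to misread, and the second app is the one people forget, so it is worth confirming both grants from the directory itself. The block below is an added example, not StratoLens code: it reads the tenant-wide grants from Microsoft Graph for each app registration and reports which of the permissions listed above are still unconsented. It assumes Azure Cloud Shell in PowerShell mode signed in as a user who can read directory objects (a Global Administrator qualifies), and the two client IDs printed in the script's Final Steps banner; the IDs in $Apps are placeholders.

```powershell
# Added example, not part of the StratoLens setup script. Confirms admin consent
# on BOTH app registrations by reading tenant-wide grants from Microsoft Graph.
# Assumes: Azure Cloud Shell (PowerShell), a signed-in user who can read directory
# objects, and the two appIds from the Final Steps banner (placeholders below).
$ErrorActionPreference = 'Stop'

$Apps = [ordered]@{
    'StratoLens (authentication)' = @{ AppId  = '00000000-0000-0000-0000-000000000001'   # placeholder
                                       Expect = 'User.Read.All', 'Group.Read.All' }
    'StratoLens Notifications'    = @{ AppId  = '00000000-0000-0000-0000-000000000002'   # placeholder
                                       Expect = 'User.Read', 'Mail.Send', 'offline_access' }
}

function Invoke-Graph([string]$Path) {
    # Invoke-AzRestMethod acquires a Microsoft Graph token for the signed-in user.
    $r = Invoke-AzRestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/$Path"
    if ($r.StatusCode -ne 200) { throw "Graph GET $Path failed: HTTP $($r.StatusCode) $($r.Content)" }
    ($r.Content | ConvertFrom-Json).value
}

# Microsoft Graph's own service principal (well-known appId) maps permission IDs to names.
$graphSp = Invoke-Graph 'servicePrincipals?$filter=appId%20eq%20''00000003-0000-0000-c000-000000000000''&$select=id,appRoles' |
    Select-Object -First 1
$roleName = @{}
foreach ($role in $graphSp.appRoles) { $roleName[$role.id] = $role.value }

foreach ($name in $Apps.Keys) {
    $app = $Apps[$name]
    $sp  = Invoke-Graph "servicePrincipals?`$filter=appId%20eq%20'$($app.AppId)'&`$select=id" | Select-Object -First 1
    if (-not $sp) { Write-Warning "${name}: no service principal found for appId $($app.AppId)"; continue }

    # Application permissions consented by an admin show up as appRoleAssignments
    # whose resourceId is Microsoft Graph's service principal.
    $granted = @(Invoke-Graph "servicePrincipals/$($sp.id)/appRoleAssignments" |
        Where-Object { $_.resourceId -eq $graphSp.id } |
        ForEach-Object { $roleName[$_.appRoleId] })

    # Delegated permissions consented for all users show up as oauth2PermissionGrants
    # with consentType AllPrincipals; the scope field is space-separated.
    $granted += @(Invoke-Graph "servicePrincipals/$($sp.id)/oauth2PermissionGrants" |
        Where-Object { $_.consentType -eq 'AllPrincipals' -and $_.resourceId -eq $graphSp.id } |
        ForEach-Object { $_.scope -split ' ' } |
        Where-Object { $_ })

    $missing = @($app.Expect | Where-Object { $_ -notin $granted })
    if ($missing.Count) { Write-Warning "${name}: admin consent MISSING for $($missing -join ', ')" }
    else                { Write-Host    "${name}: admin consent present ($($granted -join ', '))" }
}
```

Checking both appRoleAssignments and oauth2PermissionGrants matters: application permissions and delegated permissions are recorded in different places, and a grant with consentType Principal (one user consented for themselves) is not tenant-wide admin consent, so it is deliberately ignored here.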

If the script shows a tenant-root role warning

Before the admin-consent banner, the script prints a summary. If you see ⚠️ Managed Identity permissions assigned (see warning below) instead of a green check, the Reader role couldn't be assigned on the tenant root management group. StratoLens won't be able to discover subscriptions or resources until this is fixed.

Fix it with one of these:

  • Elevate access (requires Global Administrator): Azure Portal → Microsoft Entra ID → Properties → Access management for Azure resources → set to Yes → Save, then re-run the setup script.
  • Manual assignment: Azure Portal → Management Groups → Tenant Root Group → Access control (IAM) → Add role assignment → Role: Reader, Members: the StratoLens scanner managed identity.

Step 4: Access StratoLens & First-Time Setup

Once the setup script completes, your StratoLens URL is displayed in the script output. You can also find it in the Azure Portal by navigating to the Container App named ca-{company}-stratolens and viewing the Application Url on the Overview page.

Sign in with your Entra ID (Azure AD) credentials. The user who ran the setup script in Step 2 is the initial StratoLens administrator and has full access. What follows is a walkthrough of the first-time setup flow.

1. Sign in and land on the Dashboard

After sign-in you arrive at the Executive Dashboard. A banner at the top of the page notes that registration is still incomplete.

Figure 8. First launch. The banner reads "Registration incomplete, click here to register your StratoLens instance."

2. Register your StratoLens instance

Click the registration banner. You'll be routed to Settings → General. Fill in Company Name and Technical Contact (Billing Contact is optional) and click Save Changes. This information is used for license management and support.

Figure 9. Settings → General. Provide your customer information, then Save Changes.

3. Accept the Terms of Service

Once registration is saved, the registration banner clears and a new banner prompts you to accept the Terms of Service. Clicking it opens the Terms of Service modal. Review the terms and click I Accept to continue.

Figure 10. After registration, a Terms of Service banner appears at the top of every page.

4. (Optional) Verify your license

Back in Settings → General, the License Status panel now shows your license state: Install ID, API reachability, expiry date, and days remaining. Click Check License Status to refresh.

Figure 11. License Status panel after registration. Use Check License Status to refresh against the StratoLens licensing API.

5. Run your first scan

Navigate to Scans → Overview and click Start New Scan. StratoLens will check registration and Terms first (re-prompting if either is missing), then verify the scanner identity's permissions.

Figure 12. Scans → Overview. Click Start New Scan under Scan Controls to kick off your first scan.

Once the scan starts, the Scan Controls tile flips to Scan in Progress with a Cancel option, and a progress panel below shows live stages (Resource Graph Changes, Subscription Batches, Total Changes Collected) with a percentage complete. You can leave the page while it runs.

Figure 13. Live scan progress with per-stage counters and a percent-complete indicator.

About scanner permissions

In most installations these permissions are already in place: the setup script in Step 2 assigns the Reader role to the scanner managed identity (id-{company}-stratolens-scanner) at the tenant root management group, which gives StratoLens visibility into everything in your tenant. If that succeeded (no warning at the end of the script), you have nothing to do here.

If StratoLens detects missing permissions when you click Start New Scan, an Access Warning modal appears. That's the signal to grant Reader manually. You don't have to use the tenant root: Reader on any management group or subscription will work, and StratoLens will scan whatever that scope includes. Continue Anyway will still run the scan, but results are limited to what the identity can currently see.
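Because Reader can be granted at the tenant root, at a child management group, or on individual subscriptions, the useful question is which subscriptions the scanner identity actually ends up reading. The block below is an added example, not StratoLens code: it takes every Reader-or-better assignment held by the scanner identity, expands any management-group scopes into the subscriptions beneath them, and tabulates coverage against the subscriptions visible to you. It assumes Azure Cloud Shell in PowerShell mode, the default identity name id-{company}-stratolens-scanner, and a signed-in user who can read the management-group hierarchy; $CompanyName and $ManagedRg are placeholders.

```powershell
# Added example, not part of StratoLens. Lists which subscriptions the scanner
# managed identity can actually read, by expanding the management-group tree under
# each of its role assignments. Run in Azure Cloud Shell (PowerShell) as a user who
# can read the management-group hierarchy. Placeholders: $CompanyName, $ManagedRg.
$ErrorActionPreference = 'Stop'

$CompanyName = 'contoso'                        # placeholder
$ManagedRg   = 'mrg-stratolens-20260421151643'  # placeholder
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $ManagedRg -Name "id-$CompanyName-stratolens-scanner"

# Return every subscription ID beneath a management group (depth-first walk).
function Get-SubscriptionsUnderMg([string]$MgName) {
    $root  = Get-AzManagementGroup -GroupName $MgName -Expand -Recurse
    $found = New-Object System.Collections.Generic.List[string]
    $stack = New-Object System.Collections.Stack
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in $node.Children) {
            if ($child.Type -like '*subscriptions') { $found.Add($child.Name) }
            else                                    { $stack.Push($child) }
        }
    }
    return $found
}

# Scopes where the identity holds a role that includes read access.
$readRoles = 'Reader', 'Contributor', 'Owner'
$covered   = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($a in Get-AzRoleAssignment -ObjectId $mi.PrincipalId) {
    if ($a.RoleDefinitionName -notin $readRoles) { continue }
    switch -Regex ($a.Scope) {
        '^/providers/Microsoft\.Management/managementGroups/([^/]+)$' {
            Get-SubscriptionsUnderMg $Matches[1] | ForEach-Object { [void]$covered.Add($_) }
        }
        '^/subscriptions/([^/]+)$' { [void]$covered.Add($Matches[1]) }
        default { Write-Warning "$($a.RoleDefinitionName) at $($a.Scope) is below subscription level; StratoLens will only see that slice" }
    }
}

# Compare against every subscription visible to the signed-in user.
Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id | ForEach-Object {
    [pscustomobject]@{
        Subscription = $_.Name
        Id           = $_.Id
        ScannerSees  = $covered.Contains($_.Id)
    }
} | Format-Table -AutoSize
```

A row with ScannerSees false is exactly the case that triggers the Access Warning modal: either add that subscription (or a management group above it) to the identity's Reader scopes, or accept that Continue Anyway will scan without it. Note the table is bounded by what your own account can see; subscriptions you lack access to will not appear at all.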

6. Post-scan backfill (first scan only)

When the first scan completes, a Background Data Collection Started modal appears. It explains that background backfills kick off within about 15 minutes for Activity Log (up to 80 days), Cost Data (up to 180 days), and Resource Graph history (up to 14 days). The modal is dismissible with Close or View Scan History. Backfills run asynchronously; you can continue using StratoLens while they complete.

Figure 14. The Background Data Collection Started modal that appears after your first scan.

7. (Optional) Review billing

With a scan under your belt, the Billing Configuration card on Settings → General now shows accurate plan details, including your price and next billing date. StratoLens is billed through your Azure subscription via the Azure Marketplace, and billing is enabled by default. Every StratoLens deployment includes a 28-day free trial; no charges are incurred during the trial regardless of the Billing Enabled toggle.

Figure 15. Billing Configuration on Settings → General. Toggle Billing Enabled on or off, pick a Billing Cycle, then click Save Changes.

To change billing:

  1. Toggle Billing Enabled off if you want to pause billing, or leave it on to be billed automatically once the trial ends.
  2. Set Billing Cycle to Monthly or Annual to match how you want to be invoiced.
  3. Click Save Changes.

What happens if billing is disabled after the trial?

If the trial expires and billing is disabled, the scanner stops running. Everything else keeps working: previously discovered resources, scan history, dashboards, and configuration stay fully accessible. The data just gets stale until you re-enable billing and a new scan runs. See the pricing page for more details.

You're up and running

StratoLens is registered, licensed, Terms are accepted, and your first scan is queued. From here, head to Scans → Overview to enable automatic scanning, or start exploring results on the Dashboard as data lands.

What Gets Deployed

The Marketplace offer provisions seven resources into your Managed Resource Group. The names shown below are the defaults derived from your Company Name. You can override any of them on the wizard's Resource Names tab.

Resource                          Default Name
Container Apps Environment        cae-{company}-stratolens
Container App (Web)               ca-{company}-stratolens
Container App Job (Scheduler)     job-{company}-stratolens
Cosmos DB Account                 cosmos-{company}-stratolens
Key Vault                         kv-{company}-stratolens
Log Analytics Workspace           log-{company}-stratolens
User-Assigned Managed Identity    id-{company}-stratolens-scanner

Troubleshooting

Marketplace Deployment Fails

  • Verify you have Owner permissions on the target subscription
  • Check Azure quota limits for the selected region (Container Apps, Cosmos DB)
  • Review the deployment's error details in the Azure Portal under Deployments for the target resource group

Placeholder Page Shows an Error or Doesn't Load

  • The Container App may still be starting. Wait 2–3 minutes and refresh
  • Confirm the Container App shows status Running in the Azure Portal
  • Verify the Application Url on the Overview page matches the URL you're opening

Application Deploy Script Fails

  • Ensure you're running Azure Cloud Shell in PowerShell mode (not Bash)
  • Confirm you're signed in to the same tenant and subscription where the Marketplace deployment ran
  • Check internet connectivity and that https://api.strato-lens.com is reachable

Invalid or Missing Deploy Command

  • Copy the full command from the placeholder page. It's a single line and must be pasted in its entirety
  • If the command is missing from the placeholder page, refresh after a few minutes; the Marketplace deployment may still be finalizing

Subscription Selection Issues

  • Run az login to authenticate if the Cloud Shell session has expired or you switched tenants
  • Verify you have access to the target subscription: az account list (or Get-AzSubscription in PowerShell)

Admin Consent Not Granted

  • Confirm you're signing in to the Azure Portal with a user that has permission to grant admin consent (Global Administrator or Privileged Role Administrator)
  • Navigate to the app registration created by the deployment, open API Permissions, and click Grant admin consent for [Your Organization]

Validation Errors

  • Company Name: Must be 3–12 characters, lowercase alphanumeric only
  • Region: Must be a valid Azure region (default: East US 2)