This article details the minimum permissions needed to install EvOps in Azure Stack deployments that use Active Directory Federation Services (AD FS) or Azure Active Directory (Azure AD).
Azure Stack Deployment Types
Active Directory Federation Services (AD FS)
Account and permission prerequisites for EvOps installation on an Azure Stack AD FS deployment:
Alias | Credentials | Description |
---|---|---|
Cloud Admin | Cloud Admin Credentials | Domain account credential for Azure Stack cloud admins. An example is <AzureStackDomain>\CloudAdmin. |
The installation script will prompt twice for credentials, but when installing EvOps on an Azure Stack AD FS deployment you should use the Cloud Admin credentials both times.
Azure Active Directory (Azure AD)
Account and permission prerequisites for EvOps installation on an Azure Stack Azure AD deployment:
Alias | Credentials | Description |
---|---|---|
Cloud Admin | Cloud Admin Credentials | Domain account credential for Azure Stack cloud admins. An example is <AzureStackDomain>\CloudAdmin. |
Service Admin | Azure AD Global Administrator* Credentials | Azure AD account used by installation to provision and delegate applications and service principals for EvOps that interact with Azure Active Directory and Graph API. |
* Starting with EvOps version 1.1905.1423, Azure AD Global Administrator permissions are optional during the installation script execution. Instead, an Azure AD consent URL is generated as part of the script output. This URL can then be sent to an Azure AD Global Administrator for approval. The approval must be completed before you start configuring EvOps.
The installation script will prompt twice for credentials: at the first prompt, use the Cloud Admin credentials, and at the second prompt, use the Service Admin credentials.
Applications and Service Principals Provisioned
During the installation of EvOps, an application registration and a service principal are created. They are granted directory read permission and are used by the EvOps Resource Provider. The generated names of the application and service principal follow the naming standard:
Azure Stack - EvOps - <GUID>
These objects are created in Azure AD or AD FS, depending on the Azure Stack deployment environment.
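To confirm after installation that the provisioned objects hold nothing beyond directory read, the following added example (not part of the EvOps installer or its documentation) checks service principal records against the naming standard above. The record shape (`DisplayName`, `Permissions`), the helper name `Test-EvOpsPrincipal` and the permission value `Directory.Read.All` standing in for "directory read" are assumptions; the sample records are constructed.

```powershell
# Added example: audit service principals created by the EvOps installation.
# Assumption: "directory read" corresponds to the permission value below;
# adjust $AllowedPermissions to what your directory actually shows.
$AllowedPermissions = @('Directory.Read.All')

# Naming standard from the article: "Azure Stack - EvOps - <GUID>"
$NamePattern = '^Azure Stack - EvOps - [0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

function Test-EvOpsPrincipal {
    # Hypothetical helper: emits one finding object per input record.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Principal
    )
    process {
        $nameOk  = $Principal.DisplayName -match $NamePattern
        # Drop null/empty entries so an empty grant list is reported as such.
        $granted = @($Principal.Permissions | Where-Object { $_ })
        # Anything granted beyond the allowed set is excess privilege.
        $excess  = @($granted | Where-Object { $_ -notin $AllowedPermissions })

        $status = if (-not $nameOk) { 'NameMismatch' }
        elseif ($excess.Count -gt 0) { 'ExcessPermissions' }
        elseif ($granted.Count -eq 0) { 'NoPermissions' }
        else { 'OK' }

        [pscustomobject]@{
            DisplayName = $Principal.DisplayName
            Status      = $status
            Excess      = $excess -join ', '
        }
    }
}

# Constructed sample records; in a live environment these would come from an
# export of service principals whose display name starts with "Azure Stack - EvOps".
$sample = @(
    [pscustomobject]@{ DisplayName = 'Azure Stack - EvOps - 3f2b8c1e-9d4a-4e7b-8a65-0c1d2e3f4a5b'
                       Permissions = @('Directory.Read.All') }
    [pscustomobject]@{ DisplayName = 'Azure Stack - EvOps - 7a1c9e20-5b3d-4f68-9c12-aa34bb56cc78'
                       Permissions = @('Directory.Read.All', 'Directory.ReadWrite.All') }
    [pscustomobject]@{ DisplayName = 'Azure Stack - EvOps - test'
                       Permissions = @('Directory.Read.All') }
)

$sample | Test-EvOpsPrincipal | Format-Table -AutoSize
```

A `NameMismatch` row marks an object that uses the EvOps prefix without the generated GUID suffix, and an `ExcessPermissions` row marks one that was granted more than the installation documents.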