
# Configure Devolutions Cloud encryption service using an Azure template

Using an Azure template to configure the encryption service is the recommended method, but specific use cases may call for the [Devolutions Cloud Services method](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/configure-devolutions-cloud-encryption-using-the-devolutions-cloud-services/) instead.

### Requirements

The following prerequisites are necessary to enable and configure the encryption service:

* A configured and active [Single Sign-On (SSO) setup](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/).
* An application identity in Devolutions Cloud (see section below).
* A trusted SSL certificate.
* A reachable network port within the local network and, if applicable, from the internet.
* An active Azure services subscription (see section below).

#### Application identity permissions

[Create an application identity](https://docs.devolutions.net/cloud/web-interface/administration/management/application-users/manage-application-users/#create-an-application-identity) and assign it the following [system permissions](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/system-permissions/):

* ***Manage users and user groups***.
* ***Manage system configuration*** (includes system permissions, system settings, and IP allowlists).

{% hint style="info" %}
If you are using an IP allowlist, the encryption service IP must be added to it as an allowed IP. Failure to do so will prevent the service from communicating with Devolutions Cloud, rendering it non-functional.
{% endhint %}

#### Azure services subscription

You need an Azure services subscription to set up the encryption service with an Azure template. If you do not have one, first follow these instructions:

1. Log in to your [Microsoft Azure Portal](https://azure.microsoft.com/) account.
2. Select ***Subscriptions*** in the ***Azure services***. If you do not see it, search for it in the search bar at the top of the page or click on ***More services*** to show other services. This service can be found under the ***Management and governance*** services category.
3. Click ***Add*** then select the ***Pay-As-You-Go*** subscription offer.
4. Enter the required information and sign up to the service.

### Encryption service setup

Make sure the requirements are fulfilled before moving forward, and plan every change in advance to avoid configuration issues. If a configuration issue does occur, it is better to deactivate the feature altogether while working on a fix.

1. In Devolutions Cloud, go to ***Administration – Authentication – Encryption service*** and click on ***Generate Azure template***.
2. Copy the generated template.
3. On the [Microsoft Azure Portal home page](https://azure.microsoft.com/), select ***Deploy a custom template*** in the ***Azure services***. If you do not see it, search for it in the search bar at the top of the page or click on ***More services*** to show other services. This service can be found under the ***General*** services category.
4. Click on ***Build your own template in the editor***.
5. Paste the generated Azure template you obtained from Devolutions Cloud into the Azure template editor, replacing any pre-existing content within the editor.
6. Click ***Save***.
7. On the ***Custom deployment*** page, configure your information as outlined below:
   * ***Subscription***: Select a subscription if none is selected.
   * ***Resource group***: Select or create a resource group if none is selected.
   * ***App Name*** and ***App Service Plan Name***: Leave the default names or change them according to your preferences.
   * ***Devolutions Cloud URL***: Ensure that it is set to the URL of your Devolutions Cloud.
   * ***Application Identity Key*** and ***Application Identity Secret***: Enter your application identity key and secret in the corresponding fields. Your application identity should have the ***Manage system configuration*** and ***Manage users and user groups*** permissions, as stated in the *Application identity permissions* section.
8. Click on ***Review + create***.
9. Click on ***Create***.
10. Upon completion of the deployment, which may take a few seconds, click on ***Go to resource group***.
11. Select your new ***App Service*** in the list.
12. Copy the given ***Default domain*** (*<https://your-app-name.azurewebsites.net>*) or the ***Custom domain*** (*<https://yourdomain.com>*) if you decided to create one.
13. Add this domain to the list of redirect URIs in your enterprise application. Follow the instructions below to guide you through this process:
    1. Go back to the [Microsoft Azure Portal home page](https://azure.microsoft.com/) and select ***Enterprise applications*** in the ***Azure services***. If you do not see it, click on ***More services*** to show other services.
    2. Select your application from the list.
    3. In the left menu, click on ***Properties***.
    4. In the text at the top of the page, click on ***application registration***.
    5. In the left menu, click on ***Authentication***.
    6. Click on ***Add URI*** and paste the domain in the redirect URI field. Add **/auth/callback** at the end of the URL and ensure it starts with **https\://**. The end result should look like this: `https://your-app-name.azurewebsites.net/auth/callback`.
    7. Click ***Save***.
14. In Devolutions Cloud, go back to ***Administration – Authentication – Encryption service*** and enable the encryption service if not already done.
15. Paste your default or custom domain in the ***Encryption Service*** URL field and ensure that it starts with **https\://**. The end result should look like this: *<https://your-app-name.azurewebsites.net>*. This is where the encryption service will listen for incoming requests. This URL or IP address only needs to be reachable by clients logging in using the encryption service.
16. Test the connection. If the connection fails, check the validity of the information you have entered and try again. If you are still experiencing connection problems, please contact our help desk technicians at <service@devolutions.net>.
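
If the connection test fails, a mismatch between the App Service domain, the registered redirect URI (step 13) and the encryption service URL (step 15) is worth ruling out first. The following Python check is an added example, not part of the Devolutions documentation; the function names and sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/auth/callback"  # suffix given in step 13.6


def service_urls(domain: str) -> tuple[str, str]:
    """Return (encryption_service_url, redirect_uri) for an App Service domain."""
    parts = urlsplit(domain.strip())
    if parts.scheme != "https":
        raise ValueError("URL must start with https://")
    if not parts.hostname:
        raise ValueError("URL has no host name")
    if parts.username or parts.password:
        raise ValueError("URL must not carry credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("expected the bare domain, without path or query")
    base = f"https://{parts.netloc.lower()}"
    return base, base + CALLBACK_PATH


def audit_redirect_uris(domain: str, registered: list[str]) -> dict:
    """Compare redirect URIs registered on the application with the expected one."""
    _, expected = service_urls(domain)
    exp = urlsplit(expected)
    findings = {"expected": expected, "ok": expected in registered, "near_misses": []}
    for uri in registered:
        got = urlsplit(uri)
        if uri == expected or (got.hostname or "").lower() != exp.hostname:
            continue  # exact match, or a URI that belongs to another host
        if got.scheme != "https":
            reason = "scheme is not https"
        elif got.path.rstrip("/") != CALLBACK_PATH:
            reason = "path is not /auth/callback"
        else:
            reason = "differs from the expected URI (trailing slash, port or query)"
        findings["near_misses"].append((uri, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: redirect URIs copied from an app registration.
    sample = [
        "https://your-app-name.azurewebsites.net/auth/callback/",
        "http://your-app-name.azurewebsites.net/auth/callback",
    ]
    report = audit_redirect_uris("https://your-app-name.azurewebsites.net/", sample)
    print(report["expected"], report["ok"])
    for uri, reason in report["near_misses"]:
        print(f"  {uri}: {reason}")
```
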

All users from your SSO provider can now log in and gain access to your Devolutions Cloud instance automatically, bypassing the need for invitations. It is also not necessary for users to have a private key set up to use Devolutions Cloud. The server operates on a self-hosted basis; it therefore plays a vital role in the infrastructure. Should the server experience downtime or fail to run, users lacking private keys will encounter issues connecting to Devolutions Cloud.

#### See also

* [Encryption service – Frequently Asked Questions](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/#faq)
* [Encryption service – Troubleshooting](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/#troubleshooting)

