Skip to main content
If you have an existing Azure app in Opal that has not been configured to manage infrastructure resources, you can enable infrastructure management under the app’s Setup tab in Opal.
To manage access to Azure Subscriptions and Resource Groups, you must grant additional permissions to the Opal application.

Requirements

You must have admin access to the Azure root management group.

1. Create Opal Service Role

  1. In the Azure Portal, navigate to Tenant Root Management Group -> Access Control (IAM) -> Add -> Add custom role.
  1. Go to JSON > Edit. Replace the default definition with the following snippet in the Definition tab, substituting in your management group ID. Note: The roleName must be Opal Service Role. Use the Explanation tab to see why permissions are required, and the Definition tab for a valid definition to copy and paste.
  1. Click Next, and then Create to create the role.

2. Create Role Assignment

  1. In the Azure portal, navigate to Tenant Root Management Group -> Access control (IAM) -> Add role assignment.
  1. Under Role, select the Opal Service Role (found under “Privileged administrator roles”).
  2. Select the Members tab. Add the Opal application as a member.
  3. Select the Conditions tab -> Select roles and principals.
  1. Select Open advanced condition editor. Toggle Editor type from “Visual” to “Code”.
  2. Paste in the following code, substituting in your Opal app’s Object ID, and save. This condition prevents the Opal application from having the ability to escalate its own access by assigning roles to itself.
  1. Go to Review + assign. Complete assigning the role by clicking Review + assign.

3. Allow sessions for SQL Databases [Optional]

Follow instructions to add Azure Databases if you want to enable Opal to manage SQL Database logins.
Last modified on November 5, 2025