
Managed in Azure: Dedicated Subscription

The simplest onboarding path. Create a new, empty Azure subscription exclusively for DocAI Fabric, grant us access, and we handle everything: resource provisioning, OpenAI and Document Intelligence setup, infrastructure configuration, and all future deployments.

Why a dedicated subscription?

A dedicated subscription contains nothing else: no existing resources, no other workloads, no sensitive data. Granting us Owner access to an empty subscription is low-risk by design: the subscription is the permission boundary, so the only resources that will ever exist there are the ones we create for this application, and the role grants no rights in your Entra ID tenant or in your other subscriptions. Owner does still let the principal create any resource type and incur spend, so a budget alert on the new subscription is a cheap safeguard. This is also aligned with Azure guidance to isolate each application workload in its own subscription.

If you need to deploy inside an existing shared subscription instead, see the Existing Subscription guide; it uses a more restricted service principal scoped to a single resource group.

Prerequisites

Before starting, make sure you have:

  • OIDC subject value from us (we will provide the exact value for Step 3, e.g., repo:docaifabric/docaifabric:environment:customer-<YOUR_ID>)
  • Azure CLI installed (install guide)
  • Permission to create an Azure subscription, or access to a billing administrator who can create one for you
  • Owner role on the new subscription once created
  • Permission to register applications in Microsoft Entra ID
Verify your Entra ID permissions

After az login, check that you can create app registrations:

APP_ID=$(az ad app create --display-name "permission-test" --query appId -o tsv) && \
az ad app delete --id "$APP_ID"
  • Success (no errors) → you have the required permissions.
  • "Insufficient privileges" → your organization restricts app registrations. Ask your IT / Entra ID administrator (someone with the Application Administrator or Global Administrator role) to complete Steps 2 and 3 on your behalf; the commands are the same.

Step 1: Create a New Azure Subscription

Create a fresh subscription dedicated to DocAI Fabric via the Azure Portal:

  1. Go to Azure Portal → Cost Management + Billing → Subscriptions → Add
  2. Choose an appropriate offer (the same offer type as your other subscriptions)
  3. Name it something clear, e.g. <yourcompany>-docaifabric
  4. Note the Subscription ID once it is created. You can also retrieve it from the CLI; az account show reports whichever subscription is currently selected, so select the new one first:
az login
az account set --subscription "<yourcompany>-docaifabric"
az account show --query id -o tsv
Enterprise Agreement or Microsoft Customer Agreement

If your organisation uses an EA or MCA, your billing administrator may need to create the subscription. The process is the same: ask them to create a new subscription and assign you as Owner so you can complete the remaining steps.


Step 2: Create a Service Principal for Our CI/CD

We need a service principal in your Microsoft Entra (Azure AD) tenant to authenticate our CI/CD pipeline. You create it: it lives in your tenant, under your control.

az login

az ad sp create-for-rbac \
--name "sp-docaifabric-<YOUR_COMPANY>" \
--role Owner \
--scopes "/subscriptions/<YOUR_SUBSCRIPTION_ID>"

This outputs JSON:

{
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"displayName": "sp-docaifabric-yourcompany",
"password": "...",
"tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Note the appId (also called Client ID) and tenant values; you'll share these with us. We authenticate with OIDC (Step 3), so the password is never used, but discarding it does not revoke it: az ad sp create-for-rbac stores it on the app registration as a client secret that stays valid until it expires (one year by default). Delete it with az ad app credential delete (the key ID comes from az ad app credential list) so that the federated credential is the only way to authenticate as this principal.

Can't grant Owner? Use two roles instead

If your organisation's policy restricts granting Owner, assign Contributor and User Access Administrator separately; for what our deployment needs, this combination is equivalent to Owner:

az role assignment create \
--assignee "<APP_ID>" \
--role Contributor \
--scope "/subscriptions/<YOUR_SUBSCRIPTION_ID>"

az role assignment create \
--assignee "<APP_ID>" \
--role "User Access Administrator" \
--scope "/subscriptions/<YOUR_SUBSCRIPTION_ID>"

Both roles are required. (Contributor alone is not enough: we need User Access Administrator to configure the managed identity's access to storage and Key Vault during infrastructure setup.) Note that User Access Administrator lets the principal assign any role, including Owner, to other identities within the subscription, which is why the empty, dedicated subscription matters as the containment boundary.


Step 3: Configure OIDC Federation

Add a federated credential so our CI/CD pipeline authenticates without storing any secrets:

# Get the App ID of the service principal you just created
APP_ID=$(az ad sp list \
--display-name "sp-docaifabric-<YOUR_COMPANY>" \
--query "[0].appId" -o tsv)

# Add the federated credential (we will provide the exact subject value)
az ad app federated-credential create \
--id $APP_ID \
--parameters '{
"name": "github-deploy",
"issuer": "https://token.actions.githubusercontent.com",
"subject": "<SUBJECT_VALUE_WE_PROVIDE>",
"audiences": ["api://AzureADTokenExchange"]
}'

We will give you the exact subject value when we set up your environment.
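The script below is an added example, not part of this guide or of the DocAI Fabric project's own tooling. It performs Steps 2 and 3 as one secretless procedure: the app registration and service principal are created separately (so no client secret is ever minted, unlike az ad sp create-for-rbac), the role is assigned by object ID, the federated credential is pinned, and the script then checks that the app registration carries no password credentials. It assumes you are logged in with az login against the tenant that owns the new subscription and that the subject value we provide is pinned to a repository plus an environment or branch/tag ref (it refuses anything looser). The function names, the role allow-list and the usage convention are the example's own.

```shell
#!/bin/sh
# Added example (not the project's own tooling): create the DocAI Fabric deploy
# principal with no client secret and pin a GitHub OIDC federated credential to it.
# Usage: sh bootstrap-sp.sh <COMPANY> <SUBSCRIPTION_ID> <OIDC_SUBJECT> [ROLE]
set -eu

ISSUER="https://token.actions.githubusercontent.com"
AUDIENCE="api://AzureADTokenExchange"

# Entra matches the subject claim exactly, so this value decides which GitHub
# workflow runs can obtain tokens for the principal. Accept only subjects pinned
# to a repo plus an environment or a branch/tag ref; reject looser forms such as
# the pull_request subject, which any PR in the repo could satisfy.
validate_subject() {
  case "$1" in
    repo:*/*:environment:*) return 0 ;;
    repo:*/*:ref:refs/heads/*|repo:*/*:ref:refs/tags/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Only the roles this guide calls for may be assigned by the script.
allowed_role() {
  case "$1" in
    Owner|Contributor|"User Access Administrator") return 0 ;;
    *) return 1 ;;
  esac
}

# Build the --parameters document for `az ad app federated-credential create`.
fed_cred_params() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}\n' \
    "$1" "$ISSUER" "$2" "$AUDIENCE"
}

bootstrap() {
  company="$1"; subscription_id="$2"; subject="$3"; role="${4:-Owner}"
  validate_subject "$subject" || { echo "refusing unpinned subject: $subject" >&2; return 1; }
  allowed_role "$role" || { echo "role not permitted by this script: $role" >&2; return 1; }

  # App registration and service principal are created separately: unlike
  # `az ad sp create-for-rbac`, neither command generates a password credential.
  app_id=$(az ad app create --display-name "sp-docaifabric-${company}" --query appId -o tsv)
  sp_oid=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Assign by object ID and principal type; this avoids the directory replication
  # race where a brand-new principal is not yet resolvable by its appId.
  az role assignment create \
    --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "/subscriptions/${subscription_id}" --output none

  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fed_cred_params github-deploy "$subject")" --output none

  # Post-condition: the app registration must carry no password credentials.
  n_secrets=$(az ad app credential list --id "$app_id" --query "length(@)" -o tsv)
  [ "$n_secrets" = "0" ] || { echo "unexpected password credentials on $app_id" >&2; return 1; }
  echo "appId=$app_id"
}

if [ "$#" -ge 3 ]; then
  bootstrap "$@"
else
  echo "usage: $0 <COMPANY> <SUBSCRIPTION_ID> <OIDC_SUBJECT> [ROLE]" >&2
fi
```

Run it as sh bootstrap-sp.sh acme <SUBSCRIPTION_ID> "<SUBJECT_VALUE_WE_PROVIDE>" and share the printed appId together with your tenant ID; pass "User Access Administrator" as the fourth argument and run it a second time with Contributor if your policy forbids Owner. The role assignment and the federated credential are both visible afterwards in your Activity Log and in the app registration's "Certificates & secrets" blade, where the Federated credentials tab should be the only populated one.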


Step 4: Choose Your Region

We can deploy into almost any Azure region. However, the regions below have the broadest AI model availability (including the latest GPT and transcription models), so we recommend choosing one of these if it works for your data residency requirements:

Region          Location
canadacentral   Canada Central
centralus       Central US
eastus2         East US 2
francecentral   France Central
swedencentral   Sweden Central

If none of these regions are acceptable (e.g. due to data residency policy), let us know your preferred region and we will confirm which features are available there.


Step 5: Share With Us

Item                        Where to find it
Subscription ID             From Step 1 (or az account show --query id -o tsv)
Tenant ID                   From the tenant field in Step 2 output
Service Principal App ID    From the appId field in Step 2 output
Azure Region                Your choice from Step 4

That's it. We will handle the rest, including creating a resource group (typically named docailab-<your-id>-rg) for all DocAI Fabric resources.

Azure OpenAI quota

We'll verify the quota available in your subscription as part of the initial provisioning. The default model we use (gpt-5.4-mini) is typically available immediately on new subscriptions without any quota request. If a quota request is needed (for the default model in your region, or for higher throughput later), we'll let you know and you can submit the request via Azure Portal → Quotas → Azure OpenAI (usually approved within a few hours).

Tenant-level policy restrictions

If your tenant has Azure Policy rules that restrict resource SKUs, regions, public networking, or specific resource providers, let us know in advance. Policy is evaluated independently of RBAC, so these rules can block provisioning even when the service principal has Owner; assignments inherited from a management group apply to the new subscription as well. A list of any applicable policies (or a sample deploy in a test resource group) helps us anticipate issues.


What We Provision on Your Behalf

Once you share the details above, we deploy everything into your subscription:

Resource                                                    Purpose
Resource Group                                              Container for all resources
Azure OpenAI (GPT-5.4-mini)                                 Document classification and extraction
Reasoning model for Copilot (Anthropic Claude Sonnet 4.6    In-app AI Copilot answers and reasoning
  preferred, or Azure OpenAI GPT-5.4)
Azure Document Intelligence                                 OCR processing
Container App                                               Application hosting
Container Registry                                          Docker images
Azure Managed Redis                                         Job queue and caching
Storage Account                                             Document storage
Key Vault                                                   Secrets management
Log Analytics + App Insights                                Logging and monitoring
Managed Identity                                            Secure, keyless resource access

All resources are created inside your subscription. You retain full ownership and can inspect, modify, or delete anything at any time.

Voice input for the Copilot is an optional add-on; see Enable Advanced Copilot if you want to enable it.


Audit and Observability

All logs, metrics, and audit trails live in your subscription; you control access and retention.

What you get               Where it lives                   What it captures
Application Insights       Your resource group              App-level telemetry, errors, performance traces
Log Analytics workspace    Your resource group              Container console logs, request logs, custom queries via KQL
Azure Activity Log         Subscription-level (built in)    Every resource change, including deployments performed by our CI/CD, visible to you in real time; filter on the caller to isolate the service principal's actions

Default log retention is 30 days in Log Analytics. If you have compliance requirements for longer retention, let us know: we can configure archive tier or continuous export to Storage when we deploy.

We strongly recommend granting our team read-only log access via Azure Lighthouse so we can diagnose issues quickly without you issuing us any credentials or forwarding log excerpts. The delegation is scoped only to Log Analytics and monitoring data (no access to your documents, storage, or other resources), it is fully revocable from your side at any time, and every access it enables is visible in your Activity Log. See Application Logs for the exact setup. If your policy genuinely forbids cross-tenant delegation, we can fall back to log excerpts you share manually, but expect noticeably slower turnaround on support.


Next Steps