Before deploying, make sure you have read Cloud deployment considerations.

Safeguard for Privileged Sessions (SPS) can be run in the cloud using Azure. A version of SPS is available in the Azure Marketplace and an Azure Virtual Machine (VM) is required. See Windows virtual machines in Azure for details of setting up your VM.

Limitations
  • If High Availability (HA) operation mode is required in a virtual environment, use the HA function provided by the virtual environment.

  • When running SPS in a virtual environment, use a single network interface.

  • Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.

Disk size considerations

SPS deploys with a minimal OS disk size. Increase the size of the OS disk based on your estimated usage and budget. SPS on hardware ships with 1 TB of disk; you can use more or less than this depending on how many assets, accounts, and daily users you expect to have. 500 GB is the minimum production disk size and 2 TB is the maximum.

  1. Deploy SPS.
  2. Verify you can log in.
  3. Shut down the VM (stopped and deallocated).
  4. Follow Microsoft’s guidance for increasing the disk size: How to expand the OS drive of a virtual machine.

When you start up the VM, SPS automatically resizes the OS disk volume to use the available space.

Azure security considerations

Running SPS in Azure comes with some security considerations that do not apply to the hardware appliance. One Identity recommends:

  • Do not give Safeguard a public IP address.
  • Use the Azure key vault to encrypt the disk.
  • Limit access within Azure to the Safeguard virtual machine. SPS in Azure cannot protect against rogue Administrators in the same way the hardware appliance can.

Static IP address recommended

Configure the SPS VM with a static IP address in Azure. In Azure, the IP address must not change after the VM is deployed. If you need to change the IP address, take a backup, deploy again, and restore the backup. You can script the VM deploy to pick up an existing virtual NIC with the IP address configuration. For details, see Microsoft’s Virtual Network documentation.

Deployment steps

SPS is deployed from the Azure Marketplace. Azure automatically licenses the operating system during the deployment with an Azure KMS.

The Azure base image includes the required configuration necessary to deploy into Azure following Microsoft's guidance, Prepare a Windows VHD or VHDX to upload to Azure.

  1. Log into the Azure portal.
  2. Under Azure services, click Create a resource.
  3. Search for “One Identity Safeguard for Privileged Sessions” and click the tile.
  4. On the One Identity Safeguard for Privileged Sessions screen, click Create.
  5. Advance through the resource creation screens. Considerations follow:
    • For small deployments, choose at least VM size Standard D2s v3. Larger deployments warrant larger sizing choices.
    • You must set an administrator user name and password as part of the image creation; however, SPS will disable this account during initial setup.
    • Set public inbound ports to None.
    • Choose your Windows licensing option.
    • Make sure to enable boot diagnostics and the serial kiosk. The Azure Serial console will be used to provide access to the Safeguard Recovery Kiosk.
  6. Once you are finished configuring the VM, click Create. Azure will deploy the SPS virtual machine.
  7. When the virtual machine deployment is finished, SPS will automatically start initializing and configuring itself for first use. This usually takes between 5 and 30 minutes, depending on the VM sizing. During initialization, Safeguard will enable the firewall and disable remote access to the VM. You can monitor the progress of initialization from the Azure Serial console. While the initialization is running, do not log in to the VM, and do not power off or restart the VM.
  8. When initialization is complete, you will see the Safeguard Recovery (Serial) Kiosk on the Azure Serial console screen.
  9. Log in to the appliance through the web interface using the default username and password admin / Admin123. Change the admin password immediately. For more information, see Change password.
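The deployment steps above, together with the static IP, no-public-IP and disk-size guidance from the earlier sections, as an added Azure CLI script that is not part of One Identity's documentation. It assumes a logged-in `az` CLI, an existing virtual network, subnet and network security group, and placeholder names (`sps-rg`, `sps-nic`, the image URN and the `SPS_INIT_PASSWORD` variable) that you replace with your own; the pre-flight check encodes only the limits this page states.

```shell
#!/usr/bin/env bash
# Added example (not One Identity's code): deploy SPS into Azure per this page.
# All resource names and the image URN below are assumed placeholders.
set -eu

RG="sps-rg"; VNET="sps-vnet"; SUBNET="sps-subnet"; NSG="sps-nsg"   # assumed, pre-existing
NIC="sps-nic"; VM="sps-vm"                                         # assumed names
PRIVATE_IP="10.0.1.10"          # static private IP; must not change after deployment
SPS_IMAGE_URN="<SPS_MARKETPLACE_IMAGE_URN>"   # placeholder: take from the Marketplace listing
OS_DISK_GB=1024                 # page: 500 GB minimum, 2 TB maximum; hardware ships with 1 TB

# Pre-flight check of the page's constraints: OS disk 500-2048 GB, no public IP,
# a single NIC. Prints each violation and returns 1 if any is found.
check_sps_plan() {
  disk_gb="$1"; public_ip="$2"; nic_count="$3"; ok=0
  if [ "$disk_gb" -lt 500 ] || [ "$disk_gb" -gt 2048 ]; then
    echo "OS disk must be 500-2048 GB (got ${disk_gb})"; ok=1; fi
  if [ "$public_ip" != "none" ]; then
    echo "SPS must not have a public IP (got ${public_ip})"; ok=1; fi
  if [ "$nic_count" -ne 1 ]; then
    echo "use a single network interface (got ${nic_count})"; ok=1; fi
  return "$ok"
}

# Steps 1-6: create the NIC with a static private IP, then the VM with no public
# IP (with --nics, az creates no public IP) and boot diagnostics for the Serial console.
create_sps_vm() {
  check_sps_plan "$OS_DISK_GB" none 1
  az vm image terms accept --urn "$SPS_IMAGE_URN"      # only if the listing requires it
  az network nic create -g "$RG" -n "$NIC" --vnet-name "$VNET" --subnet "$SUBNET" \
    --network-security-group "$NSG" --private-ip-address "$PRIVATE_IP"
  az vm create -g "$RG" -n "$VM" --image "$SPS_IMAGE_URN" --size Standard_D2s_v3 \
    --nics "$NIC" --admin-username spsinit \
    --admin-password "${SPS_INIT_PASSWORD:?set an initial admin password}"  # SPS disables this account
  az vm boot-diagnostics enable -g "$RG" -n "$VM"
}

# Run only after initialization finished and you verified the web login (steps 7-9):
# grow the OS disk while deallocated; SPS resizes the volume itself on the next boot.
resize_sps_os_disk() {
  az vm deallocate -g "$RG" -n "$VM"
  os_disk=$(az vm show -g "$RG" -n "$VM" --query storageProfile.osDisk.name -o tsv)
  az disk update -g "$RG" -n "$os_disk" --size-gb "$OS_DISK_GB"
  az vm start -g "$RG" -n "$VM"
}

case "${1:-}" in create) create_sps_vm ;; resize) resize_sps_os_disk ;; esac
```

Invoke as `./deploy-sps.sh create`, wait for the Recovery Kiosk to appear on the Serial console and confirm the web login, then run `./deploy-sps.sh resize`.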