Apporetum API Environment Variables Configuration Guide
This document outlines the environment variables that can be configured for the Apporetum API service running on Azure App Service. These settings control various aspects of the Apporetum platform including authentication, database connections, mail services, timings and integrations.
Accessing Environment Variables in Azure App Service
Navigate to Environment Settings
- Open Azure Portal: Go to portal.azure.com
- Find Your App Service: Navigate to your Apporetum API App Service resource
- Access Configuration: In the left menu, click on Settings → Configuration
- View Variables: Click on the Application settings tab to see all environment variables
Setting a New Environment Variable
- In the Application settings tab, click + New application setting
- Enter the Name (use the exact setting name from the table below)
- Enter the Value according to your environment requirements
- Click OK to save the setting
- Click Save at the top of the Configuration page
- Restart the App Service for changes to take effect
Updating an Existing Environment Variable
- In the Application settings list, find the setting you want to modify
- Click on the setting name or the Edit button (pencil icon)
- Update the Value field
- Click OK to confirm changes
- Click Save at the top of the Configuration page
- Restart the App Service for changes to take effect
Environment Variables Used For Organisation Specific Configuration
Grouping | Setting | Type | Default Value | Description |
---|---|---|---|---|
ApplicationInsights | APPINSIGHTS_INSTRUMENTATIONKEY | GUID | -- | Unique identifier that connects the app to a specific Application Insights resource |
ApplicationInsights | APPLICATIONINSIGHTS_CONNECTION_STRING | String | -- | Connection string containing endpoint and instrumentation key for Application Insights (preferred over instrumentation key alone) |
ApplicationInsights | ApplicationInsightsAgent_EXTENSION_VERSION | Integer | ~2 | Version of the Application Insights agent extension (~2 means latest 2.x version) |
ApplicationInsights | ConnectionString | String | -- | Application Insights connection string |
ApplicationInsights | LogLevel | String | Information | Default logging level for Application Insights |
Azure | ApiUrl | URL | https://apporetum-xxxx-api-xxxxxxx.azurewebsites.net/ | Base URL for the Apporetum API service |
Azure | ApplicationId | GUID | GUID | Entra ID application ID |
Azure | AppServiceName | String | apporetum-xxxx-api-xxxxxxx | Name of the Azure App Service resource |
Azure | AspResourceName | String | apporetum-xxxx-asp-xxxxxxx | The App Service Plan resource name |
Azure | ClientId | GUID | GUID | Entra ID application client ID |
Azure | ClientUrl | URL | https://default-client-asp.apporetum.com/ | Base URL for the Apporetum client application |
Azure | EnterpriseObjectId | GUID | GUID | Object ID for the enterprise application |
Azure | Instance | URL | https://login.microsoftonline.com/ | Entra ID authentication endpoint |
Azure | KeyVaultBaseUri | URL | https://apporetumyyyykvxxxxxxx.vault.azure.net/ | Base URI for Azure Key Vault |
Azure | KeyVaultConnectionString | String | RunAs=App;AppId=GUID | Connection string for Key Vault (alternative to URI) |
Azure | ManagedIdentityId | GUID | GUID | Resource ID for the managed identity |
Azure | ManagedIdentityName | String | default/id/to/managed/identity | Path to the managed identity resource |
Azure | RegistrationObjectId | GUID | GUID | Object ID for the app registration |
Azure | ResourceGroup | String | apporetum-client-rg | Azure resource group name where Apporetum is installed |
Azure | SpaResourceName | String | apporetum-xxxx-spa-xxxxxxx | Name of the Azure App Service resource |
Azure | SQlGeneralResourceName | String | apporetum-xxxx-sql-svr-xxxxxxx | Name of the SQL Server resource |
Azure | SubscriptionId | GUID | GUID | Azure subscription identifier |
Azure | TenantId | GUID | GUID | Entra ID tenant identifier |
Azure | VNetType | String | none | Virtual network configuration type |
Database | ConnectionString | String | -- | Primary database connection string |
EventGrid | DomainUrl | URL | -- | Azure Event Grid domain URL |
EventGrid | UseEventGridSchema | Boolean | false | Whether to use Event Grid schema format. If set to false it will use cloud events schema. |
EventGrid | PublishEvents:Identity | Boolean | -- | Allows identity events to be published to EventGrid |
EventGrid | PublishEvents:Access | Boolean | -- | Allows EventGrid events to be published |
General | APMGroupPrefix | String | APPORETUM_ | Prefix used for Apporetum-managed groups in Entra ID |
General | AllowExcludedAccountManagement | Boolean | false | Whether to allow management of excluded user accounts |
General | AutoAddManagers | Boolean | true | Whether to automatically add users who are linked as managers to the managers role to allow them to log into Apporetum |
General | CustomTitle | String | Apporetum Access Manager | Custom title displayed in the application interface |
General | EnableProvisioningService | Boolean | false | Enables integration to the Azure provisioning service |
General | ManagerGroupId | GUID | null | Optional GUID for the manager group if not using the system assigned group |
General | OrganisationName | String | Apporetum | Name of the organization using the platform |
| | CallbackBaseUrl | URL | -- | Base URL for email callbacks |
| | ProxyEmailUser | String | -- | Proxy email user if using email proxy |
| | ReplyToAddr | String | -- | Reply-to email address |
| | ReplyToName | String | -- | Reply-to display name |
OrganisationSignUpFlowConfig | CleanUserPrincipalNameOnSignUp | Boolean | true | Sets the UPN to a human-readable string based on the sign-up email rather than a GUID |
OrganisationSignUpFlowConfig | FlowKeys | Dictionary<GUID, String> | -- | Key Secret pairs for the Entra External ID Sign Up Sign In flow |
OrganisationSignUpFlowConfig | ErrorMessages | String | Various | Custom error messages for sign-up flow failures |
Provisioning | JobId | -- | API2AAD.TenantId.GUID | Resource linkage to the Entra ID provisioning API |
Provisioning | ServicePrincipalId | GUID | -- | GUID of the service principal of the provisioning service |
Scheduler | ConnectionString | String | -- | Scheduler database connection string |
Storage | AccountName | String | -- | Azure Storage account name |
Storage | AccountKey | String | BlobStorageKey | Name of the storage account secret in the Key Vault |
Timings | AccessAcceptanceDelay | Integer | 4 | Delay in hours for access acceptance processing |
Timings | ApprovalPeriod | Integer | 21 | Number of days for approval workflows |
Timings | DeleteAccountAfterXDays | Integer | 3 | Days to wait before deleting expired accounts |
Timings | DigestibleEmailGroupedSendDelay | Integer | 5 | Delay in minutes for grouped email sending |
Timings | ExpiryGracePeriod | Integer | 7 | Grace period in days before access expires |
Timings | InviteValidityPeriod | Integer | 14 | Number of days an invitation remains valid |
Timings | RemoveReconBlobsAfterXDays | Integer | 91 | Days to retain reconciliation blob data |
Timings | TestEmailCoolDown | Float | 0.5 | Cooldown period in minutes for test emails |
Timings | TimeZoneId | String | AUS Eastern Standard Time | Time zone for the application operations |
Environment Variables Used For Infrastructure Specific Configurations
Grouping | Setting | Type | Default Value | Description |
---|---|---|---|---|
Azure | CallbackPath | String | /signin-oidc | OAuth callback path for authentication |
Azure | ClientSecret | String | ClientSecret | Entra ID application client secret |
Azure | Domain | URL | default-client-domain.apporetum.com | Custom domain for the application |
Database | Secret | String | DbSecret | Key Vault secret name for database connection |
Database | UseInMemoryDatabase | Boolean | false | Whether to use in-memory database for testing |
EventGrid | SecretName | String | -- | Key Vault secret name for Event Grid access key if not using managed identities |
General | AllowedHosts | IP Addresses or URL | * | Specifies which hosts are allowed to access the application |
General | BaseExternalIntegrationRoleId | GUID | 8d163ed1-e497-4d1c-99a6-40b040d84655 | GUID for the base external integration role |
General | BaseUserRoleId | GUID | e2d18f97-8edf-4537-b652-99ec23db0e24 | GUID for the base user role in the system |
General | GlobalAdminRoleId | GUID | 1eac9493-d0ac-43a1-902a-7dffefb8b682 | GUID for the global administrator role |
General | ManagerGroupId | GUID | null | Optional GUID for the manager group |
General | PreventSeedGroups | Boolean | false | Whether to prevent automatic creation of seed groups |
IdentityStateEngine | ConnectionString | String | ISEDbSecret | Key Vault secret name for ISE database |
IdentityStateEngine | PreventBackgroundProcessing | Boolean | false | Whether to disable ISE background processing |
IdentityStateEngine | UseInMemoryDatabase | Boolean | false | Whether ISE uses in-memory database |
Licence | Certificate | String | LicenceCertificate | Key Vault secret name for license certificate |
Licence | Token | String | LicenceToken | Key Vault secret name for license token |
Licence | Url | URL | https://license.apporetum.com | Primary license validation URL |
Licence | Url2 | URL | https://license2.apporetum.com | Secondary license validation URL |
| | Secret | String | MailSecret | Key Vault secret name for mail configuration |
| | SendFromAddr | String | -- | Email address for outgoing emails |
| | SendFromName | String | -- | Display name for outgoing emails |
| | ServerName | String | -- | SMTP server hostname |
| | ServerPort | Integer | 22 | SMTP server port number |
| | ServerUsername | String | -- | SMTP server authentication username |
Proxy | Password | String | -- | Proxy authentication password |
Proxy | Port | Integer | -- | Proxy server port if proxy is enabled |
Proxy | Url | URL | -- | Proxy server URL if proxy is enabled |
Proxy | UseGraphAuthProxy | Boolean | false | Whether to use proxy for Graph authentication |
Proxy | UseGraphProxy | Boolean | false | Whether to use proxy for Microsoft Graph calls |
Proxy | UseIdentityProxy | Boolean | false | Whether to use proxy for identity operations |
Proxy | UseLicenseProxy | Boolean | false | Whether to use proxy for license validation |
Proxy | Username | String | -- | Proxy authentication username |
Scheduler | CompletedJobExpiry | Time | 5.00:00:00 | Time to retain completed job records (5 days) |
Scheduler | ExpirationCheckInterval | Time | 0.00:05:00 | Interval for checking job expiration (5 minutes) |
Scheduler | FailedJobExpiry | Time | 30.00:00:00 | Time to retain failed job records (30 days) |
Scheduler | PreventBackgroundProcessing | Boolean | false | Whether to disable background job processing |
Scheduler | Secret | String | SchedulerDbSecret | Key Vault secret name for scheduler database |
Scheduler | UseInMemoryDatabase | Boolean | false | Whether scheduler uses in-memory database |
Storage | AuditContainer | String | audits | Container name for audit logs |
Storage | BulkInviteContainer | String | bulkinvites | Container name for bulk invitation files |
Storage | ImageContainer | String | images | Container name for image assets |
Storage | PreventPublicContainers | Boolean | false | Whether to prevent public container access |
Timings | TimeZoneId | String | AUS Eastern Standard Time | Time zone for the application operations |
Important Notes
- Restart Required: After making any configuration changes, restart the App Service for changes to take effect
- Key Vault Integration: Many settings reference Azure Key Vault secrets for secure storage of sensitive values
- Default Values: The values shown are examples - replace with your environment-specific values
- GUIDs: Replace all GUID placeholders (00000000-0000-0000-0000-000000000000) with actual Azure resource IDs
- URLs: Update all URLs to match your specific domain and Azure resource names
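
Added example (not part of the Apporetum documentation or product): a small review script for the application settings described above, which flags a wildcard AllowedHosts, PreventPublicContainers left off, an in-memory database switched on, and connection strings that carry a credential inline instead of pointing at Key Vault. It assumes the settings are exported as the JSON printed by `az webapp config appsettings list -o json` and that names take the form Grouping__Setting or Grouping:Setting; the sample values are constructed, and the choice of what to flag is this example's own.

```python
import json

# Constructed sample in the shape printed by
# `az webapp config appsettings list -o json`; every value is made up.
SAMPLE = json.dumps([
    {"name": "General__AllowedHosts", "value": "*", "slotSetting": False},
    {"name": "Storage__PreventPublicContainers", "value": "false", "slotSetting": False},
    {"name": "Database__UseInMemoryDatabase", "value": "false", "slotSetting": False},
    {"name": "Database__ConnectionString",
     "value": "Server=example;User ID=app;Password=constructed-value",
     "slotSetting": False},
    # Holds a Key Vault secret name, as in the table above, so it is not flagged.
    {"name": "Azure__ClientSecret", "value": "ClientSecret", "slotSetting": False},
])

# Substrings that indicate a credential embedded in a connection string.
SECRET_MARKERS = ("password=", "pwd=", "accountkey=", "sharedaccesskey=")


def normalise(name):
    # Assumption: settings are named Grouping__Setting or Grouping:Setting.
    return name.replace("__", ":").lower()


def audit(settings_json):
    """Return (setting name, finding) pairs for values that deserve review."""
    findings = []
    for item in json.loads(settings_json):
        key = normalise(item["name"])
        value = (item.get("value") or "").strip()
        compact = value.lower().replace(" ", "")
        if key == "general:allowedhosts" and value == "*":
            findings.append((item["name"], "wildcard allows every host"))
        elif key == "storage:preventpubliccontainers" and compact != "true":
            findings.append((item["name"], "public containers are not prevented"))
        elif key.endswith(":useinmemorydatabase") and compact == "true":
            findings.append((item["name"], "in-memory database is for testing"))
        elif key.endswith("connectionstring") and any(
                marker in compact for marker in SECRET_MARKERS):
            findings.append((item["name"], "credential stored inline, not in Key Vault"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```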