Deploy Arcade on Azure
Arcade is available on the Azure Marketplace as a managed application. You deploy it into your own Azure subscription, and Arcade operates it for you across . Your data and the services that run Arcade stay in your subscription; Arcade handles upgrades and day-to-day operations.
The Azure Marketplace deployment is a full platform deployment — it stands up the complete Arcade platform in your cloud. If you’d rather manage the platform yourself on an existing Kubernetes cluster, see Self-host with Helm.
Outcomes
A production Arcade platform running in your own Azure subscription, deployed from the Azure Marketplace and operated by Arcade.
You will Learn
- What the managed application deploys into your subscription
- How to set up your identity provider
- How to deploy the offer and verify it
Prerequisites
- An Azure subscription with the Owner role
- A Microsoft Entra tenant (personal Microsoft aren’t supported)
- An OIDC identity provider
What gets deployed
The managed application provisions everything Arcade needs inside a managed resource group in your subscription:
| Azure service | Role |
|---|---|
| Azure Kubernetes Service (AKS) | Private cluster that runs the Arcade services (Engine, Coordinator, Worker, Dashboard, Experience API) |
| Azure Key Vault | Stores database, cache, identity-provider, and encryption secrets |
| Azure Database for PostgreSQL Flexible Server | Primary datastore |
| Azure Managed Redis | Cache and streams |
| Virtual network + private endpoints | Private networking with NAT-gateway egress |
| Log Analytics, Container Insights, Microsoft Defender | Monitoring and security |
Before you begin
- Subscription and role. Deploy into a subscription where you hold the Owner role, with the spending limit turned off.
- Microsoft Entra . The deployment federates sign-in to your Entra tenant. Personal Microsoft aren’t supported.
- Region and quota. Confirm the offer is available in your target region and that the subscription has enough vCPU quota to run an AKS cluster. If you’re unsure, contact us.
- DNS. You can bring your own custom domain or use an Arcade-managed hostname assigned at deploy time.
- Identity provider. Have an OIDC identity provider ready — see the next section.
Set up your identity provider
Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so you set it up before you deploy.
- Register an application with your identity provider. Arcade works with Microsoft Entra ID, Okta, Auth0, or Keycloak, or any standards-compliant OIDC provider.
- Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer
https://login.microsoftonline.com/<tenant-id>/v2.0. - Provide the client ID, client secret, and issuer in the create form.
- After the deployment finishes, register the redirect URI from the deployment output — typically
https://coordinator.<your-hostname>/signin/oidc/callback— as a redirect (reply) URI on the application, then sign in to the dashboard.
AADSTS500113: No reply address is registered for the application, the redirect URI has not been added to your identity provider application yet. Add it and try again.Deploy from the Azure Marketplace
Find the Arcade offer
Open the Arcade offering in the Azure Marketplace and select Get it now. Choose the standard plan for a production, single- deployment.
Complete the create form
Fill in the deployment form:
- Region and resource group for the deployment
- Your identity provider’s client ID, client secret, and issuer from the previous section
- Optionally, a model provider (for example, Anthropic) to enable chat in the dashboard
Deploy
Start the deployment. It takes roughly 30–45 minutes to provision the cluster and supporting services. When it finishes, the deployment outputs your hostname, dashboard URL, and redirect URI.
Register the redirect URI
Add the redirect URI from the deployment output to your identity provider application, as described in Set up your identity provider.
Verify your deployment
Open the dashboard URL from the deployment output and sign in with your identity provider. A successful sign-in confirms the platform is running and your identity provider is wired up correctly.
Next steps
- Create an MCP Gateway to scope and auth for each client
- Connect an MCP client to a gateway URL
- Set up a User Source to authenticate end with your own identity provider