Set up an Azure AD application

BlueXP needs permissions to set up and manage Azure NetApp Files. You can grant the required permissions to an Azure account by creating and setting up an Azure Active Directory (AD) application and by obtaining the Azure credentials that BlueXP needs.

Create the AD application

Create an Azure AD application and service principal that BlueXP can use for role-based access control.

Before you begin

You must have the right permissions in Azure to create an Active Directory application and to assign the application to a role. For details, refer to Microsoft Azure Documentation: Required permissions.

  1. From the Azure portal, open the Azure Active Directory service.

    A screenshot that shows the Active Directory service in Microsoft Azure.

  2. In the menu, click App registrations.

  3. Create the application:

    1. Click New registration.

    2. Specify details about the application:

      • Name: Enter a name for the application.

      • Account type: Select an account type (any will work with BlueXP).

      • Redirect URI: You can leave this blank.

    3. Click Register.

  4. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Azure Active Directory.

    When you create the Azure NetApp Files working environment in BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

  5. Create a client secret for the application so BlueXP can use it to authenticate with Azure AD:

    1. Click Certificates & secrets > New client secret.

    2. Provide a description of the secret and a duration.

    3. Click Add.

    4. Copy the value of the client secret.

      A screenshot of the Azure portal that shows a client secret for the Azure AD service principal.


Your AD application is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in BlueXP when you add an Azure NetApp Files working environment.

Assign the app to a role

You must bind the service principal to your Azure subscription and assign it a custom role that has the required permissions.

  1. Create a custom role in Azure.

    The following steps describe how to create the role from the Azure portal.

    1. Open the subscription and click Access control (IAM).

    2. Click Add > Add custom role.

      A screenshot that shows the steps to add a custom role in the Azure portal.

    3. In the Basics tab, enter a name and description for the role.

    4. Click JSON and click Edit which appears at the top right of the JSON format.

    5. Add the following permissions under actions:

      "actions": [
    6. Click Save, click Next, and then click Create.

  2. Now assign the application to the role that you just created:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Click Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the custom role that you created and click Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Click Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here’s an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and click Select.

      • Click Next.

    6. Click Review + assign.

      The service principal for BlueXP now has the required Azure permissions for that subscription.

Add the credentials to BlueXP

When you create the Azure NetApp Files working environment, you’re prompted to select the credentials associated with the service principal. You need to add these credentials to BlueXP before you create the working environment.

  1. In the upper right of the BlueXP console, click the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Click Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > BlueXP.

    2. Define Credentials: Enter information about the Azure Active Directory service principal that grants the required permissions:

      • Client Secret

      • Application (client) ID

      • Directory (tenant) ID

        You should have captured this information when you created the AD application.

    3. Review: Confirm the details about the new credentials and click Add.