Set up an Azure AD application

Contributors netapp-bcammett

Cloud Manager needs permissions to set up and manage Azure NetApp Files. You can grant the required permissions to an Azure account by creating and setting up an Azure Active Directory (AD) application and by obtaining the Azure credentials that Cloud Manager needs.

Create the AD application

Create an Azure AD application and service principal that Cloud Manager can use for role-based access control.

Before you begin

You must have the right permissions in Azure to create an Active Directory application and to assign the application to a role. For details, refer to Microsoft Azure Documentation: Required permissions.

Steps

  1. From the Azure portal, open the Azure Active Directory service.

    A screenshot that shows the Active Directory service in Microsoft Azure.

  2. In the menu, click App registrations.

  3. Create the application:

    1. Click New registration.

    2. Specify details about the application:

      • Name: Enter a name for the application.

      • Account type: Select an account type (any will work with Cloud Manager).

      • Redirect URI: You can leave this blank.

    3. Click Register.

  4. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Azure Active Directory.

    When you create the Azure NetApp Files working environment in Cloud Manager, you need to provide the application (client) ID and the directory (tenant) ID for the application. Cloud Manager uses the IDs to programmatically sign in.

  5. Create a client secret for the application so Cloud Manager can use it to authenticate with Azure AD:

    1. Click Certificates & secrets > New client secret.

    2. Provide a description of the secret and a duration.

    3. Click Add.

    4. Copy the value of the client secret.

      A screenshot of the Azure portal that shows a client secret for the Azure AD service principal.

Result

Your AD application is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in Cloud Manager when you add an Azure NetApp Files working environment.

Assign the app to a role

You must bind the service principal to your Azure subscription and assign it a custom role that has the required permissions.

Steps

  1. Create a custom role in Azure.

    The following steps describe how to create the role from the Azure portal.

    1. Open the subscription and click Access control (IAM).

    2. Click Add > Add custom role.

      A screenshot that shows the steps to add a custom role in the Azure portal.

    3. In the Basics tab, enter a name and description for the role.

    4. Click JSON and click Edit which appears at the top right of the JSON format.

    5. Add the following permission under actions:

      "actions": [
    "Microsoft.NetApp/*",
    ],

    6. Click Save, click Next, and then click Create.

  2. Now assign the application to the role that you just created:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Click Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the custom role that you created and click Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Click Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here’s an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and click Select.

      • Click Next.

    6. Click Review + assign.

      The service principal for Cloud Manager now has the required Azure permissions for that subscription.