Skip to main content
Azure NetApp Files

Set up a Microsoft Entra application

Contributors netapp-ahibbard
PDFs

The NetApp Console needs permissions to set up and manage Azure NetApp Files. You can grant the required permissions to an Azure account by creating and setting up a Microsoft Entra application and by obtaining the Azure credentials that the Console needs.

Step 1: Create the application

Create a Microsoft Entra application and service principal that the Console can use for role-based access control.

Before you begin

You must have the right permissions in Azure to create an Active Directory application and to assign the application to a role. For details, refer to Microsoft Azure Documentation: Required permissions.

Steps

  1. From the Azure portal, open the Microsoft Entra ID service.

    A screenshot that shows the Active Directory service in Microsoft Azure.

  2. In the menu, select App registrations.

  3. Create the application:

    1. Select New registration.

    2. Specify details about the application:

      • Name: Enter a name for the application.

      • Account type: Select an account type (any will work with the Console).

      • Redirect URI: You can leave this blank.

    3. Select Register.

  4. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Microsoft Entra ID.

    When you create the Azure NetApp Files system in the Console, you need to provide the application (client) ID and the directory (tenant) ID for the application. The Console uses the IDs to programmatically sign in.

  5. Create a client secret for the application so the Console can use it to authenticate with Microsoft Entra ID:

    1. Select Certificates & secrets > New client secret.

    2. Provide a description of the secret and a duration.

    3. Select Add.

    4. Copy the value of the client secret.

      A screenshot of the Azure portal that shows a client secret for the Microsoft Entra service principal.

Result

Your AD application is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in the Console when you add an Azure NetApp Files system.

Step 2: Assign the app to a role

You must bind the service principal to your Azure subscription and assign it a custom role that has the required permissions.

Steps

  1. Create a custom role in Azure.

    The following steps describe how to create the role from the Azure portal.

    1. Open the subscription and select Access control (IAM).

    2. Select Add > Add custom role.

      A screenshot that shows the steps to add a custom role in the Azure portal.

    3. In the Basics tab, enter a name and description for the role.

    4. Select JSON then Edit which appears at the top right of the JSON format.

    5. Add the following permissions under actions:

      "actions": [
    "Microsoft.NetApp/*",
    "Microsoft.Resources/resources/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Insights/Metrics/Read"
    ],

    6. Select Save > Next then Create.

  2. Assign the application to the role that you just created:

    1. From the Azure portal, open Subscriptions.

    2. Select the subscription.

    3. Select Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the custom role that you created then Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Select Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here's an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application then Select.

      • Select Next.

    6. Select Review + assign.

      The service principal for the Console now has the required Azure permissions for that subscription.

Step 3: Add the credentials to the Console

When you create the Azure NetApp Files system, you're prompted to select the credentials associated with the service principal. You need to add these credentials to the Console before you create the system.

Steps

  1. In the left navigation of the Console, select Administration > Credentials.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > NetApp Console.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Client Secret

      • Application (client) ID

      • Directory (tenant) ID

        You should have captured this information when you created the AD application.

    3. Review: Confirm the details about the new credentials then select Add.