Link Azure Subscription Using App Credentials

Azure subscriptions can be linked to Nerdio Manager using the context of the currently signed in user or by using preconfigured client app registration with proper access to the subscription that is being linked. This outlines the prerequisites for linking an Azure subscription using the client app credentials method.

Before you can begin the linking process, you must have completed all the following prerequisites:

• Performed the app registration (service principal) in the Entra ID tenant that contains the subscription that is being linked.

  • Obtained the Client App ID.

  • Obtained the Client App Secret.

• Granted the following minimum permissions to the service principal:

  • Reader on Azure subscription.

  • Backup reader on Azure subscription.

  • Contributor on virtual network(s) where host VMs are to be created.

  • Contributor on resource group(s) where host VMs are to be created.

• Obtained the Entra ID Tenant ID.

• Obtained the Azure Subscription ID.

To link an Azure subscription using Client App:

1. Sign in the Entra ID portal as Subscription Owner into the Azure tenant that contains the subscription that is being linked.

   Note: In some environments, you may need Application Administrator or Global Administrator permissions to register a new application.

2. Navigate to App registrations.

3. Select + New registration.

4. Enter the following information:

   • Name: Type the user-facing display name for the application.

   • Supported Account Types: Select Accounts in this organizational directory only.

   • Redirect URI: No Redirect URI is needed.

5. Once you have entered the desired information, select Register.

6. Copy the Application (client) ID to be used for linking in Nerdio Manager.

7. From the menu, select Certificates & secrets.

8. Select + New client secret.

9. Enter the following information:

   • Description: Type the description.

   • Expires: Set the expiration time.

     Note: It is recommended that the expiration time be greater than 1 year.

10. Once you have entered the desired information, select Add.

11. Copy the Value of the Client App Secret to be used for linking in Nerdio Manager.

12. In the Azure portal, navigate to Subscriptions > Your subscription > Access control (IAM).

13. Select + Add > Add role assignment.

14. Assign both Reader and Backup Reader roles to the App Registration created above.

15. For each resource group being linked to Nerdio Manager, navigate to Resource groups > Your resource group > Access control (IAM).

16. Select Add > Add role assignment.

17. Assign the Contributor role to the App Registration created above.

18. For each virtual network being linked to Nerdio Manager, navigate to Virtual networks > Your virtual network > Access control (IAM).

19. Select Add > Add role assignment.

20. Assign the Contributor role to the App Registration created above.

21. Navigate to Microsoft Entra ID and make a note of the Tenant ID.

22. Navigate to Subscriptions > Your Subscription and make a note of the Subscription ID.

    Note: You are now ready to link this Azure subscription in Nerdio Manager. See Link Multiple Azure Sovereign Clouds for details.