Authentication and Access Management Between CloudSoda and Azure Cloud Storage – Cloud Soda

Available authentication methods between CloudSoda and Azure are changing because of Microsoft's best practice of not using storage account key authentication due to security concerns. We recommend that CloudSoda customers use the following process to create an IAM user for the CloudSoda application in order to integrate securely with Azure.

Register an Application

Log into the Azure console.
Navigate to App Registration by clicking Microsoft Entra ID > Add > App registration.

Alternatively, enter "app registration" in the search bar and select App registrations.

The Register an application screen loads.
Enter an application name, select the single tenant account type (first option), and click Register. Do not enter redirect URI values.
Copy the Application (client) ID and Directory (tenant) ID for later use.

Add Authorization Credentials to the Application

CloudSoda supports two authorization credential methods - using certificates and client secrets. Both methods are detailed below.

Using a Client Secret (Option A)

In the Client credentials section, click Add a certificate or secret.
Add the client secret to Microsoft Entra ID.
1. Click Certificates & secrets > Client secrets.
2. In the Client secrets section, click New Client Secret, enter a description, select an expiration duration, and click Add.
Copy the Value and Secret ID for later use.
Click Overview and verify that the Managed Application entry lists shows the application you created.

Using a Public Certificate (Option B)

In the Client credentials section, click Add a certificate or secret.
Create a public certificate. For details, see:
- Create a Self-Signed Public Certificate to Authenticate Your Application
- Certificate Display and Signing
Add the certificate to Microsoft Entra ID.
1. Click Certificates & secrets > Certificates.
2. In the Upload certificate section, upload the certificate (public key), enter a description, and click Add.
Copy the Certificate ID for future use.
Click Overview and verify that the Managed Application entry lists shows the application you created. Once verified, go to the next procedure, Assign Permissions to the Application.

Assign Permissions to the Application

Return to the storage account screen.
Click Access Control (IAM) > Role Assignments > Add > Add Role Assignment.

The Add role assignment screen displays.
Assign read-write permissions.
1. Search for and select Storage Blob Data Reader.
2. Search for and select Storage Blob Data Contributor.
Click Members > Select Members and search for the service principal name of the application.
Select the application name and click Add.
In the Members section, verify the Object ID is listed.

Configure CloudSoda

Log into CloudSoda.
Click Agent > Accessor > Create a New Accessor.
Create and configure the Accessor.
1. Enter an Accessor Name, Account, and Scope.
2. For the Accessor Type, select Azure.
3. For the Authorization Type, select Client Certificate Credential or Client Secret Credential, depending on the authorization credential method you used.
Edit the Accessor for the authorization credentials.
1. If using a public certificate:
  1. Enter the Tenant ID, Client ID, Certificate ID and Certificate. Additionally, if using a .p12 file, enter the Password.
  2. Click Configure Accessor.
2. If using a client secret:
  1. Enter the enter the Tenant ID, Client ID, Secret ID, and Secret.
  2. Click Configure Accessor
Select the Accessor you just created.
Select the ellipsis (...) in the top right corner and click Enable.

The Accessor is now enabled.
Attach the Accessor to an Agent.
1. 1. Click Agents in the top right corner to return to the Agents list.
  2. Select the Agent. A pop-up window displays.
  3. Click Attach Storage.
  4. Select the previously-created Azure storage.
  5. Select the Accessor or method you created.
  6. Click Attach.