Consumer-managed application setup guide
  • 18 Jul 2024

Article summary

This article describes how to configure Bobsled to grant access to data transfers delivered to Azure Blob Storage. The data is delivered to the Bobsled-managed destination, and access is authorized for the Azure application(s) you configure in that destination.


Prerequisites

  • Before configuring a destination, a share must be created.

  • Using the Consumer-managed application access method requires an Azure application registered as a multi-tenant application. You (the consumer) either create a new one or reuse an existing one; in both cases you own the application and its credentials.

NOTE:
Registering an application in your Microsoft Entra ID tenant and assigning it a role on your subscription both require sufficient permissions. To check whether you can register an application, navigate to Microsoft Entra ID > Users > User settings and look at the app registration setting ("Users can register applications"):

  • If it is set to "Yes", any user in the tenant can register an app.

  • If it is set to "No", only a user holding an administrator role can register an application.

Assigning a role on a subscription or container additionally requires the Owner or User Access Administrator role on that scope. If you lack either permission, ask an administrator to grant you access or to create the app and assignments for you. For more information, visit Check Azure AD Permissions ↗


Setup instructions

Step 1: Create an Azure application

There are two main ways to create an Azure application; you may use:

  • Azure Portal

  • Azure CLI (Command line)

TIP:
If you do not have the Azure CLI installed, or are unsure whether you do, visit Installing AzCopy & Azure CLI

Option 1: Using the Azure Portal

  1. Log in to the Azure Portal

  2. If you have access to multiple tenants, open the account menu in the top right, click "Switch tenant" and choose the tenant in which your target storage container resides.

  3. In the Search bar type Microsoft Entra ID

  4. Under Manage, select App registrations and then "New registration".

  5. Enter the name of the app, select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" and click Register. There is no need for a redirect URI.



    The application can be found under "App registrations" in Microsoft Entra ID. Click on it and copy down the Application (client) ID. You will use it to configure access to the data in Bobsled.


  6. Under Manage navigate to Certificates & Secrets to create a client secret:

    1. Select "New client secret"

    2. Add a description for the secret. This is a label only and can be anything you want, for example "Bobsled consumer access".

    3. Set the expiration date of the client secret. Azure recommends 6 months; the portal allows up to 24 months. Once the expiry date passes the secret stops working and transfers that rely on it fail, so create and roll over to a new secret before that date.

    4. Click "Add" to create the client secret.


  7. Copy the client secret's "Value" immediately: it is displayed only once, right after creation. Store it in a safe place of your choice, for example in Azure Key Vault.


  8. Assign the app permissions to your subscription. The subscription you use should be associated with your desired storage account and target destination container.

    1. In the Portal search bar, type in "Subscriptions"

    2. Select the name of your subscription and click Access control

    3. Click the "+ Add" button in the upper left hand corner of the screen. Select "Add role assignment".



    4. Follow the role assignment dialog. Search for the role Storage Queue Data Reader and assign it to your application.

  9. Assign the app permissions to your target destination container.

    1. In the Portal search bar, type in "Storage Accounts"

    2. Select the name of your Storage Account. Click Containers and select your target container name. You may also create a new one.

    3. Click on Access control and select the "+ Add" button in the top left hand corner. Select "Add role assignment".

    4. Search for the role Storage Blob Data Contributor and assign it to your application.


Option 2: Using Azure CLI

To create a multi-tenant application on the CLI, you need the Azure CLI installed locally, or you can run the following commands in Azure Cloud Shell.

  1. Log into the Azure CLI with the Tenant ID in which your target storage container resides by running the following command.

    az login --tenant <tenantID>
    • The output lists the subscriptions you can access in that tenant. Copy the value of the "id" field of the subscription that holds your storage account; this is the subscription id you will use below.


  2. Create the application with the role "Storage Queue Data Reader" scoped to your subscription. This single command creates the app registration, its service principal and a client secret, and prints them once:

    az ad sp create-for-rbac -n <app name> --role "Storage Queue Data Reader" --scopes "/subscriptions/<subscriptionID>"

    • <app name>: The name of your application

    • <subscriptionID>: The id of your subscription (copied from the previous step)

    • Storage Queue Data Reader role: Read and list Azure Storage queues and queue messages


  3. Copy down the "appId", "password" and "tenant" values from the output. You will use appId (the Application ID) and tenant (the Tenant ID) to configure access to the data in Bobsled. The password is the client secret and is not shown again; store it in a safe place of your choice, for example in Azure Key Vault.

  4. Make the app Multi-Tenant. Note that there is no output from this command.

    az ad app update --id <App ID> --sign-in-audience AzureADMultipleOrgs

  5. Assign permissions to your target container:

    • Optionally, if you would like to create a new container, run the following command; you should expect an output of "created": true

      az storage container create -n <container name> --account-name <storage account name> --auth-mode login

    • Assign the Storage Blob Data Contributor role to your application, scoped to the target container only (not the whole storage account or subscription):

      az role assignment create --assignee <appID> --role "Storage Blob Data Contributor" --scope "/subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>/blobServices/default/containers/<container name>"

    • What you will need:

      • <appID>: The appId of your application (copied in step 3 in this section)

      • <subscriptionID>: The id of your subscription (copied in step 1 in this section)

      • <resource group name>: The name of the resource group that the storage account resides in

      • <storage account name>: The name of the storage account that the container resides in

      • <container name>: The name of the container

        • If you don’t know the resource group name, run:

          az storage account show --name <storage account name>
          

          Copy down the "id" field and append '/blobServices/default/containers/<container name>' to the end of it to create the scope.

      • Storage Blob Data Contributor role: Read, write, and delete Azure Storage containers and blobs
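The whole of Option 2 as one script, plus the two checks a reviewer would ask for before the Application ID is handed to Bobsled: that the service principal really holds exactly the two roles, and that the client secret it was issued actually works. This is an added example, not Bobsled's or Microsoft's own tooling. It assumes the target values come from the environment variables at the top (any value left as one of the article's <placeholders> makes the script refuse to run), that `az` is on PATH, that an optional Key Vault name may be given in KEY_VAULT, and that the Azure-side commands only execute when the script is invoked as `./setup.sh run`; none of those conventions come from the article.

```shell
#!/usr/bin/env bash
# Added example: Option 2 (Azure CLI) end to end, with verification.
# Assumptions (not from the article): inputs via environment variables, "az" on PATH,
# optional KEY_VAULT for the secret, and "run" as the argument that triggers Azure calls.
set -eu

TENANT_ID="${TENANT_ID:-<tenantID>}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscriptionID>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-<resource group name>}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-<storage account name>}"
CONTAINER="${CONTAINER:-<container name>}"
APP_NAME="${APP_NAME:-<app name>}"
KEY_VAULT="${KEY_VAULT:-}"   # optional: Key Vault in which to store the client secret

# ARM resource ID of the container: the --scope of the Storage Blob Data Contributor assignment.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Returns 1 if any argument still looks like an unfilled <placeholder>.
check_filled() {
  for v in "$@"; do
    case "$v" in *'<'*'>'*) return 1 ;; esac
  done
  return 0
}

run() {
  check_filled "$TENANT_ID" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER" "$APP_NAME" \
    || { echo "fill in every <placeholder> before running" >&2; exit 1; }

  az login --tenant "$TENANT_ID" --output none
  az account set --subscription "$SUBSCRIPTION_ID"

  # Step 2: app registration + service principal + secret, Storage Queue Data Reader at subscription scope.
  # The password is printed once only, so capture appId, password and tenant in the same call.
  creds=$(az ad sp create-for-rbac --name "$APP_NAME" \
            --role "Storage Queue Data Reader" \
            --scopes "/subscriptions/$SUBSCRIPTION_ID" \
            --query '[appId,password,tenant]' --output tsv)
  app_id=$(printf '%s\n' "$creds" | cut -f1)
  client_secret=$(printf '%s\n' "$creds" | cut -f2)

  # Step 3: keep the secret somewhere safe rather than in a terminal scrollback.
  if [ -n "$KEY_VAULT" ]; then
    az keyvault secret set --vault-name "$KEY_VAULT" --name bobsled-consumer-app-secret \
      --value "$client_secret" --output none
  fi

  # Step 4: multi-tenant, otherwise a tenant other than yours cannot use the app.
  az ad app update --id "$app_id" --sign-in-audience AzureADMultipleOrgs

  # Step 5: container (created if missing) and Storage Blob Data Contributor scoped to it only.
  az storage container create --name "$CONTAINER" --account-name "$STORAGE_ACCOUNT" \
    --auth-mode login --output none
  scope=$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")
  # A brand-new service principal can take a little while to replicate; retry the assignment.
  n=0
  until az role assignment create --assignee "$app_id" --role "Storage Blob Data Contributor" \
          --scope "$scope" --output none; do
    n=$((n + 1)); [ "$n" -lt 6 ] || exit 1; sleep 10
  done

  # Verification: list what the principal may do, then sign in as the app with its own
  # secret and touch the container. Note that this switches the CLI session to the app.
  az role assignment list --assignee "$app_id" --all \
    --query '[].{role:roleDefinitionName, scope:scope}' --output table
  az login --service-principal --username "$app_id" --password "$client_secret" \
    --tenant "$TENANT_ID" --output none
  az storage blob list --container-name "$CONTAINER" --account-name "$STORAGE_ACCOUNT" \
    --auth-mode login --output none

  echo "Application ID for Bobsled: $app_id"
  echo "Tenant ID for Bobsled:      $(printf '%s\n' "$creds" | cut -f3)"
}

if [ "${1:-}" = "run" ]; then run; fi
```

Run it as `TENANT_ID=… SUBSCRIPTION_ID=… RESOURCE_GROUP=… STORAGE_ACCOUNT=… CONTAINER=… APP_NAME=… ./setup.sh run`. The role listing at the end should show exactly two rows: Storage Queue Data Reader on the subscription and Storage Blob Data Contributor on the container; anything broader means an assignment was made at the wrong scope. The final `az login --service-principal` is the only step that proves the secret you are about to store is the one Azure accepts.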


Step 2: Configure destination in Bobsled

  1. On the share page, click the Pick Destination box.

  2. Choose "Azure Blob Storage", select your region and press "Continue".

  3. Choose the access method(s) to configure; in this case, switch to the Consumer-managed application tab. For the Bobsled-managed application, see its own setup guide.


  4. Enter a human-readable label for your application. This is optional; if no label is entered, the Application ID is shown as the label.

  5. Enter the Application ID of your app.

  6. Enter the Tenant ID where the app was created. This is optional.

  7. Click Grant Access.

    • To edit the label or tenant ID, click the ellipsis in the row and select "edit".

  8. Click Finish. You have now set up your destination.

TIP:

If you did not record the necessary values while creating the Azure application, or you are setting up a destination in Bobsled for an existing consumer-managed application, you can find them in the Azure portal:

  • For the Application ID, navigate to Microsoft Entra ID > App registrations and click on the app name;

  • For the Tenant ID, navigate to Microsoft Entra ID > Overview.

After setting up the destination in a Share, and picking a source, you can get started and create a data transfer to share data with your consumers.


Revoking access

To revoke the application's access in Bobsled, click the more (ellipsis) button in the row and select "revoke". This removes the grant on the Bobsled side only: the app registration, its client secret and the role assignments you created in your own subscription stay in place until you remove them in Azure.
