For Horizon Cloud Service on Microsoft Azure deployments, the service uses API calls to deploy resources into a Microsoft Azure subscription and to manage those resources. To allow Horizon Cloud to make these API calls in the Microsoft Azure subscription, you create a service principal, which is called an app registration in Microsoft Entra ID.
You create a service principal to access and use your Microsoft Azure subscription capacity for Horizon Cloud. The Microsoft Azure subscription ID, directory ID, and application ID and key are used in Horizon Cloud.
The Horizon Cloud service principal must have an assigned role in the subscription. Typically, Horizon Cloud uses the built-in Contributor role with the subscription.
The Contributor role is used because this role covers all of the API calls that Horizon Cloud must perform within the subscription. The role assignment must be a direct assignment. The use of a group-based assignment of a role, in which the role is assigned to a group and the service principal is a member in that group, is not supported.
As an alternative to the Contributor role in the subscription, Horizon Cloud supports use of a custom role. If used, the custom role needs to provide for the specific API calls that Horizon Cloud needs to use. For more information, see To Use a Custom Role for Horizon Cloud App Registration.
The permissions are as follows:
- Scope: https://graph.microsoft.com/
- Permission: Device.ReadWrite.All (Read and write devices)
- Admin Consent: Yes
The permission can be given by navigating to the following location:
The following steps provide the settings to use for your Horizon Cloud environment:
Procedure
- Configure up to four service principals and client secrets for the subscription.
- Set the expiration duration of the client secret to your preferred length, such as 24 Months.
- Save a copy of the client secret for future reference.
- Assign the appropriate role to each service principal to allow the service principal to manage resources in the subscription.
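
One way to verify the role assignment requirement after the procedure is to audit the subscription's role assignments for each service principal. The following is an added example, not code from Horizon Cloud or its documentation: it checks that a principal holds the role directly at the subscription scope and flags group-based or narrower-scope grants. The sample data is constructed in the shape of `az role assignment list --all -o json` output, every ID is a placeholder, and the `audit_sp` function and its `member_of` parameter are hypothetical names.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Every ID below is a placeholder, not a real tenant value.
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
SP_A, SP_B, GROUP = "11111111-aaaa", "22222222-bbbb", "33333333-cccc"
ASSIGNMENTS = json.loads("""[
 {"principalId": "11111111-aaaa", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa"},
 {"principalId": "33333333-cccc", "principalType": "Group",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa"},
 {"principalId": "22222222-bbbb", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa/resourceGroups/rg-test"}
]""")


def audit_sp(assignments, sp_id, sub_scope, roles=("Contributor",), member_of=()):
    """Return (ok, findings) for one service principal.

    ok is True only when the principal itself holds one of `roles`
    directly at the subscription scope. `member_of` lists the object IDs
    of groups the principal belongs to (assumed to be looked up separately).
    Pass the custom role's name in `roles` when one replaces Contributor.
    """
    want = sub_scope.rstrip("/").lower()
    ok, findings = False, []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in roles:
            continue
        scope = a["scope"].rstrip("/").lower()
        if a["principalId"] == sp_id and a["principalType"] == "ServicePrincipal":
            if scope == want:
                ok = True
            else:
                findings.append(f"direct {role} at {a['scope']}, not the subscription")
        elif (a["principalType"] == "Group" and a["principalId"] in member_of
              and scope == want):
            findings.append(f"{role} granted through group {a['principalId']}: "
                            "group-based assignment is not supported")
    if not ok and not findings:
        findings.append("no matching role assignment found")
    return ok, findings
```
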