For Horizon Cloud Service on Microsoft Azure deployments, the service uses API calls to deploy resources into a Microsoft Azure subscription and to manage those resources. To provide the ability for Horizon Cloud to use its API calls in the Microsoft Azure subscription, you create a service principal, which is called an app registration in Microsoft Entra ID.

Create a maximum of four unique service principals for a provider. To support a total of 5,000 VMs, add four service principals. When you have multiple service principals, they share the Subscription ID and directory ID, but each service principal has its own application ID.
Important: Use the same role for each service principal.

You create a service principal to access and use your Microsoft Azure subscription capacity for Horizon Cloud. The Microsoft Azure subscription ID, directory ID, and application ID and key are used in Horizon Cloud.

Note: Perform the tasks in this section in the Microsoft Azure portal. You can find the configuration details in the Microsoft documentation, Use the portal to create an Azure AD application and service principal that can access resources. While Microsoft recomments using a certificate based authentication for the service principal, VMware requires key/secret based authentication for the service principal.

The Horizon Cloud service principal must have an assigned role in the subscription. Typically, Horizon Cloud uses the built-in Contributor role with the subscription.

The Contributor role is used because this role covers all of the API calls that Horizon Cloud must perform within the subscription. The role assignment must be a direct assignment. The use of a group-based assignment of a role, in which the role is assigned to a group and the service principal is a member in that group, is not supported.

If your organization prefers to avoid the use of the Contributor role in the subscription, Horizon Cloud supports use of a custom role instead. If used, the custom role needs to provide for the specific API calls that Horizon Cloud needs to use. For more information, see To Use a Custom Role for Horizon Cloud App Registration.
Note: When deleting a Microsoft Entra ID joined Pool or a VM, the service principal should have permissions to delete the device entry from Microsoft Entra ID.

The permissions are of the following:


Permission : Device.ReadWrite.All Read and write devices

Admin Consent : Yes

The permission can be given by navigating to the following location :

Subscription > Azure Active Directory > App Registrations > Select the App that permission needs to be given > API Permission > Select Microsoft GRAPH > Select Device.ReadWriteAll

The following steps provide the settings to use for your Horizon Cloud environment:


  • Configure up to four service principals and client secrets for the subscription.
    1. Set the expiration duration of the client secret to your preferred length, such as 24 Months.
    2. Save a copy of the client secret for future reference.
    3. Assign the appropriate role to each service principal to allow the service principal to manage resources in the subscription.

What to do next

Register the required resource providers. See Confirm That the Required Resource Providers Are Registered in Your Microsoft Azure Subscription.