Horizon Cloud needs a service principal to access and use your Microsoft Azure subscription's capacity. When you register a Microsoft Azure AD application, the service principal is also created. Additionally, you must generate an authentication key and assign the Contributor role to the service principal at the subscription level.

About this task

You perform these steps in the Microsoft Azure portal appropriate for your registered account. If you registered with Microsoft Azure Germany or Microsoft Azure China, log in to the portal using the appropriate URL.

Note:

When performing these steps, you can collect some of the values that you will need for the deployment wizard, as described in Introduction to a VMware Horizon Cloud Service on Microsoft Azure Environment, specifically:

  • Application ID

  • Authentication key

Caution:

Even though you can set the key's expiration duration to a specific timeframe, if you do that, you must remember to refresh the key before it expires or the associated Horizon Cloud node will stop working. Horizon Cloud cannot detect or know what duration you set. For smooth operations, set the key's duration to Never expires.

If you prefer not to set Never expires and prefer instead to refresh the key before it expires, you must remember to log in to the Horizon Cloud Administration Console and enter the new key value in the associated node's subscription information. For detailed steps, see Update the Subscription Information Associated with Deployed Nodes in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

Procedure

  1. From the Microsoft Azure portal's left navigation bar, click Azure Active Directory, then click App registrations.


    In the Azure portal, showing the App Registrations menu item with a green arrow pointing to it.


    The App registrations screen appears.

    App Registrations screen in Azure portal before creating the new app registration.


  2. Click New application registration.
  3. Type a descriptive name, select Web app / API for the Application Type, type http://localhost:8000 for the Sign-on URL, and click Create.


    Create App Registration screen with values for Hzn-Cloud-Principal


    Option: Description

    Name: The name is up to you. The name is a way to differentiate this service principal used by Horizon Cloud from any other service principals that might exist in this same subscription.

    Application type: Ensure Web app / API is selected (the default value).

    Sign-on URL: Type http://localhost:8000 as shown. Microsoft Azure marks this as a required field. Because Horizon Cloud does not need a sign-on URL for the service principal, http://localhost:8000 is used to satisfy the Microsoft Azure requirement.

    Now the newly created item is displayed on screen.

    Newly created Hzn-Cloud-Principal app registration showing in the App registrations screen


  4. Click the service principal's icon to collect its application ID from its details.


    Screen of the service principal's details with an arrow pointing to the Application ID


    Copy the application ID to a location where you can retrieve it later when you run the deployment wizard.

  5. From the service principal's details screen, create the service principal's authentication key.
    1. If the Settings menu is not visible, open it by clicking Settings.


      Settings menu for the service principal in the Azure portal


    2. Click Keys.
    3. Type a key description, select an expiration duration, and click Save.

      The key description must be 16 characters or less, for example Hzn-Cloud-Key1.

      Note:

      You can set the expiration duration to Never expires or to a specific timeframe. However, if you set a specific duration, you must remember to refresh the key before it expires and enter the new key into the node's subscription information in the Horizon Cloud Administration Console. Otherwise, the associated node will stop working. Horizon Cloud cannot detect or know what duration you set.



      Keys screen showing new key being added with never expires duration.


      Important:

      Keep the Keys screen open until you copy the key value and paste the value into a location where you can retrieve it later. Do not close the screen until you have copied the key value.



      Authentication key displayed in Keys screen with warning and value pixelated out


    4. Copy the key value to a location where you can retrieve it later when you run the deployment wizard.
  6. Assign the Contributor role to the service principal at the subscription level.
    1. Navigate to your subscription's settings screen by clicking Subscriptions in the Microsoft Azure portal's main navigation bar and then clicking the name of the subscription that you will use with the node.
      Note:

      At this point, from the screen, you can copy the subscription ID, which you will need later in the deployment wizard.



      Subscription details in the Azure portal with IDs pixelated out and a green arrow pointing to the ID


    2. Click Access control (IAM) and then click Add to open the Add permissions screen.


      Azure portal's Access Control (IAM) screen with a green arrow pointing to the Add button


    3. In the Add permissions screen, select Contributor for Role and then use the Select box to search for your service principal by the name you gave it.


      Azure portal's Add permissions screen with Owner role selected and searching for the Hzn service principal


      Note:

      Make sure the Assign access to drop-down list is set to Azure AD user, group, or application.

    4. Click your service principal to make it a selected member and then click Save.


      In the Add permissions screen, the service principal added as a selected member of Owner role


  7. Verify that your subscription has the registered resource providers that the node requires.
    1. From the Access control (IAM) screen you are on from the previous step, navigate to the subscription's list of resource providers by clicking Resource providers in the subscription's menu.


      Subscription menu showing the Resource providers item and a green arrow pointing to it


    2. Verify that the following resource providers have Registered status, and if not, register them.
      • Microsoft.Compute

      • microsoft.insights

      • Microsoft.Network

      • Microsoft.Storage



      Resource providers screen with a green arrow pointing to one that is unregistered
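The checks from steps 5 through 7 can also be run against exported JSON instead of being read off the portal screens. The following is an added example, not VMware's or Microsoft's code: it reports which of the four required resource providers are not Registered, confirms that Contributor is assigned at the subscription scope rather than a narrower one, and lists keys that are due for a refresh. The field names (namespace, registrationState, roleDefinitionName, scope, displayName, endDateTime) are assumed to match the JSON output of `az provider list`, `az role assignment list` and `az ad app credential list`; the subscription ID and all sample records are constructed placeholders.

```python
from datetime import datetime, timezone

# Resource providers the procedure requires for the node.
REQUIRED_PROVIDERS = ("Microsoft.Compute", "microsoft.insights",
                      "Microsoft.Network", "Microsoft.Storage")

def unregistered_providers(providers):
    """Return the required namespaces that are not in Registered state."""
    # Namespaces are compared case-insensitively (note "microsoft.insights").
    state = {p["namespace"].lower(): p["registrationState"] for p in providers}
    return [ns for ns in REQUIRED_PROVIDERS
            if state.get(ns.lower()) != "Registered"]

def has_subscription_contributor(assignments, subscription_id):
    """True only if Contributor is assigned at the subscription scope itself."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    return any(a["roleDefinitionName"] == "Contributor"
               and a["scope"].rstrip("/").lower() == wanted
               for a in assignments)

def keys_needing_refresh(credentials, now, warn_days=30):
    """Return (description, days_left) for keys expiring within warn_days."""
    due = []
    for c in credentials:
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            due.append((c["displayName"], days_left))
    return due

# Constructed sample input (placeholder IDs), not real tenant data.
SUB = "00000000-0000-0000-0000-000000000000"
PROVIDERS = [
    {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
    {"namespace": "microsoft.insights", "registrationState": "NotRegistered"},
    {"namespace": "Microsoft.Network", "registrationState": "Registered"},
    {"namespace": "Microsoft.Storage", "registrationState": "Registered"},
]
ASSIGNMENTS = [  # Contributor on a resource group only: does not satisfy step 6
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-example"},
]
CREDENTIALS = [{"displayName": "Hzn-Cloud-Key1",
                "endDateTime": "2030-01-15T00:00:00Z"}]
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("providers to register:", unregistered_providers(PROVIDERS))
    print("subscription Contributor:", has_subscription_contributor(ASSIGNMENTS, SUB))
    print("keys to refresh:", keys_needing_refresh(CREDENTIALS, NOW))
```

If you set a specific key duration, running the expiry check on a schedule gives advance notice to enter the new key in the node's subscription information before the old one lapses.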


Results

At this point, you've created and configured the service principal for the node, and you have three of the subscription-related values you need in the first step of the node deployment wizard. You also need the Azure Active Directory ID. Obtain that ID in the Microsoft Azure portal by clicking Azure Active Directory > Properties (under Manage).

The four subscription-related values are:

  • Subscription ID

  • Azure Active Directory ID

  • Application ID

  • Application key value

What to do next

Verify that you have collected all of the subscription-related information you will enter in the deployment wizard. See Subscription-Related Information for the Deployment Wizard.