# Create Azure Application

1. **Activate a Subscription:** Activate at least one subscription. In your Azure account, navigate to <https://portal.azure.com/#allservices> and select the Subscriptions service. If no subscriptions are available, click Add to add a new subscription.

<figure><img src="https://downloads.intercomcdn.com/i/o/198357465/f40738dcc8fdfe45ff0d0183/aks-add-subscription-wizard.png" alt=""><figcaption></figcaption></figure>

Copy the Subscription ID. This ID will be used at the time of creating an AKS cluster via gopaddle.

2\. **Register Resource Providers:** Click on the subscription created in step 1 and select **Resource Providers**. Select the following Resource Providers and register them.

<figure><img src="/files/rpmXW8204BeFcjMJMxsV" alt=""><figcaption><p>Resource Providers to be registered</p></figcaption></figure>

3\. **Add a User:** To add a new user, go to <https://portal.azure.com/#allservices>, then filter for and select Azure Active Directory. Under the **Manage** option, select **Users**. Create a New User.

4\. **Create Custom Role:** Add Owner role to the newly created user by navigating to Subscriptions under <https://portal.azure.com/#allservices>. Select the subscription. Filter for and select IAM. Under the Access Control (IAM) section, choose **+ Add** to add a custom role.

<figure><img src="https://downloads.intercomcdn.com/i/o/471030096/eb27901fdca1d8aaebea9c84/add-azure-custom-role.png" alt=""><figcaption></figcaption></figure>

In the role creation wizard, choose the JSON tab. Click Edit to edit the permissions list.

[Download Custom Role ACL Template](https://gopaddle-marketing.s3.ap-southeast-2.amazonaws.com/azure-acl-premissions.json) and replace ***\<role-name>*** with the custom role name and ***\<subscription-id>*** with the Azure subscription ID.

Update the JSON permissions list in the Azure Console with the updated permissions from the template.

<figure><img src="https://downloads.intercomcdn.com/i/o/471030052/82fc76e644cc57fc4fe804cc/add-azure-permissions.png" alt=""><figcaption></figcaption></figure>

Click on **Review + create** to create the custom role.

5\. In the Access Control (IAM) section, choose 'Add role assignments'. Select the custom role and assign it to the newly created user.

> :bulb: **Note**: The permissions for the custom role do not allow the newly created user to create or delete a Container registry. Either a root user or a different sub-user with sufficient permissions can create the Container registry. The newly created sub-user can then push or pull the Docker images from this registry.

6\. **Add Application Administrator Role**: Navigate to the users list at <https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers>. Select the user and choose Assigned Roles. Add the 'Application administrator' role to the user.

<figure><img src="https://downloads.intercomcdn.com/i/o/380374173/8d62d429cdd4bd374869dc58/Screenshot+2021-08-25+at+2.52.05+PM.png" alt=""><figcaption></figcaption></figure>

7\. **Add an Application**: Log in to the Azure portal as the new User. Go to <https://portal.azure.com/#allservices> and select Azure Active Directory. Under the Manage option, select App Registrations. Click on New Registration and add a new Application.\
Choose the account type as: **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**

<figure><img src="https://downloads.intercomcdn.com/i/o/284777957/80cfb7dadc35ee7c82a000f8/gp-azure-registerapplication.png" alt=""><figcaption></figcaption></figure>

To create an Azure cluster from a SaaS gopaddle account, provide the redirect URL as <https://portal.gopaddle.io/cloudaccounts>. To create an Azure cluster from an on-premise gopaddle installation, provide the redirect URL as \<http (or) https>://\<gopaddlehomeIP/domain>/clouds.

8\. Once the application is created, click on the Application to manage the application. Note down the Application (client) ID.

9\. **Add Client Secret:** Under the Manage option, select Certificates and Secrets. Create a New client secret. Note down the Value of the client secret. The Application (client) ID and the client secret Value generated in step 5 and 6 will be used to register a new Cloud Account Authenticator.
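
A pre-flight check for the custom role JSON from step 4, as an added example that is not part of the gopaddle documentation or its template: it fills the two placeholders and flags scopes outside the subscription, a bare `*` action, and any grant of Container registry create or delete, which the note after step 5 says the role does not allow. The sample template, role name and subscription ID are constructed, and the portal JSON-tab layout (`properties.permissions[].actions`) is an assumption about the template's shape.

```python
import json
import re
from fnmatch import fnmatchcase

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Operations the note after step 5 says the custom role must not grant.
REGISTRY_OPS = ("microsoft.containerregistry/registries/write",
                "microsoft.containerregistry/registries/delete")

# Constructed stand-in for the downloaded template (portal JSON-tab layout assumed);
# the real template's permissions list is not reproduced here.
SAMPLE_TEMPLATE = """{"properties": {
  "roleName": "<role-name>",
  "assignableScopes": ["/subscriptions/<subscription-id>"],
  "permissions": [{"actions": [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerRegistry/registries/pull/read",
      "Microsoft.ContainerRegistry/registries/push/write"],
    "notActions": []}]}}"""

def render_role(template, role_name, subscription_id):
    """Fill the two placeholders and parse the result, refusing a malformed ID."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("subscription id is not a GUID")
    # json.dumps escapes quotes/backslashes so the role name cannot break the JSON.
    text = (template.replace("<role-name>", json.dumps(role_name)[1:-1])
                    .replace("<subscription-id>", subscription_id))
    return json.loads(text)

def review_role(role, subscription_id):
    """Return findings for scopes or actions broader than the page describes."""
    props = role["properties"]
    findings = []
    root = f"/subscriptions/{subscription_id}".lower()
    for scope in props["assignableScopes"]:
        if scope.lower() != root and not scope.lower().startswith(root + "/"):
            findings.append(f"scope outside subscription: {scope}")
    for perm in props["permissions"]:
        allow = [a.lower() for a in perm.get("actions", [])]
        deny = [a.lower() for a in perm.get("notActions", [])]
        if "*" in allow:
            findings.append("wildcard '*' action")
        for op in REGISTRY_OPS:
            granted = any(fnmatchcase(op, a) for a in allow)  # Azure '*' spans '/'
            if granted and not any(fnmatchcase(op, d) for d in deny):
                findings.append(f"grants {op}")
    return findings

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
    print(review_role(render_role(SAMPLE_TEMPLATE, "gopaddle-aks", sub), sub))
```

An empty findings list means the role stays within the subscription and matches the registry restriction in the note; review any finding before pasting the JSON into the portal.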

