> For the complete documentation index, see [llms.txt](https://help.gopaddle.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.gopaddle.io/overview/provision-new-cluster/register-cloud-account/azure/create-azure-application.md).

# Create Azure Application

1. **Activate a Subscription:** Activate at least one subscription by navigating to <https://portal.azure.com/#allservices> in Azure Account and Select Subscriptions service. If no subscriptions are available, click on Add to add a new subscription.

<figure><img src="https://downloads.intercomcdn.com/i/o/198357465/f40738dcc8fdfe45ff0d0183/aks-add-subscription-wizard.png" alt=""><figcaption></figcaption></figure>

Copy the Subscription ID. This ID will be used at the time of creating an AKS cluster via gopaddle.

**2. Register Resource Providers:** Click on the subscription created in step 1 and select **Resource Providers**. Select the following Resource Providers and register them.<br>

<figure><img src="/files/rpmXW8204BeFcjMJMxsV" alt=""><figcaption><p>Resource Providers to be registered</p></figcaption></figure>

3\. **Add a User:** To add a new user, go to <https://portal.azure.com/#allservices> and filter & select Azure Active Directory. Under **Manage option**, select **Users**. Create a New User.

4\. **Create Custom Role:** Add Owner role to the newly created user, by navigating to Subscriptions under <https://portal.azure.com/#allservices>. Select the subscription. Filter and select IAM. Under Access Control (IAM) Section, choose **+ Add to add a custom role**.

<figure><img src="https://downloads.intercomcdn.com/i/o/471030096/eb27901fdca1d8aaebea9c84/add-azure-custom-role.png" alt=""><figcaption></figcaption></figure>

In the role creation wizard, choose the JSON tab. Click Edit to edit the permissions list.

[Download Custom Role ACL Template](https://gopaddle-marketing.s3.ap-southeast-2.amazonaws.com/azure-acl-premissions.json) and replace ***\<role-name>*** with the custom role name and ***\<subscription-id>*** with the Azure subscription id.&#x20;

Update the JSON permissions list in the Azure Console with the updated permissions from the template.

<figure><img src="https://downloads.intercomcdn.com/i/o/471030052/82fc76e644cc57fc4fe804cc/add-azure-permissions.png" alt=""><figcaption></figcaption></figure>

Click on **Review + create** to create the custom role.

5\. Access Control (IAM) Section, 'Add role assignments'. Select the custom role and assign it to the newly created user.

> :bulb: **Note**: The permssions for the custom role does not allow the newly created user to create or delete a Container registry. Either a root user or a different sub-user with sufficient permissions, can create the Container registry. The newly created sub-user can then push or pull the Docker images from this registry.

6\. **Add Application Administrator Role**: Navigate to this users list from here <https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers>. Select the user and choose the Assigned Roles. Add 'Application administrator' role to the user.

<figure><img src="https://downloads.intercomcdn.com/i/o/380374173/8d62d429cdd4bd374869dc58/Screenshot+2021-08-25+at+2.52.05+PM.png" alt=""><figcaption></figcaption></figure>

7\. **Add an Application**: Login to the Azure portal as the new User. Go to <https://portal.azure.com/#allservices> and select Azure Active Directory. Under Manage option, select App Registrations. Click on New Registration and add a new Application.\
Choose the account type as : **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**<br>

<figure><img src="https://downloads.intercomcdn.com/i/o/284777957/80cfb7dadc35ee7c82a000f8/gp-azure-registerapplication.png" alt=""><figcaption></figcaption></figure>

To create Azure Cluster from a SaaS gopaddle account, provide the redirect URL as <https://portal.gopaddle.io/cloudaccounts> . To create Azure Cluster from an on-premise gopaddle installation, provider the redirect URL as \<http (or) https>://\<gopaddlehomeIP/domain>/clouds.\
\
8\. Once the application is created, click on the Application to manage the application. Note down the Application (client) ID.

9\. **Add Client Secret** : Under Manage option, select Certificates and Secrets. Create a New client secret. Note down the Value of the client secret. The Application (client) ID and the client secret Value generated in step 5 and 6 will be used to register a new Cloud Account Authenticator.
