Configure Azure Active Directory for Azure Storage Account Authentication

JetStream DR for AVS can be configured to use Azure Active Directory (AAD) for enhanced authentication with Azure storage accounts. This requires JetStream DR to be registered in AAD as an application. The AAD Application ID and Secret Key are used to access the storage account instead of an Access Key. Once JetStream DR has been registered in Azure AAD, the Azure storage account will be configured to grant JetStream DR virtual appliances access to the Blob storage with the required role.

The following items are required to configure JetStream DR for Azure Active Directory authentication:

• Azure Active Directory Tenant ID (Identifies the AAD Directory to use for authentication)
• Application ID (Uniquely identifies the JetStream DR application)
• Application Secret Value (Authenticates JetStream DR to AAD)

IMPORTANT: The Application ID and Application Secret Key values should be unique for each site accessing the Azure storage account.

The following steps describe how to configure Azure to create the above mentioned information.
The steps illustrate setup for one site only. Actual configuration requires repeating the steps for each site requiring access to the Azure storage account (e.g., primary site and recovery site).

Register JetStream DR as an Azure Application

1. Sign into the Azure portal.
2. Search for and select App registrations.

3. Under Manage, select App registrations > New registration.

4. Enter the JetStream DR MSA name as the display Name for your application. The display name will be used later to assign the application a role for the Azure Storage Account.
5. Specify who can use the application. Select Accounts in this organizational directory only.
6. Click Register to complete the initial app registration.

7. When registration finishes, the Azure portal displays the app registration’s Overview pane. Record the Application (client) ID. This uniquely identifies the JetStream DR application, and the information will be used later to configure JetStream DR.

Create a Client Secret for the Registered Application

1. Under Manage, select Certificates & secrets > Client secrets > New client secret.

2. Add a description for the client secret, then click Add.

• Select an expiration for the secret or specify a custom lifetime.
  • Client secret lifetime is limited to two years (24 months) or less. You cannot specify a custom lifetime longer than 24 months.
  • Microsoft recommends setting an expiration value of less than 12 months.

3. Record the client secret value to use in the client application code.

• Important: The secret value will never be displayed again after you leave the page.
•  This information will be used later to configure JetStream DR.

NOTE: Perform all the above steps for each site accessing Azure Blob Storage.

Configure an Azure Storage Account

1. Go to the storage account.
2. Click Access control (IAM).
3. Click the Role assignments tab.
4. Add a new role assignment.

5. On the role tab, select Storage Blob Data Contributor.
6. Click Next.

7. On the Members tab, assign access to: User, group, or service principal.
8. Click +Select members.
9. Begin typing in the Select box to search the directory for the registered application’s display name (configured previously).
10. Click Select to add the application to the members list.

11. Review the role assignment for the member.
12. Click Review + assign.