As described in Manage Environment Ops Authing, the AutoMQ operational platform requires read and write access to the Ops Bucket in your Azure environment. This access enables system stability monitoring, self-healing, subscription license updates, and version upgrades for your BYOC environment.
In Azure, cross-tenant authorization is achieved by creating a service principal from AutoMQ’s multitenant application in your tenant, then assigning the appropriate role to that service principal. For more details on this approach, see Create a service principal for a cross-tenant application and Authorize cross-tenant access.
In this document, references to the AutoMQ product service provider, AutoMQ service provider, and AutoMQ all specifically mean AutoMQ HK Limited.
Procedure
Step 1: Sign in to Azure CLI with your tenant administrator
Sign in to Azure CLI using your tenant administrator identity. Replace <Your Tenant ID> with your Microsoft Entra tenant ID.
```bash
az login --tenant <Your Tenant ID>
```
Before proceeding, gather the following information about the Ops Bucket created when you set up the AutoMQ BYOC environment. You can retrieve these values from the Azure portal or Azure CLI.
| Parameter | Description |
|---|---|
| Subscription ID | The Azure subscription that contains the Ops Bucket resources. |
| Resource Group | The resource group where the Storage Account is located. |
| Storage Account | The Storage Account that hosts the Ops Bucket Blob Container. |
| Blob Container | The name of the Blob Container used as the Ops Bucket. |
To list your Storage Accounts and Blob Containers via Azure CLI:
```bash
# List Storage Accounts in a resource group
az storage account list --resource-group <Your Resource Group> --query "[].name" -o table

# List Blob Containers in a Storage Account
az storage container list --account-name <Your Storage Account> --query "[].name" -o table
```
Create a service principal in your tenant from AutoMQ’s multitenant application. This allows the AutoMQ operational platform to authenticate in your Azure environment.
Run the following command:
```bash
az ad sp create --id 123d6e96-84f4-4569-82ec-c25edb2dc696
```
The --id value 123d6e96-84f4-4569-82ec-c25edb2dc696 is the official App ID of the AutoMQ operational platform. Do not modify this value.
After the command succeeds, verify the service principal:
```bash
az ad sp show --id 123d6e96-84f4-4569-82ec-c25edb2dc696
```
Step 4: Assign the Storage Blob Data Contributor role
Grant the AutoMQ service principal the Storage Blob Data Contributor role, scoped to the Ops Bucket Blob Container. AutoMQ only receives this role on the specific Blob Container used as the Ops Bucket — no other resources are affected.
Replace the placeholders with the values collected in Step 2:
```bash
az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee 123d6e96-84f4-4569-82ec-c25edb2dc696 \
  --scope "/subscriptions/{Your Subscription ID}/resourceGroups/{Your Resource Group}/providers/Microsoft.Storage/storageAccounts/{Your Storage Account}/blobServices/default/containers/{Your Ops Bucket Blob Container}"
```
After the command completes successfully, the Ops Bucket authorization is finished. You can proceed with cluster creation and management on the AutoMQ platform.
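To check that the role assignment is the only grant the AutoMQ service principal holds, the following added example (not part of AutoMQ's documentation) builds the expected container scope and audits the output of `az role assignment list`. The function names `ops_scope` and `audit_assignments` and the sample values are assumptions made for illustration.

```shell
AUTOMQ_APP_ID="123d6e96-84f4-4569-82ec-c25edb2dc696"  # App ID given on this page
EXPECTED_ROLE="Storage Blob Data Contributor"

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Build the container-level scope from the four Ops Bucket values gathered
# earlier, rejecting values that cannot be valid Azure names.
ops_scope() {  # args: subscription-id resource-group storage-account container
  matches "$1" '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "bad subscription ID: $1" >&2; return 2; }
  matches "$2" '^[^/]+$' || { echo "bad resource group: $2" >&2; return 2; }
  matches "$3" '^[a-z0-9]{3,24}$' ||
    { echo "bad storage account name: $3" >&2; return 2; }
  { [ "${#4}" -ge 3 ] && [ "${#4}" -le 63 ] && matches "$4" '^[a-z0-9](-?[a-z0-9])+$'; } ||
    { echo "bad container name: $4" >&2; return 2; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' "$1" "$2" "$3" "$4"
}

# Read "role<TAB>scope" lines on stdin, for example from (run per subscription):
#   az role assignment list --assignee "$AUTOMQ_APP_ID" --all \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# Print every grant that is not EXPECTED_ROLE at exactly the expected scope.
# Return 0 only if the expected grant is present and nothing else is.
# Scopes are compared case-insensitively, as Azure resource IDs are.
audit_assignments() {  # arg: expected scope
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  found=0; extra=0; tab=$(printf '\t')
  while IFS="$tab" read -r role scope; do
    [ -n "$role" ] || continue
    have=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$role" = "$EXPECTED_ROLE" ] && [ "$have" = "$want" ]; then
      found=1
    else
      echo "UNEXPECTED: $role @ $scope"; extra=1
    fi
  done
  [ "$found" -eq 1 ] || echo "MISSING: $EXPECTED_ROLE @ $1"
  [ "$found" -eq 1 ] && [ "$extra" -eq 0 ]
}

# Constructed sample (not real output): the intended grant plus an account-wide one.
demo_scope=$(ops_scope 00000000-0000-0000-0000-000000000000 rg-automq automqops ops-bucket)
printf '%s\t%s\n' "$EXPECTED_ROLE" "$demo_scope" "$EXPECTED_ROLE" "${demo_scope%/blobServices/*}" |
  audit_assignments "$demo_scope" || echo "review the grants listed above"
```

A grant at the Storage Account, resource group, or subscription level is reported as unexpected because it would give the service principal access beyond the Ops Bucket container.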