# Set Ops Authing from Azure

> Configure cross-tenant operational authorization for AutoMQ on Azure by creating a service principal and granting Storage Blob Data Contributor access to the Ops Bucket.

As described in [Manage Environment Ops Authing](/automq-cloud/manage-environments/manage-environment-ops-authing/overview), the AutoMQ operational platform requires read and write access to the Ops Bucket in your Azure environment. This access enables system stability monitoring, self-healing, subscription license updates, and version upgrades for your BYOC environment.

In Azure, cross-tenant authorization is achieved by creating a service principal from AutoMQ's multitenant application in your tenant, then assigning the appropriate role to that service principal. For more details on this approach, see [Create a service principal for a cross-tenant application](https://learn.microsoft.com/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=azure-cli) and [Authorize cross-tenant access](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-authorize-cross-tenant).

<Info>
  In this document, references to the AutoMQ product service provider, AutoMQ service provider, and AutoMQ all specifically mean AutoMQ HK Limited.
</Info>

## Procedure

### Step 1: Sign in to Azure CLI with your tenant administrator

Sign in to Azure CLI using your tenant administrator identity. Replace `<Your Tenant ID>` with your Microsoft Entra tenant ID.

```shell
az login --tenant <Your Tenant ID>
```

### Step 2: Collect your Ops Bucket information

Before proceeding, gather the following information about the Ops Bucket created when you set up the AutoMQ BYOC environment. You can retrieve these values from the Azure portal or Azure CLI.

| Parameter       | Description                                                    |
| --------------- | -------------------------------------------------------------- |
| Subscription ID | The Azure subscription that contains the Ops Bucket resources. |
| Resource Group  | The resource group where the Storage Account is located.       |
| Storage Account | The Storage Account that hosts the Ops Bucket Blob Container.  |
| Blob Container  | The name of the Blob Container used as the Ops Bucket.         |

To list your Storage Accounts and Blob Containers via Azure CLI:

```shell
# List Storage Accounts in a resource group
az storage account list --resource-group <Your Resource Group> --query "[].name" -o table

# List Blob Containers in a Storage Account
az storage container list --account-name <Your Storage Account> --query "[].name" -o table
```

### Step 3: Create a service principal for the AutoMQ operational platform

Create a service principal in your tenant from AutoMQ's multitenant application. This allows the AutoMQ operational platform to authenticate in your Azure environment.

Run the following command:

```shell
az ad sp create --id 123d6e96-84f4-4569-82ec-c25edb2dc696
```

<Warning>
  The `--id` value `123d6e96-84f4-4569-82ec-c25edb2dc696` is the official App ID of the AutoMQ operational platform. Do not modify this value.
</Warning>

After the command succeeds, verify the service principal:

```shell
az ad sp show --id 123d6e96-84f4-4569-82ec-c25edb2dc696
```

### Step 4: Assign the Storage Blob Data Contributor role

Grant the AutoMQ service principal the **Storage Blob Data Contributor** role, scoped to the Ops Bucket Blob Container. AutoMQ only receives this role on the specific Blob Container used as the Ops Bucket — no other resources are affected.

Replace the placeholders with the values collected in Step 2:

```shell
az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee 123d6e96-84f4-4569-82ec-c25edb2dc696 \
  --scope "/subscriptions/{Your Subscription ID}/resourceGroups/{Your Resource Group}/providers/Microsoft.Storage/storageAccounts/{Your Storage Account}/blobServices/default/containers/{Your Ops Bucket Blob Container}"
```

After the command completes successfully, the Ops Bucket authorization is finished. You can proceed with cluster creation and management on the AutoMQ platform.
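
To confirm that the grant is limited to the Ops Bucket container, you can audit every role assignment held by the AutoMQ service principal. The script below is an added example, not part of AutoMQ's documentation or tooling: the function names `build_scope` and `audit_assignments` are hypothetical, the name checks follow Azure's published naming rules, and the subscription ID and resource names in the sample are constructed.

```shell
#!/bin/sh
# Added example: confirm the AutoMQ service principal holds only the Step 4 grant.
APP_ID="123d6e96-84f4-4569-82ec-c25edb2dc696"  # App ID given on this page
ROLE="Storage Blob Data Contributor"

# build_scope SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT CONTAINER
# Prints the container-level scope from Step 4; returns 2 on a malformed value.
build_scope() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "subscription ID is not a GUID" >&2; return 2; }
  case "$2" in ''|*/*) echo "bad resource group name" >&2; return 2 ;; esac
  printf '%s' "$3" | grep -Eq '^[a-z0-9]{3,24}$' \
    || { echo "storage account: 3-24 lowercase letters/digits" >&2; return 2; }
  { [ "${#4}" -le 63 ] && printf '%s' "$4" | grep -Eq '^[a-z0-9](-?[a-z0-9]){2,}$'; } \
    || { echo "container: 3-63 chars, lowercase/digits/single hyphens" >&2; return 2; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' "$1" "$2" "$3" "$4"
}

# audit_assignments EXPECTED_SCOPE   (stdin: "role<TAB>scope", one per line)
# Returns 0 only if the expected grant is present and no other grant exists.
audit_assignments() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  found=0; extra=0; tab=$(printf '\t')
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    [ -n "$role" ] || continue
    # ARM resource IDs are case-insensitive, so compare lowercased scopes.
    got=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$role" = "$ROLE" ] && [ "$got" = "$want" ]; then
      found=1; echo "OK      $role @ $scope"
    else
      extra=1; echo "EXTRA   $role @ $scope"
    fi
  done
  [ "$found" -eq 1 ] || echo "MISSING $ROLE @ $1"
  [ "$found" -eq 1 ] && [ "$extra" -eq 0 ]
}

# Live use (needs the Step 1 login):
#   az role assignment list --assignee "$APP_ID" --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | audit_assignments "$scope"

# Constructed sample: the intended grant plus an account-wide grant to catch.
scope=$(build_scope 00000000-0000-0000-0000-000000000000 rg-automq automqops ops-bucket)
printf '%s\t%s\n' "$ROLE" "$scope" "$ROLE" "${scope%/blobServices/*}" \
  | audit_assignments "$scope" || echo "review the EXTRA/MISSING lines above"
```

An `EXTRA` line means the service principal holds a role or scope beyond the single container-level grant from Step 4; `az role assignment list --all` covers the current subscription only, so repeat the check in each subscription you want to audit.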
