Application Configuration in Azure Portal for Kafka OAuth2 Account

Overview

Snaps in the Kafka Snap Pack require a Kafka OAuth2 account to access Azure resources. To authorize the accounts successfully, ensure that you create and configure two applications corresponding to the account:

  • Confluent Cloud application
  • Client application

Prerequisites

An Azure account with a free subscription to create the application.

  1. Create Two Applications in the Azure Portal
    1. Log in to the Microsoft Azure Portal.
    2. Navigate to Azure services > Microsoft Entra ID.
    3. Navigate to Add > App registration.
    4. On the Register an application page, specify the name for registering the Confluent Cloud application, which allows client applications to claim roles in Confluent Cloud, and click Register. Learn more about creating an application at How to register an app in Microsoft Entra ID - Microsoft identity platform.
      Note: To use an existing application, navigate to Portal Home > Azure Active Directory > App registrations > All applications. In the search box, specify the application name you want to use. The details of the registered application are displayed in the search list.
      Note: This application does not need the Redirect URI.

    5. Click Add an Application ID URI. This URI is used by the client applications to identify this application.
    6. Set the Application ID URI.

    7. Navigate to App roles.
      1. Click Create app role.
      2. Set up a Dev Admin role.
      3. Choose Applications for the Allowed member types.
      4. Specify the Value as dev.environmentAdmin.
      5. Provide a useful description of what this role is supposed to allow.

    8. Navigate to Manifest in the left navigation to ensure Azure Active Directory returns version 2 tokens on its token endpoint.
        1. Search for the key ‘requestedAccessTokenVersion’.
        2. Update the value from null to 2, and save it.

    9. Return to the Overview and view the Endpoints, where you can copy and save the OAuth 2.0 token endpoint.

    10. Register the Kafka client application.

    11. Navigate to Certificates & secrets on the left navigation bar and create a new client secret.
      Note: You can copy the Client secret value only after it is generated. This value displays only once, so ensure you copy it securely.
    12. Navigate to API permissions > Add a permission.
    13. Select the APIs my organization uses tab.

    14. Add the roles to your client application according to your Confluent Cloud registration.

    15. Copy and save the Scope parameter from the role you added to the client application.

    16. Click Grant admin consent and confirm the grant. This completes the Azure AD configuration for the client application. You can now generate a JWT from an Azure AD OAuth 2.0 token endpoint using the Client ID, Client Secret, and Scope parameters.

  2. Specify the Credentials and Validate the Snap Account
    1. Navigate to the Kafka Snap of your choice and configure the Kafka OAuth2 Account with the details from the Azure portal's registered application.

    2. Validate the Snap Account.
    3. Click Apply to save the Account configuration.
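
To confirm that the manifest change and the app role assignment took effect, you can inspect the claims of a JWT issued by the token endpoint before relying on it. The following Python script is an added example, not part of the original documentation or the Snap Pack. It assumes the expected audience is the Confluent Cloud application's client ID, and the identifiers and tokens in it are constructed samples.

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt: str, expected_aud: str, required_role: str) -> list:
    """Return a list of configuration problems; an empty list means the claims look right."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("ver") != "2.0":  # version 1 tokens carry ver="1.0"
        problems.append(f"ver={claims.get('ver')!r}: set requestedAccessTokenVersion to 2 in the manifest")
    if claims.get("aud") != expected_aud:
        problems.append(f"aud={claims.get('aud')!r}: token was issued for a different application")
    roles = claims.get("roles") or []  # app roles granted to the client application
    if required_role not in roles:
        problems.append(f"roles={roles!r}: {required_role} not assigned or admin consent not granted")
    return problems

def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), "constructed-signature"])

# Constructed sample values, not real identifiers.
API_APP_ID = "00000000-0000-0000-0000-000000000001"
GOOD = make_sample({"ver": "2.0", "aud": API_APP_ID, "roles": ["dev.environmentAdmin"]})
BAD = make_sample({"ver": "1.0", "aud": "api://" + API_APP_ID})

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("bad", BAD)):
        print(name, check_token(token, API_APP_ID, "dev.environmentAdmin") or "OK")
```

Treat the access token as a credential when running this check: paste it only into a local session and do not write it to logs.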