Create an Azure Provider Integration in Confluent Cloud
This topic explains how to create an Azure Provider Integration with Confluent Cloud that uses Microsoft Entra ID authorization to connect your Azure account to Confluent Cloud.
Overview
An Azure Provider Integration allows Confluent Cloud to securely access your Azure resources using Microsoft Entra ID-based authentication instead of long-term credentials. You can create this integration using the Confluent Cloud Console. During setup, Confluent generates a multi-tenant Microsoft Entra application, and you create a service principal in your Azure tenant for that application and grant the required permissions. For a conceptual overview of provider integrations, see Provider Integrations overview.
Prerequisites
Before you begin, ensure you have:
Access to the Azure Portal at https://portal.azure.com.
Access to the Confluent Cloud Console at https://confluent.cloud.
Create an Azure Provider Integration
You must create a Microsoft Azure Provider Integration in Confluent Cloud before you modify an existing Confluent resource (for example, a connector) or create a new one that uses provider integration.
Configuring an Azure Provider Integration involves the following steps:
Generate a multi-tenant Entra ID app in Confluent’s Azure account.
Create a new service principal in your Azure tenant using the Azure CLI. Use Confluent’s Entra ID application and assign the resource access permissions required to run the connector.
Map your Azure tenant ID to establish a trust relationship with Confluent’s Entra ID application.
Follow the steps below to create an Azure Provider Integration in a Confluent Cloud environment using the Confluent Cloud Console.
Using the Confluent Cloud Console
Sign in to your Confluent Cloud account and go through the following instructions to configure your first provider integration in Confluent Cloud.
Step 1: Select the Azure Provider Integration in Confluent
Go to the environment you want to create the provider integration in.
In the left navigation menu, click Integrations > Provider Integrations.
Click Add integration.
Select Microsoft Entra ID. In the Provider integration name field, enter a unique and descriptive name to identify your integration.
Click Continue.
Step 2: Configure the Azure service account
Generate a multi-tenant Entra ID app in Confluent’s Azure account and set up a service principal in your Azure Cloud.
Click Create Entra ID app. This generates a Microsoft Entra application in Confluent’s Azure account. You need this application to configure access in your Azure portal.
Copy the generated application client ID and save it. For example:
a8198fb1-845g-4f54-973b-86fg742b5a38.
Select Confluent resources. Choose one or more Confluent Cloud resources to use with this integration.
In the List of permissions needed section, copy the permissions you need to add to your Azure service principal and save them to use in the service principal setup.
Using Azure CLI, create a new service principal in your Azure Cloud. Run
az ad sp create --id <APPLICATION_ID>
where <APPLICATION_ID> is the application client ID you copied above. The Azure portal does not support creating a service principal for a multi-tenant application. For more information, see Register a Microsoft Entra app and create a service principal.
Note that you can leave the service principal setup before completing the next step and do it later from the Provider integrations list by clicking Complete next to your integration.
You must have at least one of the following Entra ID admin roles:
Cloud Application Administrator or Application Administrator. For more information, see the error reference.
After creating the service principal, assign the permissions you copied above to your Azure service principal.
Click Continue to complete the setup.
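The service principal step above, followed by a least-privilege check on what it was granted, as an added example (not Confluent's own tooling). The function names, the sample rows, and the policy of flagging Owner, Contributor, User Access Administrator and subscription-level or higher scopes are assumptions of this example; the permissions Confluent actually requires are the ones listed in the console.

```sh
# Added example: audit role assignments of the Confluent service principal.
# Role names are real Azure built-in roles; treating them (and subscription-
# level or higher scopes) as "too broad" is this example's own policy.
TAB="$(printf '\t')"

# Reads "role<TAB>scope" lines on stdin, prints one finding per risky grant.
flag_broad_assignments() {
  while IFS="$TAB" read -r role scope; do
    [ -n "$role" ] || continue
    case "$role" in
      Owner|Contributor|"User Access Administrator")
        printf 'BROAD_ROLE\t%s\t%s\n' "$role" "$scope" ;;
    esac
    case "$scope" in
      /|/providers/Microsoft.Management/managementGroups/*) wide=1 ;;
      /subscriptions/*/*) wide=0 ;;  # resource group or resource level
      /subscriptions/*)   wide=1 ;;  # whole subscription
      *)                  wide=0 ;;
    esac
    if [ "$wide" -eq 1 ]; then
      printf 'WIDE_SCOPE\t%s\t%s\n' "$role" "$scope"
    fi
  done
}

# Creates the service principal only if missing, then audits its grants.
# Needs a signed-in Azure CLI. Returns 0 = clean, 1 = findings, 2 = CLI error.
audit_confluent_sp() {
  app_id="$1"
  az ad sp show --id "$app_id" --output none 2>/dev/null ||
    az ad sp create --id "$app_id" --output none || return 2
  grants="$(az role assignment list --assignee "$app_id" --all \
    --query '[].[roleDefinitionName, scope]' --output tsv)" || return 2
  findings="$(printf '%s\n' "$grants" | flag_broad_assignments)"
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample rows (placeholder subscription ID, not real data).
sample_assignments() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000
  printf 'Storage Blob Data Contributor\t%s\n' \
    "$sub/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
  printf 'Contributor\t%s\n' "$sub"
}
```

Run audit_confluent_sp with the application client ID after assigning permissions; az role assignment list with --all covers the currently selected subscription, so repeat it for each subscription the integration touches.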
Step 3: Establish trust in Confluent
Trust validation only confirms the service principal exists and Confluent can establish the trust relationship.
In the Microsoft tenant ID account field, enter your tenant ID from your Azure account.
Click Validate. This checks if the service principal exists in your tenant for the Confluent multi-tenant application.
If validation succeeds, you will see a message saying the Microsoft tenant ID is valid.
If validation fails, you will see a message stating why it failed. Verify your tenant ID and created service principal, then try again.
Click Continue.
The Integrations page displays your integration with the status Created.
If you leave the integration after generating Confluent’s Microsoft Entra application and selecting Confluent Cloud resources, but before entering your Microsoft tenant ID, the integration appears on the Provider integrations list with a status of Draft. You can complete it later by clicking Complete next to the integration name.
Next steps
After successfully creating your Azure Provider Integration, you can use it to create connectors or to configure a Tableflow catalog service. The integration eliminates the need to store Azure credentials directly in your connector configurations.