Create an Azure Provider Integration in Confluent Cloud

This topic explains how to create an Azure Provider Integration with Confluent Cloud that uses Microsoft Entra ID authorization to connect your Azure account to Confluent Cloud.

Overview

An Azure Provider Integration allows Confluent Cloud to securely access your Azure resources using Microsoft Entra ID-based authentication instead of long-term credentials. You can create this integration using the Confluent Cloud Console. During setup, Confluent generates a multi-tenant Microsoft Entra application, and you create a service principal in your Azure tenant for that application and grant the required permissions. For a conceptual overview of provider integrations, see Provider Integrations overview.

Prerequisites

Before you begin, ensure you have:

Steps to create an Azure Provider Integration

Follow the steps below to create an Azure Provider Integration in a Confluent Cloud environment using the Confluent Cloud Console.

  1. Sign in to the Confluent Cloud Console at https://confluent.cloud.

  2. Go to the environment you want to create the provider integration in.

  3. In the left navigation menu, click Integrations.

  4. Click Provider integrations and then click Add integration.

  5. Select Microsoft Entra ID. In the Provider integration name field, enter a unique and descriptive name to identify your integration, and then click Continue.

  6. Complete the following steps to set up the Entra ID integration:

    Step 1: Generate a multi-tenant Microsoft Entra application in Confluent’s Azure tenant

    • Click Create Entra ID app. This generates a Microsoft Entra application in Confluent’s Azure account. You need this application to configure access in your Azure portal.
    • Copy the application (client) ID and save it. For example: a8198fb1-845g-4f54-973b-86fg742b5a38.

    Step 2: Select Confluent resources

    • Select Confluent resources. Choose one or more Confluent Cloud resources to use with this integration.
    • In the List of permissions needed section, copy the permissions you need to add to your Azure service principal and save them to use in the next step.

    Step 3: Set up service principal in your Azure cloud

    • You can leave the setup before completing Step 3 and do it later from the Provider integrations list by clicking Complete next to your integration. For more information on creating a service principal for the multi-tenant application in your Azure account, see Create a Microsoft Entra ID.

    Follow these steps in your Azure account:

    • Azure CLI: Run az ad sp create --id <APPLICATION_ID> where <APPLICATION_ID> is the application client ID you copied in Step 1. The Azure portal does not support creating a service principal for a multi-tenant application.
    • After creating the service principal, assign the permissions you copied in the previous step to your Azure service principal.
    • Click Continue to complete the setup.

    The Map service accounts to establish trust page appears. For details, see Map Microsoft Entra tenant ID.

  7. In the Microsoft tenant ID field, enter your tenant ID from your Azure account.

  8. Optionally, click Validate. This checks if the service principal exists in your tenant for the Confluent multi-tenant application.

    • If validation succeeds, you will see a message saying the Microsoft tenant ID is valid. You can click Continue.
    • If validation fails, you will see a message stating why it failed. Verify your tenant ID and that you created the service principal, then try again.

    Note

    Validation only confirms the service principal exists and Confluent can establish the trust relationship. Permission and role assignment issues appear when you use the provider integration.

  9. Click Continue.

The Integrations page displays your integration with the status Created.

You can now use your provider integration to create connectors that can access your Azure resources without storing long-term credentials.
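
Step 3 above as a repeatable script (an added example, not Confluent's own code): it creates the service principal only if it is missing, assigns one role at one scope, and prints the tenant ID needed for the Microsoft tenant ID field. The role name and scope arguments are placeholders for the permissions the Console listed in Step 2, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: Step 3 as an idempotent script. Requires a logged-in Azure CLI.
# Usage: sh setup_sp.sh <APPLICATION_ID> "<ROLE_NAME>" "<SCOPE_RESOURCE_ID>"
set -eu

# Accept only a canonical GUID, so a truncated or mistyped client ID is
# rejected before any Azure call is made.
is_guid() {
  case "$1" in *[!0-9a-fA-F-]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

setup_service_principal() {
  app_id=$1 role=$2 scope=$3
  is_guid "$app_id" || { echo "not a GUID: $app_id" >&2; return 2; }

  # Idempotent: create the service principal only if the tenant lacks one.
  # "id" is the service principal's object ID in current Azure CLI output.
  if ! sp_oid=$(az ad sp show --id "$app_id" --query id -o tsv 2>/dev/null); then
    sp_oid=$(az ad sp create --id "$app_id" --query id -o tsv)
  fi

  # Assign by object ID with an explicit principal type, so the assignment
  # does not depend on a directory lookup of a just-created principal.
  az role assignment create \
    --assignee-object-id "$sp_oid" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" --output none

  # This is the value to paste into the Microsoft tenant ID field.
  az account show --query tenantId -o tsv
}

# Run only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then setup_service_principal "$@"; fi
```

Pass the narrowest scope that covers the connector's target, such as a single resource ID, rather than a subscription.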

Map Microsoft Entra tenant ID

“Mapping your Microsoft tenant ID” refers to establishing the trust relationship for your integration by providing your tenant ID so Confluent Cloud can validate and trust the tenant associated with your service principal and the generated multi-tenant Microsoft Entra application.

If you leave the integration after generating Confluent’s Microsoft Entra application and selecting Confluent Cloud resources, but before entering your Microsoft tenant ID, the integration appears on the Provider integrations list with a status of Draft. You can complete it later by clicking Complete next to the integration name.

Complete the integration

In the Complete integration panel:

  • Name: The provider integration name you created.
  • Microsoft Entra tenant ID: Enter your tenant ID.
  • Validate: Click to test the trust relationship.

To complete the integration:

  1. Ensure your Azure service principal has the required Azure RBAC role assignments for the Confluent Cloud resources you selected earlier.

  2. In the Complete integration panel, paste your Microsoft tenant ID into the Microsoft tenant ID field.

  3. Click Validate.

    • If validation succeeds, the panel indicates success. This confirms the service principal exists in your tenant for the Confluent multi-tenant application. Close the panel. The integration status updates to Created.
    • If validation fails, the panel shows the reason. Verify that your tenant ID is accurate and that you created the service principal in your tenant, then try again.

    Note

    Validation only checks if the service principal exists in your tenant. Permission and role assignment issues are detected when you create a connector.

For background on creating the identity and assigning permissions, see Create a Microsoft Entra ID.

Create a Microsoft Entra app

What you need

  • A Microsoft Entra application and corresponding service principal in Azure.
  • Confluent Cloud permissions granted to the service principal for your target Azure resources based on the permissions you need to add to your Azure service principal.

Azure Portal

Use the Azure Portal and Microsoft documentation to create and manage the application and service principal, assign roles, and optionally apply conditions. See:

Values to capture for Confluent Cloud

  • Microsoft tenant ID. Provide this when you map accounts in Confluent Cloud. For details, see Map Microsoft Entra tenant ID.
  • The roles and permissions granted to the service principal. Verify these against the required permissions listed in Confluent Cloud during setup.

Next steps

After successfully creating your Azure Provider Integration, you can use it to create connectors such as Azure Blob Storage Sink, Azure Blob Storage Source, Azure Cosmos DB Sink connectors, or Tableflow. The integration eliminates the need to store Azure credentials directly in your connector configurations.

Troubleshoot

Common issues and solutions:

Integration validation fails
  • Verify your Microsoft tenant ID is correct.
  • Confirm you created the service principal in your tenant for the Confluent multi-tenant application using Azure CLI.
  • Wait a few minutes for the service principal creation to propagate, then retry validation.
Audit and diagnostics
  • Use Azure Activity log for role assignment events and resource access.
  • Use Microsoft Entra sign-in and audit logs for service principal authentications.
  • Enable diagnostic settings to send logs to Log Analytics for deeper troubleshooting.

Security best practices

Principle of least privilege
  • Assign only the minimum RBAC roles required for the specific resources and operations. Prefer data-plane roles over broad Owner/Contributor where possible.
Separate identities and rotation
  • Use a dedicated service principal per integration and workload. Avoid reusing identities across environments.
Monitoring and compliance
  • Enable Activity log and Microsoft Entra logs and set alerts for unusual behavior.
  • Periodically review role assignments and remove unused access.
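
One way to carry out the periodic review of role assignments described above, as an added example rather than Confluent or Microsoft tooling: it reads the service principal's assignments as tab-separated role and scope pairs and flags control-plane roles and subscription-wide or management-group scopes. The function names, the list of roles treated as broad, and the sample rows are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: least-privilege review of role assignments.
# Input on stdin: one "role<TAB>scope" line per assignment, for example from
#   az role assignment list --assignee <APPLICATION_ID> --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv
# Output: "finding<TAB>role<TAB>scope" per flagged assignment, nothing if clean.
review_assignments() {
  awk -F '\t' '
  {
    role = $1; scope = tolower($2); why = ""
    n = split(scope, seg, "/")
    # Control-plane roles grant management rights a data connector does not need.
    if (role == "Owner" || role == "Contributor" ||
        role == "User Access Administrator")
      why = "broad role"
    # Root, management-group and subscription scopes cover everything below them.
    if (scope == "/" || index(scope, "/providers/microsoft.management/") == 1 ||
        (seg[2] == "subscriptions" && (n == 3 || (n == 4 && seg[4] == ""))))
      why = (why == "" ? "" : why ", ") "broad scope"
    if (why != "") printf "%s\t%s\t%s\n", why, $1, $2
  }'
}

# Constructed sample rows (placeholder subscription ID and resource names).
sample_assignments() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000
  printf '%s\t%s\n' \
    "Storage Blob Data Contributor" \
    "$sub/resourceGroups/rg-kafka/providers/Microsoft.Storage/storageAccounts/stkafkasink" \
    "Contributor" "$sub/resourceGroups/rg-kafka" \
    "Storage Blob Data Reader" "$sub"
}

# Demo: flags the Contributor row and the subscription-wide row.
sample_assignments | review_assignments
```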