App Layering

MS Azure


This Azure connector configuration is now deprecated and only available for a limited time. For Azure connections, use the new Azure Deployments connector configuration.

When creating layers in an Azure environment, use an MS Azure connector configuration. This article describes the fields included in Azure connector configuration settings. For more about connector configurations and how to add new ones, see Connector configurations.

A connector configuration contains the credentials that the appliance uses to access a specific location in Azure. Your organization can have one Azure account and several storage locations. You need a connector configuration for the appliance to access each storage location.


This connector is used for publishing layers. Do not use this connector for publishing templates.

Before you create an Azure connector configuration

This section explains:

  • The Azure account information required to create this connector configuration.
  • The Azure storage you need for App Layering.
  • The servers that the appliance communicates with.

Required Azure account information

The Azure connector configuration requires the following information.

Azure connector configuration

  • Name - A name you use for a new connector configuration.
  • Subscription ID - To deploy Azure virtual machines, your organization must have a subscription ID.
  • Tenant ID - The GUID that identifies your organization’s dedicated instance of Azure Active Directory (AD).
  • Client ID - An identifier for the App Registration, which your organization has created for App Layering.
  • Client Secret - The password for the Client ID you are using. If you have forgotten the Client Secret, you can create a new one. Note: Client secrets are logically associated with Azure tenants, so each time you use a new subscription and Tenant ID, you must use a new Client Secret.
  • Standard Azure storage (required): A storage account for Azure virtual machines (VHD files), the template file that you use to deploy Azure virtual machines, and the boot diagnostics files for the Azure virtual machines. If you specify Premium storage, which is optional, the virtual machines are stored there, and the template and boot diagnostics files remain in Standard storage.

    The storage account must already have been created in the Azure portal, and the name you enter must match the name in the portal. For details, see Set up one or more necessary storage accounts below.

  • Premium storage (optional): Optional extra storage for Azure virtual machines (VHD files). Premium storage only supports page blobs and cannot be used to store the template file for deploying Azure virtual machines or the boot diagnostics files for those virtual machines. When you specify a premium storage account, the virtual machine sizes available are limited to those that support premium storage.

    The storage account must already have been created in the Azure portal, and the name you enter must match the name in the portal. For details, see Set up one or more necessary storage accounts below.

Required Azure storage account

Any account you use for App Layering must meet the following requirements:

  • Must not be a classic storage account.
  • Must be separate from the storage account used for the appliance.
  • Must be in the Azure location where you plan to deploy virtual machines.
  • Can be located in any resource group, as long as the resource group’s location is the same as the account’s location.

Required Standard storage account

One of the following types of Standard Azure storage accounts is required to create a connector configuration.

  • Standard Locally Redundant storage (LRS)
  • Standard Geo-Redundant storage (GRS)
  • Standard Read-Access Geo-Redundant storage (RAGRS)

When creating the required Standard Storage, enable Blob Public Access for this account. Otherwise, attempts to publish images fail with the error:

"A failure occurred while creating a storage container in the Azure storage account: Public access is not permitted on this storage account."

Premium storage account

In addition to the required Standard account, you can use Premium storage to store your App Layering virtual machine disks. When creating the optional Premium Storage, Blob Public Access is not required.
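
The account-level requirements above can be checked before a storage account name goes into the connector configuration. The following Python check is an added example, not Citrix code; it runs over constructed JSON that uses the field names of `az storage account show` output, and the function name, the account names and the `appliance_account` parameter are assumptions.

```python
import json

# Constructed sample using the field names of `az storage account show`
# output; these are not real accounts.
SAMPLE = json.loads("""[
 {"name": "applayerstd", "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus", "sku": {"name": "Standard_GRS"}, "allowBlobPublicAccess": true},
 {"name": "applayerprem", "type": "Microsoft.Storage/storageAccounts",
  "location": "eastus", "sku": {"name": "Premium_LRS"}, "allowBlobPublicAccess": false},
 {"name": "oldclassic", "type": "Microsoft.ClassicStorage/storageAccounts",
  "location": "westus", "sku": {"name": "Standard_LRS"}}
]""")

STANDARD_SKUS = {"Standard_LRS", "Standard_GRS", "Standard_RAGRS"}

def check_account(acct, role, vm_location, appliance_account):
    """Return the requirement violations for one storage account.
    role is "standard" or "premium", matching the two connector fields."""
    problems = []
    if acct["type"].lower() != "microsoft.storage/storageaccounts":
        problems.append("classic storage account")
    if acct["name"] == appliance_account:
        problems.append("same account as the appliance")
    if acct["location"].lower() != vm_location.lower():
        problems.append(f"location {acct['location']} != VM location {vm_location}")
    sku = acct["sku"]["name"]
    if role == "standard":
        if sku not in STANDARD_SKUS:
            problems.append(f"SKU {sku} is not LRS/GRS/RAGRS Standard")
        # Publishing fails when Blob Public Access is disabled on the Standard
        # account. Only an explicit false is reported; an unset value is not judged.
        if acct.get("allowBlobPublicAccess") is False:
            problems.append("Blob Public Access is not enabled")
    elif role == "premium":
        # Blob Public Access is not required on the optional Premium account.
        if not sku.startswith("Premium_"):
            problems.append(f"SKU {sku} is not Premium")
    else:
        raise ValueError(f"unknown role: {role}")
    return problems
```

Because the Standard account is the one that must allow public blob access, it is also the account whose containers are worth reviewing after each publish.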

Servers that the appliance communicates with

Using this connector, the appliance communicates with the following servers:


The appliance requires network connections with these servers.

Set up your Azure subscriptions

Use the following procedures for each Azure subscription that you want to connect with the App Layering appliance.

Set up and retrieve your Azure credentials

To retrieve Azure credentials when adding an Azure connector configuration:

  • Identify your Azure Subscription ID.
  • Create an App Registration in Azure Active Directory.
  • Retrieve the Azure Tenant ID, Client ID, and Client Secret from the App Registration.
  • Create a storage account, or use an existing one, inside the subscription.

Identify the correct Azure Subscription ID

  1. Go to the Azure portal.
  2. Click Subscriptions, and find the subscription you need in the list.
  3. Select and copy the Subscription ID, and paste it into the connector configuration Subscription ID field.

Create an app registration for the Azure subscription

You can use one Azure subscription for multiple Azure connector configurations. Each Azure subscription that you want to use for your App Layering connector configurations requires an app registration.

To create an app registration:

  1. Log into the Azure portal.
  2. Click Azure Active Directory. If Azure Active Directory isn’t listed, click More Services to display more choices.
  3. On the left under Manage, select App registrations.
  4. At the top of the page, click New registration. A form appears.
  5. In the Name field, type a descriptive name, such as “Citrix App Layering access”.
  6. For Supported account types, select Accounts in this organizational directory only (My Company only - Single tenant).
  7. For Redirect URL, type
  8. Click Register.
  9. In the list of App registrations, click the new app registration that you created in the preceding procedure.
  10. In the new window that appears, the Application ID appears near the top. Enter this value into the Client ID box in the connector configuration you are creating.
  11. Scroll right to see the application properties, including the Display name, Application ID, and other values.
  12. Copy the Directory (tenant) ID value and paste it into the Tenant ID field in the connector configuration.
  13. In the left column under Manage click Certificates and Secrets.
  14. Add a client secret for the App Layering application, with a description such as “App Layering Key 1”.
  15. Type the value for the new Client Secret into the connector configuration.


    This key does not appear again after you close this window. This key is sensitive information. Treat the key like a password that allows administrative access to your Azure subscription. Open the settings of the app registration you created in Azure Active Directory > App registrations > [name you just entered] > Settings > Properties.

  16. Go back to Azure Home, and click Subscriptions. If Subscriptions isn’t listed, click More Services to locate it.
  17. Click the subscription you are using for this connector.
  18. In the left panel click Access Control (IAM).
  19. On the top bar of the Access control panel, click Add and select Add role assignment.
  20. The Add role assignment form appears on the right. Click the drop-down menu for Role and select Contributor.
  21. In the Select field, type “Citrix App Layering access” or use the name you entered for the Application registration.
  22. Click the Save button at the bottom of the form.

You have now set up an Azure app registration that has read/write access to your Azure subscription.
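
Because the Client Secret now carries Contributor rights on the whole subscription, it is worth confirming that the app registration holds exactly that one role assignment and that no stale secrets remain. The following Python audit is an added example, not Citrix code; it runs over constructed JSON that uses the field names of `az role assignment list --assignee <client-id> --all` and `az ad app credential list --id <client-id>` output, and the GUID, the management group name and the function names are placeholders or assumptions.

```python
import json
from datetime import datetime, timezone

SUB = "00000000-0000-0000-0000-000000000001"  # placeholder Subscription ID

# Constructed samples; the field names follow the az CLI JSON output.
ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"roleDefinitionName": "Contributor",
  "scope": "/providers/Microsoft.Management/managementGroups/constructed-mg"}
]""")
SECRETS = json.loads("""[
 {"displayName": "App Layering Key 1", "endDateTime": "2024-03-01T00:00:00Z"},
 {"displayName": "App Layering Key 2", "endDateTime": "2026-03-01T00:00:00Z"}
]""")

def audit_assignments(assignments, subscription_id, role="Contributor"):
    """Compare the app's role assignments with the single one the procedure
    creates: `role` at the scope of the subscription itself."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    found, unexpected = False, []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        if scope == expected_scope and a["roleDefinitionName"] == role:
            found = True
        else:
            # Any other role, or the same role at another scope, needs review.
            unexpected.append((a["roleDefinitionName"], a["scope"]))
    return {"expected_present": found, "unexpected": unexpected}

def expired_secrets(secrets, now):
    """Names of client secrets whose endDateTime is at or before `now` (UTC)."""
    out = []
    for s in secrets:
        # Keep only the seconds-resolution part so fractional seconds parse too.
        end = datetime.strptime(s["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        if end.replace(tzinfo=timezone.utc) <= now:
            out.append(s["displayName"])
    return out
```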

Set up one or more necessary storage accounts

The Azure storage accounts are where the App Layering software stores all images imported from and published to Azure (virtual hard disks, or VHDs), along with the template file that you use to deploy Azure virtual machines, and the boot diagnostics files for those machines.

You can use an existing storage account, if it meets these requirements:

  • It is not a classic storage account.
  • It is in the same subscription used in the connector configuration.

In the App Layering Azure connector configuration, enter the storage account name in the Standard Storage Account field.

If you don’t have a storage account, create a standard storage account. Connector configurations require a standard account, though you can also specify a second storage account that is premium.

  1. On the Azure home page, click Storage accounts.
  2. In the Storage accounts window, click Add.
  3. In the Subscription field, select the subscription you are using.
  4. In the Resource group field, select Create New and enter a name similar to the name of the Storage account.
  5. In the Storage account name field, enter a memorable name.
  6. Select the Location.
  7. In the Performance field, if the location you chose is the only one for this connector configuration, select Standard. Otherwise, choose the best type for your needs.
  8. In the Account kind field, select general purpose v2 or general purpose v1.
  9. In the Replication field, select the type you need.
  10. For the Access tier (default), select Hot or Cold.
  11. Click Next: Networking, and select the connectivity method.
  12. Complete the remaining options under Networking, Advanced, and Tags.
  13. Select Review + Create.
  14. Finally, enter the new Storage account name in the connector configuration you are creating.

What to do if your Azure Client Secret is lost

You can generate a new Azure Client Secret under Certificates and Secrets. For details, see the steps in the Create an app registration for the Azure subscription section earlier in this article.

Add a Connector Configuration

When the requirements are ready, create an Azure connector configuration:

  1. Click the Connectors page.
  2. Click Add Connector Configuration.
  3. In the dialog box that opens, select the Connector type for the platform and location where you are creating the layer or publishing the layered image. Then click New to open the Connector Configuration page.
  4. Complete the fields on the Connector Configuration page. For guidance, see the field definitions.
  5. Click the TEST button to verify that the appliance can access the location specified using the credentials supplied.
  6. Click Save. The new Connector Configuration appears on the Connector tab.

Azure data structure (Reference)

The Azure data structure is as follows:


  • Tenant ID
  • App Registration
    • Client ID
    • Client Secret
  • Subscription
    • Subscription ID
    • Storage Account
      • Storage Account Name


  • Tenant is your Azure Active Directory instance that users and applications can use to access Azure. The Tenant ID identifies each tenant. A tenant can have access to one or more Azure Subscriptions.
  • The Azure Active Directory Tenant contains two types of accounts.
    • A User Account for logging into the Azure portal (
    • An App Registration for accessing the subscription has a Client ID.
      • The Client ID has a Client Secret, instead of a password.
      • Users can generate the Client Secret, and delete it.
  • An Azure Subscription contains everything that can be created in Azure, except for user accounts.
  • A Subscription contains storage accounts. A storage account is where App Layering VHDs are stored. The Storage Account Name identifies the location.