MS Azure

When creating layers in an Azure environment, you must use an MS Azure connector configuration. This article describes the fields included in the Azure connector configuration settings. For more about connector configurations and how to add new ones, see Connector configurations.

A connector configuration contains the credentials that the appliance uses to access a specific location in Azure. Your organization can have one Azure account and several storage locations. You need a connector configuration for the appliance to access each storage location.

Before you create an Azure connector configuration

This section explains:

  • The Azure account information required to create this connector configuration.
  • The Azure storage you need for App Layering.
  • The servers that the appliance communicates with.

Required Azure account information

The Azure connector configuration requires the following information.

Azure connector configuration

  • Name - A name you use for a new connector configuration.
  • Subscription ID - To deploy Azure virtual machines, your organization must have a subscription ID.
  • Tenant ID - A GUID that identifies your organization’s dedicated instance of Azure Active Directory (AD).
  • Client ID - An identifier for the App Registration, which your organization has created for App Layering.
  • Client Secret - The password for the Client ID you are using. If you have forgotten the Client Secret, you can create a new one. Note: Client secrets are logically associated with Azure tenants, so each time you use a new subscription and Tenant ID, you must use a new Client Secret.
  • Standard Azure storage (required): A storage account for Azure virtual machines (VHD files), the template file that you use to deploy Azure virtual machines, and the boot diagnostics files for those machines. When you specify Premium storage, which is optional, the virtual machines are stored there, and the template and boot diagnostics files remain in Standard storage.

    The storage account must already have been created in the Azure portal, and the name you enter must match the name in the portal. For details, see Create a storage account below.

  • Premium storage (optional): Optional additional storage for Azure virtual machines (VHD files). Premium storage only supports page blobs and cannot be used to store the template file for deploying Azure virtual machines or the boot diagnostics files for those virtual machines. When you specify a premium storage account, the virtual machine sizes available are limited to those that support premium storage.

    The storage account must already have been created in the Azure portal, and the name you enter must match the name in the portal. For details, see Create a storage account below.

Required Azure storage account

Any account you use for App Layering must meet the following requirements:

  • Must not be a classic storage account.
  • Must be separate from the storage account used for the appliance.
  • Must be in the Azure location where you plan to deploy virtual machines.
  • Can be located in any resource group, as long as the resource group’s location is the same as the account’s location.

Required Standard storage account

One of the following types of Standard Azure storage accounts is required to create a connector configuration.

  • Standard Locally Redundant storage (LRS)
  • Standard Geo-Redundant storage (GRS)
  • Standard Read-Access Geo-Redundant storage (RAGRS)

Premium storage account

In addition to the required Standard account, you can use Premium storage to store your App Layering virtual machine disks.
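The storage requirements above can be checked before the account name goes into the connector. This is an added example, not Citrix code: it assumes account records shaped like Azure Resource Manager storage account JSON (`name`, `type`, `location`, `sku.name`), and the function name, parameters and sample records are hypothetical.

```python
import json

# Standard SKUs this article lists as acceptable for the required Standard account.
STANDARD_SKUS = {"Standard_LRS", "Standard_GRS", "Standard_RAGRS"}
CLASSIC_TYPE = "microsoft.classicstorage/storageaccounts"

def _loc(name):
    # "East US" (portal display name) and "eastus" (ARM name) are the same location.
    return (name or "").replace(" ", "").lower()

def check_storage_account(acct, deploy_location, rg_location,
                          appliance_account, tier="standard"):
    """Return a list of requirement violations; an empty list means the account passes."""
    problems = []
    if (acct.get("type") or "").lower() == CLASSIC_TYPE:
        problems.append("classic storage account")
    if (acct.get("name") or "").lower() == appliance_account.lower():
        problems.append("same account as the appliance")
    if _loc(acct.get("location")) != _loc(deploy_location):
        problems.append("not in the VM deployment location")
    if _loc(rg_location) != _loc(acct.get("location")):
        problems.append("resource group location differs from account location")
    sku = (acct.get("sku") or {}).get("name", "")
    if tier == "standard" and sku not in STANDARD_SKUS:
        problems.append(f"SKU {sku or 'unknown'} is not Standard LRS, GRS or RAGRS")
    if tier == "premium" and not sku.startswith("Premium_"):
        problems.append(f"SKU {sku or 'unknown'} is not a Premium SKU")
    return problems

# Constructed sample records (not real accounts).
GOOD = json.loads('{"name": "examplelayers", "location": "eastus",'
                  ' "type": "Microsoft.Storage/storageAccounts",'
                  ' "sku": {"name": "Standard_GRS"}}')
BAD = json.loads('{"name": "exampleappliance", "location": "westeurope",'
                 ' "type": "Microsoft.ClassicStorage/storageAccounts",'
                 ' "sku": null}')

if __name__ == "__main__":
    for acct in (GOOD, BAD):
        print(acct["name"],
              check_storage_account(acct, "East US", "eastus", "exampleappliance"))
```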

Servers that the appliance communicates with

Using this connector, the appliance communicates with the following servers:


The appliance requires network connections with these servers.

Set up your Azure subscription(s)

Use the following procedures for each Azure subscription that you want to connect to using the App Layering appliance.

Set up and retrieve your Azure credentials

To retrieve Azure credentials when adding a new Azure connector configuration:

  • Identify your Azure Subscription ID.
  • Create an App Registration in Azure Active Directory.
  • Retrieve the Azure Tenant ID, Client ID, and Client Secret from the App Registration.
  • Create a new storage account, or use an existing one inside the subscription. The output of this is the Storage Account Name.

Identify the correct Azure Subscription ID

  1. Go to the Azure portal.
  2. In the left sidebar, click Subscriptions. When Subscriptions isn’t listed, click More Services and search for Subscriptions in that window.
  3. In the Subscriptions window, locate and click the Azure subscription you want to use for your deployment.
  4. On the next menu, click Overview. The Subscription ID is located in the top left of the window that appears.
  5. Enter the information from the Subscription ID box in the App Layering Azure Connector UI.

Create an app registration for each Azure subscription

You must create a new app registration for each Azure subscription for which you want to create connector configurations.


You can use one Azure subscription for multiple Azure connector configurations.

To create an app registration:

  1. Log into the Azure portal.
  2. In the left sidebar, click Azure Active Directory. When this isn’t listed, click More Services and search for Azure Active Directory.
  3. In the menu that appears, click App registrations.
  4. Click New application registration at the top of the new window. A new form appears for you to fill out.
  5. In the Name field, type a descriptive name, such as Citrix App Layering access.
  6. For Application type, select Web app / API.
  7. For Sign-on URL, type http://nothing.
  8. Click Create.
  9. In the list of App registrations, click the new app registration that you created in the preceding procedure. It contains the name you entered.
  10. In the new window that appears, the Application ID appears near the top. Enter this value into the Client ID box in the App Layering Azure Connector UI.
  11. In the Settings menu on the right, click Properties.
  12. Find the App ID URI field in the Properties window that appears.
  13. The Tenant ID you need is in the middle of the App ID URI. The Tenant ID is everything after the https:// portion of the App ID URI, up until the next slash. For example, if your App ID URI is this: Then your Tenant ID is this:
  14. Copy the Tenant ID and enter it into the Tenant ID box in the App Layering Azure Connector UI.
  15. In the Settings menu, click Keys.
  16. In the Keys window that appears, click Key description and type a description, such as App Layering Key 1.
  17. Click the drop-down menu under Expires and select any value.
  18. Click Save at the top of the Keys window.
  19. The key value appears under Value and is your Client Secret. Type this value into the Client Secret box in the App Layering Azure Connector UI.


    This key does not appear again after you close this window. This key is sensitive information. Treat the key like a password that allows administrative access to your Azure subscription. Open the settings of the app registration you just created in Azure Active Directory > App registrations > [name you just entered] > Settings > Properties.

  20. Click Subscriptions in the left sidebar. This closes all open windows and brings you to the Subscriptions window. When Subscriptions isn’t listed, click More Services and search for Subscriptions in that window.
  21. Click the subscription you are using for this connector.
  22. In the menu that opens, click Access Control (IAM).
  23. In the window that appears, click Add on the top bar.
  24. The Add permissions form appears on the right. Click the drop-down for Role and select Contributor.
  25. In the Select box, type Citrix App Layering Access or use the name you entered for the Application registration in step 5 and then press Enter.
  26. Click the name you configured, such as Citrix App Layering Access (or the name you used).
  27. Click Save on the bottom of this form.

You have now set up an Azure app registration that has read/write access to your Azure subscription.
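Because the Client Secret carries whatever the app registration has been granted, it is worth confirming that the only grant is the Contributor role on this one subscription. The following added example (not part of the Citrix procedure) classifies role assignments supplied as JSON with the `roleDefinitionName` and `scope` fields that `az role assignment list` prints; the function name, finding labels and sample data are hypothetical.

```python
import json

def audit_assignments(assignments, subscription_id, expected_role="Contributor"):
    """Compare an app registration's role assignments with the single grant
    the procedure makes: expected_role at /subscriptions/<subscription_id>."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings, has_expected = [], False
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").rstrip("/").lower()
        if scope == sub_scope and role == expected_role:
            has_expected = True  # the grant made in the Access Control (IAM) steps
        elif scope == sub_scope or scope.startswith(sub_scope + "/"):
            # Same subscription, but a different role or a narrower duplicate.
            findings.append(("unexpected-role-or-scope", role, scope))
        elif scope.startswith("/subscriptions/"):
            findings.append(("other-subscription", role, scope))
        else:
            # Root ("/") or management-group scope is inherited by the subscription.
            findings.append(("above-subscription", role, scope))
    return {"has_expected": has_expected, "findings": findings}

# Constructed sample data; the subscription IDs are placeholders.
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
  {"roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/example-mg"}
]""")

if __name__ == "__main__":
    report = audit_assignments(SAMPLE, SUB)
    print("expected grant present:", report["has_expected"])
    for kind, role, scope in report["findings"]:
        print(f"{kind}: {role} at {scope}")
```

An empty `findings` list with `has_expected` set to true means the app registration holds exactly what this procedure configured.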

Set up the necessary Storage Account(s)

The Azure storage account(s) are where the App Layering software stores all images imported from and published to Azure (virtual hard disks, or VHDs), along with the template file that you use to deploy Azure virtual machines, and the boot diagnostics files for those machines.

Use existing storage account

You can use an existing storage account. It must meet these requirements:

  • Cannot be a classic storage account.
  • Must be in the same subscription you’ve already used in this connector.

When these requirements are met you can:

  • Enter the Name of the storage account in the Storage account name field in the App Layering Azure connector configuration wizard.

Create a new storage account

If you don’t have a storage account, you must create one.

  1. Click Storage accounts in the left sidebar. Do not select Storage Accounts classic. When Storage isn’t listed, click More Services and search for Storage accounts there.
  2. In the Storage accounts window that appears, click Add.
  3. In Name, enter a name that you’ll remember.
  4. In Deployment model, select Resource manager.
  5. In Account kind, select General purpose.
  6. In Performance, select Standard or Premium, based on the type of storage account you need.
  7. In Replication, any value is OK. Read more about the choices here.
  8. In Storage service encryption, select Disabled.
  9. In Subscription, select the same subscription you have been using throughout this process.
  10. In Resource group, select Create New and enter a name that is similar to your Storage account’s name.
  11. In Location, select a location that is closest to your organization.
  12. Click Create.
  13. In the App Layering Azure Connector UI, enter the Storage account name.

What to do if your Azure Client Secret is lost

You can generate a new Azure Client Secret. For details, see the steps in the Create an app registration for each Azure subscription section earlier in this article.

Add a Connector Configuration

When all requirements are ready, create an Azure connector configuration:

  1. In the wizard for creating a Layer or for adding a Layer Version, click the Connector tab.
  2. Under the list of Connector Configurations, click New. A dialog box opens.
  3. Select the Connector Type for the platform and location where you are creating the Layer or publishing the image. Then click New to open the Connector Configuration page.
  4. Complete the fields on the Connector Configuration page. For guidance, see the field definitions.
  5. Click the TEST button to verify that the appliance can access the location specified using the credentials supplied.
  6. Click Save. The new Connector Configuration appears on the Connector tab.

Azure data structure (Reference)

The Azure data structure is as follows:


  • Tenant ID
  • App Registration
    • Client ID
    • Client Secret
  • Subscription
    • Subscription ID
    • Storage Account
      • Storage Account Name


  • Tenant is your Azure Active Directory instance that users and applications can use to access Azure. The Tenant is identified by your Tenant ID. A Tenant can have access to one or more Azure Subscriptions.
  • The Azure Active Directory Tenant contains two types of accounts.
    • A User Account for logging into the Azure portal (
    • An App Registration for accessing the subscription has a Client ID.
      • The Client ID has a Client Secret, instead of a password.
      • Users can generate the Client Secret, and delete it.
  • An Azure Subscription contains everything that can be created in Azure, except for user accounts.
  • A Subscription contains Storage Accounts. This is where App Layering VHDs are stored. It is identified by a Storage Account Name.