https://community.cloudera.com/t5/Support-Questions/CDP-on-Azure-Creation-failed-freelpa-creation-operation/m-p/304304#M221976 <P>Hi Valerio,</P><P>&nbsp;</P><P>First, regarding the app role, I think the quick start doc page is out of date (I reported this to our doc team).</P><P>You do not need to create a custom role, as long as you create your credential app like this (replace subscriptionId with your ID):</P><LI-CODE lang="python">az ad sp create-for-rbac \ --name http://your-cloudbreak-app \ --role Contributor \ --scopes /subscriptions/{subscriptionId}</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Secondly, did you run <A href="https://docs.cloudera.com/management-console/cloud/azure-quickstart/topics/mc-azure-quickstart-assign-roles.html" target="_self">step 3</A> completely?</P><P>Specifically, after the quick start, make sure to run this in an Azure bash shell post quickstart deployment (replace YOUR_SUBSCRIPTION_ID and YOUR_RG with the values used in quickstart):</P><LI-CODE lang="python">export SUBSCRIPTIONID="YOUR_SUBSCRIPTION_ID" export RESOURCEGROUPNAME="YOUR_RG" export STORAGEACCOUNTNAME=$(az storage account list -g $RESOURCEGROUPNAME|jq '.[]|.name'| tr -d '"') export ASSUMER_OBJECTID=$(az identity list -g $RESOURCEGROUPNAME|jq '.[]|{"name":.name,"principalId":.principalId}|select(.name | test("AssumerIdentity"))|.principalId'| tr -d '"') export DATAACCESS_OBJECTID=$(az identity list -g $RESOURCEGROUPNAME|jq '.[]|{"name":.name,"principalId":.principalId}|select(.name | test("DataAccessIdentity"))|.principalId'| tr -d '"') export LOGGER_OBJECTID=$(az identity list -g $RESOURCEGROUPNAME|jq '.[]|{"name":.name,"principalId":.principalId}|select(.name | test("LoggerIdentity"))|.principalId'| tr -d '"') export RANGER_OBJECTID=$(az identity list -g $RESOURCEGROUPNAME|jq '.[]|{"name":.name,"principalId":.principalId}|select(.name | test("RangerIdentity"))|.principalId'| tr -d '"') # Assign Managed Identity Operator role to the assumerIdentity principal at subscription scope az role assignment create --assignee $ASSUMER_OBJECTID --role 'f1a07417-d97a-45cb-824c-7a7467783830' --scope "/subscriptions/$SUBSCRIPTIONID" # Assign Virtual Machine Contributor role to the assumerIdentity principal at subscription scope az role assignment create --assignee $ASSUMER_OBJECTID --role '9980e02c-c2be-4d73-94e8-173b1dc7cf3c' --scope "/subscriptions/$SUBSCRIPTIONID" # Assign Storage Blob Data Contributor role to the loggerIdentity principal at logs filesystem scope az role assignment create --assignee $LOGGER_OBJECTID --role 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' --scope "/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME/providers/Microsoft.Storage/storageAccounts/$STORAGEACCOUNTNAME/blobServices/default/containers/logs" # Assign Storage Blob Data Owner role to the dataAccessIdentity principal at logs/data filesystem scope az role assignment create --assignee $DATAACCESS_OBJECTID --role 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' --scope "/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME/providers/Microsoft.Storage/storageAccounts/$STORAGEACCOUNTNAME/blobServices/default/containers/data" az role assignment create --assignee $DATAACCESS_OBJECTID --role 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' --scope "/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME/providers/Microsoft.Storage/storageAccounts/$STORAGEACCOUNTNAME/blobServices/default/containers/logs" # Assign Storage Blob Data Contributor role to the rangerIdentity principal at data filesystem scope az role assignment create --assignee $RANGER_OBJECTID --role 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' --scope "/subscriptions/$SUBSCRIPTIONID/resourceGroups/$RESOURCEGROUPNAME/providers/Microsoft.Storage/storageAccounts/$STORAGEACCOUNTNAME/blobServices/default/containers/data" </LI-CODE><P><BR /><BR /></P><P>Let me know if that works out for you.</P> Tue, 13 Oct 2020 21:25:22 GMT pvidal 2020-10-13T21:25:22Z