ARM deployment updates

Author: Manika Dhiman

azure-local/deploy/deploy-via-portal.md

@@ -3,21 +3,18 @@ title: Deploy an Azure Local instance using the Azure portal
 description: Learn how to deploy an Azure Local instance from the Azure portal
 author: alkohli
 ms.topic: how-to
-ms.date: 05/01/2025
+ms.date: 05/06/2025
 ms.author: alkohli
 ms.service: azure-local
 #CustomerIntent: As an IT Pro, I want to deploy an Azure Local instance of 1-16 machines via the Azure portal so that I can host VM and container-based workloads on it.
 ---
 
 # Deploy Azure Local using the Azure portal
 
-> Applies to: Azure Local 2503 and later
+::: moniker range=">=azloc-2503"
 
 This article helps you deploy an Azure Local instance using the Azure portal.
 
-> [!IMPORTANT]
-> The Azure portal will block deployments of Azure Local for versions 2411.3 or earlier. To deploy these versions, use an Azure Resource Manager (ARM) template. For more information, see [Deploy Azure Local via Azure Resource Manager deployment template](./deployment-azure-resource-manager-template.md).
-
 ## Prerequisites
 
 - Completion of [Register your machines with Azure Arc and assign deployment permissions](./deployment-arc-register-server-permissions.md).
@@ -339,3 +336,11 @@ You might need to connect to the system via RDP to deploy workloads. Follow thes
 
 - If you didn't create workload volumes during deployment, create workload volumes and storage paths for each volume. For details, see [Create volumes on Azure Local and Windows Server clusters](/windows-server/storage/storage-spaces/create-volumes) and [Create storage path for Azure Local](../manage/create-storage-path.md).
 - [Get support for Azure Local deployment issues](../manage/get-support-for-deployment-issues.md).
+
+::: moniker-end
+
+::: moniker range="<=azloc-24113"
+
+To deploy Azure Local versions 2411.3 or earlier, use the **create-cluster-2411.3** Azure Resource Manager (ARM) template. For more information, see [Deploy Azure Local via Azure Resource Manager deployment template](./deployment-azure-resource-manager-template.md).
+
+::: moniker-end

azure-local/deploy/deployment-arc-register-server-permissions.md

@@ -3,7 +3,7 @@ title: Register your Azure Local machines with Azure Arc and assign permissions
 description: Learn how to Register your Azure Local machines with Azure Arc and assign permissions for deployment. 
 author: alkohli
 ms.topic: how-to
-ms.date: 05/05/2025
+ms.date: 05/06/2025
 ms.author: alkohli
 ms.service: azure-local
 ms.custom: devx-track-azurepowershell
@@ -187,6 +187,13 @@ This section describes how to assign Azure permissions for deployment from the A
 
 1. In the right pane, go to **Role assignments**. Verify that the deployment user has all the configured roles.
 
+1. In the Azure portal, go to **Microsoft Entra Roles and Administrators** and assign the **Cloud Application Administrator** role permission at the Microsoft Entra tenant level.
+
+    :::image type="content" source="media/deployment-arc-register-server-permissions/cloud-application-administrator-role-at-tenant.png" alt-text="Screenshot of the Cloud Application Administrator permission at the tenant level." lightbox="./media/deployment-arc-register-server-permissions/cloud-application-administrator-role-at-tenant.png":::
+
+    > [!NOTE]
+    > The Cloud Application Administrator permission is temporarily needed to create the service principal. After deployment, this permission can be removed. 
+
 ## Next steps
 
 After setting up the first machine in your instance, you're ready to deploy using Azure portal:

azure-local/deploy/deployment-azure-resource-manager-template.md

@@ -3,7 +3,7 @@ title: Azure Resource Manager template deployment for Azure Local, version 23H2
 description: Learn how to prepare and then deploy Azure Local instance, version 23H2 using the Azure Resource Manager template.
 author: alkohli
 ms.topic: how-to
-ms.date: 05/01/2025
+ms.date: 05/06/2025
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.service: azure-local
@@ -24,12 +24,63 @@ This article details how to use an Azure Resource Manager template in the Azure
 - Completion of [Register your machines with Azure Arc and assign deployment permissions](./deployment-arc-register-server-permissions.md). Make sure that:
   - All machines are running the same version of OS.
   - All the machines have the same network adapter configuration.
+
+::: moniker range="<=azloc-24113"
+
 - For Azure Local 2411.3 and earlier versions, make sure to select the **create-cluster-2411.3** template for deployment.
 
+::: moniker-end
+
 ## Step 1: Prepare Azure resources
 
 Follow these steps to prepare the Azure resources you need for the deployment:
 
+### Create a service principal and client secret
+
+To authenticate your system, you need to create a service principal and a corresponding **Client secret** for Arc Resource Bridge (ARB).
+
+### Create a service principal for ARB
+
+Follow the steps in [Create a Microsoft Entra application and service principal that can access resources via Azure portal](/entra/identity-platform/howto-create-service-principal-portal) to create the service principal and assign the roles. Alternatively, use the PowerShell procedure to [Create an Azure service principal with Azure PowerShell](/powershell/azure/create-azure-service-principal-azureps).
+
+The steps are also summarized here:
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a Cloud Application Administrator. Browse to **Identity > Applications > App registrations** then select **New registration**.
+
+1. Provide a **Name** for the application, select a **Supported account type**, and then select **Register**.
+
+    :::image type="content" source="./media/deployment-azure-resource-manager-template/create-service-principal-1a.png" alt-text="Screenshot showing Register an application for service principal creation." lightbox="./media/deployment-azure-resource-manager-template/create-service-principal-1a.png":::
+
+1. Once the service principal is created, go to the **Enterprise applications** page. Search for and select the SPN you created.
+
+   :::image type="content" source="./media/deployment-azure-resource-manager-template/create-service-principal-2a.png" alt-text="Screenshot showing search results for the service principal created." lightbox="./media/deployment-azure-resource-manager-template/create-service-principal-2a.png":::
+
+1. Under properties, copy the **Application (client) ID**  and the **Object ID** for this service principal.
+
+   :::image type="content" source="./media/deployment-azure-resource-manager-template/create-service-principal-2b.png" alt-text="Screenshot showing Application (client) ID and the object ID for the service principal created." lightbox="./media/deployment-azure-resource-manager-template/create-service-principal-2b.png":::
+
+    You use the **Application (client) ID** against the `arbDeploymentAppID` parameter and the **Object ID** against the `arbDeploymentSPNObjectID` parameter in the Resource Manager template.
+
+### Create a client secret for ARB service principal
+
+1. Go to the application registration that you created and browse to **Certificates & secrets > Client secrets**.
+1. Select **+ New client** secret.
+
+    :::image type="content" source="./media/deployment-azure-resource-manager-template/create-client-secret-1.png" alt-text="Screenshot showing creation of a new client secret." lightbox="./media/deployment-azure-resource-manager-template/create-client-secret-1.png":::
+
+1. Add a **Description** for the client secret and provide a timeframe when it **Expires**. Select **Add**.
+
+    :::image type="content" source="./media/deployment-azure-resource-manager-template/create-client-secret-2.png" alt-text="Screenshot showing Add a client secret blade." lightbox="./media/deployment-azure-resource-manager-template/create-client-secret-2.png":::
+
+1. Copy the **client secret value** as you use it later.
+
+    > [!Note]
+    > For the application client ID, you will need it's secret value. Client secret values can't be viewed except for immediately after creation. Be sure to save this value when created before leaving the page.
+
+    :::image type="content" source="./media/deployment-azure-resource-manager-template/create-client-secret-3.png" alt-text="Screenshot showing client secret value." lightbox="./media/deployment-azure-resource-manager-template/create-client-secret-3.png":::
+
+    You use the **client secret value** against the `arbDeploymentAppSecret` parameter in the Resource Manager template.
+
 ### Get the object ID for Azure Local Resource Provider
 
 This object ID for the Azure Local Resource Provide (RP) is unique per Azure tenant.
@@ -76,9 +127,13 @@ With all the prerequisite and preparation steps complete, you're ready to deploy
 
     :::image type="content" source="./media/deployment-azure-resource-manager-template/deploy-arm-template-3a.png" alt-text="Screenshot showing template selected." lightbox="./media/deployment-azure-resource-manager-template/deploy-arm-template-3a.png":::
 
+::: moniker range="<=azloc-24113"
+
     > [!NOTE]
     > For Azure Local 2411.3 and earlier versions, make sure to select the **create-cluster-2411.3** template for deployment.
 
+::: moniker-end
+
 1. On the **Basics** tab, you see the **Custom deployment** page. You can select the various parameters through the dropdown list or select **Edit parameters**.
 
     :::image type="content" source="./media/deployment-azure-resource-manager-template/deploy-arm-template-4a.png" alt-text="Screenshot showing Custom deployment page on the Basics tab." lightbox="./media/deployment-azure-resource-manager-template/deploy-arm-template-4a.png":::