
docs(azure-batch): correct credential field labels and managed identity guidance#1396

Open
justinegeffen wants to merge 7 commits into master from justine-azure-cloud-batch-fixes


@justinegeffen

Contributor

Summary

Cloud-side companion to the Azure Batch get-well docs work. Sourced from the engineering Confluence page on Azure Batch Entra Credentials & Managed Identity. The same fixes are being applied separately to the enterprise doc on the get-well branch.

Tier 1 (correctness)

  • Fix swapped Tenant ID / Client ID field labels in the Entra credential instructions. Tenant ID maps to Directory (tenant) ID in Azure; Client ID maps to Application (client) ID.
  • Add Managed Identity Operator role to the service principal role list. Without this role, Seqera cannot attach the managed identity to a Batch pool.
  • Rename Azure Batch Data Contributor to Azure Batch Contributor — the built-in role sufficient for management-plane pool creation, narrower than general Contributor.
  • Consolidate the storage role to Storage Blob Data Contributor (the previously-listed Storage Blob Data Reader was redundant — Contributor is a superset).

Tier 2 (conceptual gaps)

  • Document why managed identities require Entra credentials: pool creation with MI uses the Azure Batch management plane, which only accepts AAD tokens. Shared-key credentials cannot create pools with managed identities.
  • Add AcrPull role guidance on the managed identity for Azure Container Registry image pulls.
  • Document the four managed identity fields in the compute environment form (a client ID and a resource ID for both head and worker pool):
    • Resource IDs are used to attach the managed identity to the pool VMs at pool-create time.
    • Client IDs are used by Nextflow, Fusion, and AzCopy on the pool VM to tell the Azure Instance Metadata Service which managed identity to mint a token for.
  • Document how the four fields work for single-pool vs dual-pool topologies.

Test plan

  • Verify Azure Batch Contributor is the correct built-in role name with engineering (Jon Martí or Forge team)
  • Confirm removing Storage Blob Data Reader from the SP role list doesn't break any documented setup
  • Visual review of the rendered Managed identity section in the deploy preview

🤖 Generated with Claude Code
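Added example, not part of this pull request or the Seqera docs: a Python check for the mix-up that the resource ID / client ID distinction described above invites, plus the token request a process on the pool VM sends to the Azure Instance Metadata Service with the client ID. The field names and sample values are hypothetical and constructed; the resource ID format and the IMDS endpoint are Azure's.

```python
import re
from urllib.parse import urlencode

# Azure Instance Metadata Service token endpoint (link-local, only reachable from the VM).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# ARM resource ID of a user-assigned managed identity.
MI_RESOURCE_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I)

# Hypothetical names for the four managed identity fields of the form.
FIELDS = {
    "head_client_id": GUID, "head_resource_id": MI_RESOURCE_ID,
    "worker_client_id": GUID, "worker_resource_id": MI_RESOURCE_ID,
}

def check_identity_fields(cfg):
    """Return a list of problems; empty fields are skipped."""
    problems = []
    for name, pattern in FIELDS.items():
        value = cfg.get(name, "").strip()
        if not value or pattern.match(value):
            continue
        if name.endswith("_resource_id") and GUID.match(value):
            problems.append(f"{name}: got a client ID (GUID), expected an ARM resource ID")
        elif name.endswith("_client_id") and MI_RESOURCE_ID.match(value):
            problems.append(f"{name}: got a resource ID, expected a client ID (GUID)")
        else:
            problems.append(f"{name}: unrecognised format")
    return problems

def imds_token_request(client_id, resource="https://storage.azure.com/"):
    """Build (url, headers) for the token request made on the pool VM."""
    if not GUID.match(client_id):
        raise ValueError("client_id must be a GUID")
    query = urlencode({"api-version": "2018-02-01", "resource": resource,
                       "client_id": client_id})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}

# Constructed sample: the head pool values are pasted into the wrong boxes.
MI_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/")
SAMPLE = {
    "head_client_id": MI_PREFIX + "mi-head",
    "head_resource_id": "11111111-1111-1111-1111-111111111111",
    "worker_client_id": "22222222-2222-2222-2222-222222222222",
    "worker_resource_id": MI_PREFIX + "mi-worker",
}
```
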

…ty guidance

- Fix swapped Tenant ID / Client ID field labels in the Entra credential
  instructions (Tenant ID maps to Directory (tenant) ID; Client ID maps to
  Application (client) ID).
- Add Managed Identity Operator role assignment for the service principal,
  required to attach a managed identity to a Batch pool.
- Rename Azure Batch Data Contributor to Azure Batch Contributor (the
  built-in role sufficient for management-plane pool creation).
- Add AcrPull role guidance on the managed identity for ACR image pulls.
- Document why managed identities require Entra credentials (management-plane
  pool creation only accepts AAD tokens).
- Document the four managed identity fields (resource ID vs client ID, head
  vs worker pool) and how they work in single-pool and dual-pool topologies.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented May 6, 2026


Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit b446ffc
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a28486b42c5550008f1c21d
😎 Deploy Preview https://deploy-preview-1396--seqera-docs.netlify.app

@justinegeffen justinegeffen added the 1. Dev/PM/SME Needs a review by a Dev/PM/SME label May 6, 2026
@justinegeffen

Contributor Author

fix formatting

@justinegeffen

Contributor Author

@jonmarti, I opened this PR based on the Confluence pages you shared. Curious as to whether these changes are accurate.

Comment thread platform-cloud/docs/compute-envs/azure-batch.md Outdated
@jonmarti

jonmarti commented Jun 9, 2026

Contributor

Hey Justine — apologies for the late review, this one slipped past me when you opened it two weeks ago. 🙏

One small thing on the PR description: the Tier 1 section calls the role Azure Batch Contributor ("Rename Azure Batch Data Contributor to Azure Batch Contributor"). That's actually the regression I flagged in the inline comment — Data Contributor was already correct in the previous version of the doc and is the right name to keep. Worth dropping that rename bullet from the description so it matches what we end up shipping.

And the Test plan item "Verify Azure Batch Contributor is the correct built-in role name with engineering (Jon Martí or Forge team)" — confirmed: it's not, per Microsoft Learn and the resolved thread on #1315. Everything else in the PR looks great.

Co-authored-by: Jon Martí <jmartifraiz@gmail.com>
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>