diff --git a/README.md b/README.md
index 559b51c..46058b6 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 | Name | Version |
 |------|---------|
+| [azuread](#provider\_azuread) | ~>2.53 |
 | [azurerm](#provider\_azurerm) | ~>3.114 |
 | [random](#provider\_random) | ~>3.6 |
 | [tls](#provider\_tls) | ~>4.0 |
@@ -76,33 +77,40 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 ## Resources
+- resource.azuread_application.main (/terraform-docs/main.tf#205)
+- resource.azuread_service_principal.main (/terraform-docs/main.tf#211)
+- resource.azuread_service_principal_password.main (/terraform-docs/main.tf#216)
 - resource.azurerm_key_vault.main (/terraform-docs/main.tf#131)
+- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#220)
+- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#225)
 - resource.azurerm_key_vault_secret.openai_api_key (/terraform-docs/main.tf#196)
-- resource.azurerm_key_vault_secret.postgres_passwords (/terraform-docs/main.tf#352)
-- resource.azurerm_key_vault_secret.postgres_users (/terraform-docs/main.tf#341)
-- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#518)
-- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#284)
-- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#292)
-- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#210)
-- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#261)
-- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#254)
-- resource.azurerm_postgresql_flexible_server_database.main (/terraform-docs/main.tf#276)
-- resource.azurerm_postgresql_flexible_server_firewall_rule.main (/terraform-docs/main.tf#268)
+- resource.azurerm_key_vault_secret.postgres_passwords (/terraform-docs/main.tf#380)
+- resource.azurerm_key_vault_secret.postgres_users (/terraform-docs/main.tf#369)
+- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#555)
+- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#312)
+- 
resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#320)
+- resource.azurerm_postgresql_flexible_server.main (/terraform-docs/main.tf#238)
+- resource.azurerm_postgresql_flexible_server_configuration.mandatory_configurations (/terraform-docs/main.tf#289)
+- resource.azurerm_postgresql_flexible_server_configuration.optional_configurations (/terraform-docs/main.tf#282)
+- resource.azurerm_postgresql_flexible_server_database.main (/terraform-docs/main.tf#304)
+- resource.azurerm_postgresql_flexible_server_firewall_rule.main (/terraform-docs/main.tf#296)
 - resource.azurerm_private_dns_zone.blob (/terraform-docs/main.tf#92)
 - resource.azurerm_private_dns_zone.dfs (/terraform-docs/main.tf#110)
 - resource.azurerm_private_dns_zone.file (/terraform-docs/main.tf#74)
 - resource.azurerm_private_dns_zone_virtual_network_link.blob (/terraform-docs/main.tf#98)
 - resource.azurerm_private_dns_zone_virtual_network_link.dfs (/terraform-docs/main.tf#116)
 - resource.azurerm_private_dns_zone_virtual_network_link.file (/terraform-docs/main.tf#80)
-- resource.azurerm_private_endpoint.blob (/terraform-docs/main.tf#381)
-- resource.azurerm_private_endpoint.dfs (/terraform-docs/main.tf#421)
-- resource.azurerm_private_endpoint.file (/terraform-docs/main.tf#401)
+- resource.azurerm_private_endpoint.blob (/terraform-docs/main.tf#418)
+- resource.azurerm_private_endpoint.dfs (/terraform-docs/main.tf#458)
+- resource.azurerm_private_endpoint.file (/terraform-docs/main.tf#438)
 - resource.azurerm_private_endpoint.key_vault (/terraform-docs/main.tf#157)
 - resource.azurerm_role_assignment.key_vault_secret_officer__current (/terraform-docs/main.tf#187)
 - resource.azurerm_role_assignment.key_vault_secret_user__aks (/terraform-docs/main.tf#182)
-- resource.azurerm_storage_account.main (/terraform-docs/main.tf#367)
-- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#205)
-- resource.tls_private_key.aks (/terraform-docs/main.tf#445)
+- 
resource.azurerm_role_assignment.storage_container_models__data_contributor (/terraform-docs/main.tf#413)
+- resource.azurerm_storage_account.main (/terraform-docs/main.tf#395)
+- resource.azurerm_storage_container.models (/terraform-docs/main.tf#409)
+- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#233)
+- resource.tls_private_key.aks (/terraform-docs/main.tf#482)
 - data source.azurerm_client_config.current (/terraform-docs/main.tf#51)
 - data source.azurerm_resource_group.main (/terraform-docs/main.tf#48)
 - data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#57)
diff --git a/main.tf b/main.tf
index 1497d49..6ff0c4d 100644
--- a/main.tf
+++ b/main.tf
@@ -201,6 +201,34 @@ resource "azurerm_key_vault_secret" "openai_api_key" {
+# ------ Identity ------ #
+resource "azuread_application" "main" {
+ display_name = format("%s.nebuly.platform", var.resource_prefix)
+ owners = [data.azurerm_client_config.current.object_id]
+ sign_in_audience = "AzureADMyOrg" # default
+ identifier_uris = []
+}
+resource "azuread_service_principal" "main" {
+ client_id = azuread_application.main.client_id
+ owners = [data.azurerm_client_config.current.object_id]
+ app_role_assignment_required = true
+}
+resource "azuread_service_principal_password" "main" {
+ service_principal_id = azuread_service_principal.main.id
+ end_date_relative = null
+}
+resource "azurerm_key_vault_secret" "azuread_application_client_id" {
+ key_vault_id = azurerm_key_vault.main.id
+ name = format("%s-azure-client-id", var.resource_prefix)
+ value = azuread_application.main.application_id
+}
+resource "azurerm_key_vault_secret" "azuread_application_client_secret" {
+ key_vault_id = azurerm_key_vault.main.id
+ name = format("%s-azure-client-secret", var.resource_prefix)
+ value = azuread_application.main.application_id
+}
+
+
 # ------ Database Server ------ #
 resource "random_password" "postgres_server_admin_password" {
 length = 16
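Review bot: `azurerm_key_vault_secret.azuread_application_client_secret` stores `azuread_application.main.application_id`, the same value as the client-id secret, so the password created by `azuread_service_principal_password.main` never reaches the key vault; the line should read `value = azuread_service_principal_password.main.value`. As written, anything reading the `-azure-client-secret` entry receives a public identifier and cannot authenticate, while the real credential exists only in Terraform state (it is held there in plaintext in either case, which deserves a comment on the resource). `end_date_relative = null` leaves the credential lifetime to whatever the provider and Graph API apply by default rather than a deliberate choice; an explicit `end_date_relative` (optionally driven by a `time_rotating` resource through `rotate_when_changed`, if that argument is available in the pinned azuread version) plus a matching `expiration_date` on the key vault secret would keep the two in step. The service-principal block already uses `client_id`, whereas both key vault secrets read `application_id`, which I believe recent azuread 2.x releases mark deprecated in favour of `client_id`; using `azuread_application.main.client_id` in both keeps the hunk consistent.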
@@ -378,6 +406,15 @@ resource "azurerm_storage_account" "main" {
 tags = var.tags
 }
+resource "azurerm_storage_container" "models" {
+ storage_account_name = azurerm_storage_account.main.name
+ name = "ai-models"
+}
+resource "azurerm_role_assignment" "storage_container_models__data_contributor" {
+ role_definition_name = "Storage Blob Data Contributor"
+ principal_id = azuread_service_principal.main.object_id
+ scope = azurerm_storage_container.models.id
+}
 resource "azurerm_private_endpoint" "blob" {
 name = "${azurerm_storage_account.main.name}-blob"
 location = var.location
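Review bot: The role assignment's `scope = azurerm_storage_container.models.id` is, with the `azurerm ~>3.114` pin this module declares, the container's data-plane URL (`https://<account>.blob.core.windows.net/ai-models`) rather than an ARM resource ID as far as I recall, so the assignment would be rejected as an invalid scope; `scope = azurerm_storage_container.models.resource_manager_id` is the attribute meant for this. The principal is a service principal created in the same apply, so the assignment is also exposed to the well-known directory replication lag that surfaces as a PrincipalNotFound error on first run; `skip_service_principal_aad_check = true` (or `principal_type = "ServicePrincipal"`) on the role assignment avoids that. The container relies on the provider default for `container_access_type`; since this bucket holds model artefacts consumed through a private endpoint, stating `container_access_type = "private"` explicitly would make the intent reviewable rather than implicit.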