An Azure Service Principal can be thought of as a service account, which you can use to log in as an application, for example from a PowerShell script. The good thing about using a Service Principal is that you can control its access rights and passwords (secrets) much more easily than you can for a user.
So, for example, let's say you create a Service Principal for a specific application: this service principal will only have access to the specific resources you have granted it access to. It also won't take up a license like a user normally would.
Now, if you want to learn more about Service Principals, I highly suggest you read the Microsoft Docs, which can be found here.
But if you are more interested in just learning how to create one and how it works, then keep on reading.
Now there are a couple of prerequisites you will need to have in place for this to work:
First of all, you will need to make sure you have the Az PowerShell module installed:
Next, you will need an account that has at least the “Contributor” Role on your subscription.
To check this open:
“Azure Portal” –> “Subscriptions”
Click on your subscription
Then click on “Access Control (IAM)” and on “Role Assignment”
Here you should find your user account listed as at least contributor, but “Owner” will work as well.
Creating the Service Principal
To create the Service Principal you will need to be connected to Azure through a PowerShell terminal. Here you will need the module "Az".
To connect, run the following commands (the first one prompts for your user account's credentials, which are stored in $cred):
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Subscription $SubscriptionId
You can find your subscription id in the same page in the Azure Portal where you checked your user account Subscription Role.
Then for creating the Service Principal, run the following:
$sp = New-AzADServicePrincipal -DisplayName "azure-automation-sp"
Once the command has run, the object $sp will contain the Id and DisplayName, which can be used for signing in with the service principal. It is a good idea to take note of the Id.
You can create a secret for your Service Principal, which will be used as the password to log in with. To do this go to:
“Azure Portal” –> “Azure Active Directory” –> “App registrations”
Click on "All applications" and click on your newly created Service Principal,
then click on "Certificates & Secrets" and click on "+ New client secret".
Then you will need to give the secret a description and an expiration date.
Once this is done, your secret will be shown to you. Here you will need to copy the secret and save it somewhere safe: once you move away from this page you will not be able to see the secret anymore. If this happens you can always delete the old secret and create a new one.
How to verify the service principal was created successfully
To verify that it worked you can go to:
“Azure Portal” –> “Azure Active Directory” –> “App Registrations”
Click on “All applications”
And here you should see your new Service Principal:
Signing In with a Service Principal
Now we need to test that the Service Principal works and that we can connect to Azure with it through a PowerShell terminal.
But before you can sign in you will need your tenant id. To find it you can run the following command:
Then, to sign in with a service principal you can run the following code:
# Application (client) id of the service principal
$user = "<application id>"
# The client secret created under "Certificates & Secrets"
$pass = ConvertTo-SecureString "<Service Principal Secret>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant "<Tenant Id>"
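As an added example (not code from the original post), the sign-in above turned into a small check script: it reads the client secret from an environment variable instead of pasting it into the script, confirms with Get-AzContext that the session really belongs to the service principal, and lists the role assignments it holds so that anything broader than the application needs can be spotted. It assumes the Az module is installed, that the environment variable SP_CLIENT_SECRET holds the secret, and that the placeholder values and the resource group name are replaced with your own.

```powershell
# Added example, not part of the original post. Assumes the Az module is installed,
# SP_CLIENT_SECRET holds the client secret and the placeholders below are replaced.
$TenantId       = "<Tenant Id>"
$SubscriptionId = "<Subscription Id>"
$AppId          = "<application id>"   # application (client) id of azure-automation-sp
$ResourceGroup  = "<resource group>"   # hypothetical scope used for the read-only check

# Read the secret from the environment so it never lands in the script or the shell history
$secret = $env:SP_CLIENT_SECRET
if ([string]::IsNullOrEmpty($secret)) {
    throw "SP_CLIENT_SECRET is not set; refusing to run with an empty secret."
}
$pass = ConvertTo-SecureString $secret -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($AppId, $pass)

# Sign in as the service principal rather than as a user
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Verify that the resulting context is the service principal we expect
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ServicePrincipal' -or $ctx.Account.Id -ne $AppId) {
    throw "Unexpected context: signed in as $($ctx.Account.Id) ($($ctx.Account.Type))"
}
Write-Host "Signed in as service principal $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

# List the roles the service principal actually holds and where; review anything
# wider than the application needs (for example Contributor at subscription scope)
Get-AzRoleAssignment -ServicePrincipalName $AppId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Confirm access to the intended scope with a read-only call
Get-AzResource -ResourceGroupName $ResourceGroup | Select-Object Name, ResourceType
```

Set the variable in the same session first, e.g. `$env:SP_CLIENT_SECRET = Read-Host -AsSecureString | ConvertFrom-SecureString -AsPlainText` on PowerShell 7, so the secret is typed interactively rather than saved in a file.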