How to create an Azure Service Principal for running your Powershell Scripts

An Azure Service Principal can be thought of as a service account: an identity you use to sign in as an application, for example from a PowerShell script, instead of as a person. The advantage of a Service Principal is that its access rights and credentials (client secrets or certificates) are much easier to control and rotate than those of a user account.

So, for example, if you create a Service Principal for a specific application, that Service Principal will only have access to the resources you have explicitly granted it a role on, and nothing else. It also does not consume a license the way a user account normally would.

Now if you want to learn more about Service Principals I highly suggest you read the Microsoft Docs which can be found here

But if you are more interested in just learning how to create one and how it works, then just keep on reading.

Prerequisites

Now there are a couple of prerequisites you will need to have in place for this to work:

First of all, you will need to make sure you have the Az Powershell module installed:

Install-Module Az

Next, you will need an account with sufficient rights. Creating the Service Principal itself is an Azure Active Directory operation (your account must be allowed to register applications in the tenant); assigning it a role on a subscription or resource group is an RBAC operation, for which "Contributor" is not enough: you need "Owner" or "User Access Administrator" on that scope. The Azure steps in this post assume at least "Contributor" on your subscription for the day-to-day work.

To check this open:

“Azure Portal” –> “Subscriptions” 

Click on your subscription

Then click on "Access control (IAM)" and on the "Role assignments" tab

Here you should find your user account listed as at least "Contributor"; "Owner" will work as well and is what you need if you also want to assign roles to the Service Principal.

Creating the Service Principal

To create the Service Principal you will need to be connected to Azure from a PowerShell terminal with the "Az" module loaded.

To connect, run the following command (this opens an interactive sign-in, which also works for accounts protected by MFA; the -Credential parameter of Connect-AzAccount only works for accounts without MFA):

Connect-AzAccount -Subscription "<subscription id>"

You can find your subscription id on the same page in the Azure Portal where you checked your role assignment on the subscription.

Then for creating the Service Principal, run the following:

$sp = New-AzADServicePrincipal -DisplayName "azure-automation-sp"

Once the command has run, the object $sp contains, among others, Id (the object id of the Service Principal), DisplayName and AppId (called ApplicationId in older versions of the Az module). It is the AppId, not the Id, that you sign in with, so take note of it. Note that recent versions of the Az module do not assign any role to the new Service Principal; older versions granted it "Contributor" on the whole subscription, which is more than a script usually needs.

You can create a secret for your Service Principal to which will be used as a password to log in with. To do this go to:

“Azure Portal” –> “Azure Active Directory” –> “App registrations” 

Click on “All applications” and click on your newly created Service Principal

then click on “Certificates & Secrets” and click on “+ New client secret”

Then you will need to give the secret a description and an expiration date.

Once this is done, your secret will be shown to you. Copy it and save it somewhere safe, such as a Key Vault or the secret store of your automation platform; the secret is effectively the password of the application, so it does not belong in a script or a repository. Once you move away from this page you will not be able to see the secret again. If that happens, delete the old secret and create a new one. Pick the shortest expiration you can live with and plan to rotate it.
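The same steps, including the role assignment and the client secret, can be done without the portal. The script below is an added example (it is not code from the original post) that creates the Service Principal, grants it a role scoped to a single resource group rather than the whole subscription, and generates a secret with a fixed expiration. It assumes Az.Resources 5.x or later (where the property is AppId and New-AzADAppCredential returns the secret in SecretText); the resource group name, role and display name are assumptions you should replace.

```powershell
# Added example, not part of the original post.
# Assumes an existing Connect-AzAccount session whose account may register
# applications in the tenant and assign roles on the target resource group.
$displayName   = "azure-automation-sp"   # assumed name
$resourceGroup = "rg-automation"         # assumed resource group
$role          = "Reader"                # least privilege for a read-only script
$secretDays    = 90                      # shorter than the portal default

# 1. Create the app registration and its Service Principal.
#    Recent Az.Resources versions assign no role by default.
$sp = New-AzADServicePrincipal -DisplayName $displayName
Write-Host "Created $($sp.DisplayName) with AppId $($sp.AppId)"

# 2. Assign the role on the resource group only, not on the subscription.
#    The new principal can take a few seconds to replicate, so retry on failure.
$scope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzRoleAssignment -ApplicationId $sp.AppId `
            -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Could not assign '$role' on $scope to $($sp.AppId)" }

# 3. Create a client secret with an explicit expiration date.
$credential = New-AzADAppCredential -ApplicationId $sp.AppId `
    -EndDate (Get-Date).AddDays($secretDays)

# 4. Verify what was created: the principal exists and has exactly one role
#    on the intended scope.
$check = Get-AzADServicePrincipal -ApplicationId $sp.AppId
$roles = Get-AzRoleAssignment -ObjectId $check.Id -Scope $scope
Write-Host "Role assignments on ${scope}: $($roles.RoleDefinitionName -join ', ')"

# The secret is shown exactly once. Hand it to a secret store immediately;
# do not write it to a file or commit it anywhere.
Write-Host "Tenant:  $((Get-AzContext).Tenant.Id)"
Write-Host "AppId:   $($sp.AppId)"
Write-Host "Secret:  $($credential.SecretText)   <- store in Key Vault, then clear your terminal"
```

If you need the principal to do more than read, prefer a built-in role that matches the task (for example "Virtual Machine Contributor") on the narrowest scope, rather than "Contributor" on the subscription.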

How to verify the service principal was created successfully

To verify that it worked you can go to:

“Azure Portal” –> “Azure Active Directory” –> “App Registrations”

Click on “All applications”

And here you should see your new Service Principal. From PowerShell you can check the same thing with Get-AzADServicePrincipal -DisplayName "azure-automation-sp".

Signing In with a Service Principal

Now we need to test that the Service Principal works and that we can connect to Azure through a Powershell terminal.

But before you can sign in you will need your tenant id. To find this you can run the following command:

(Get-AzContext).Tenant.Id

Then, to sign in with a service principal you can run the following code:

$user = "<application id>"      # the AppId of the Service Principal, not its object Id
$pass = ConvertTo-SecureString "<Service Principal Secret>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant "<Tenant Id>"
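In a real script the secret should never sit in the source. The following is an added example (not from the original post) of a sign-in script that takes the secret from an environment variable set by the scheduler or CI runner, keeps the Service Principal context out of the on-disk context store, and checks that it actually landed on the expected identity and subscription before doing any work. The parameter names, the AZ_SP_SECRET variable and the certificate alternative at the end are assumptions; the cmdlets are standard Az.

```powershell
# Added example, not part of the original post.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ApplicationId,      # AppId of the Service Principal
    [string] $CertificateThumbprint                      # optional: certificate instead of a secret
)

# Do not persist this principal's tokens in the user's Azure context store.
Disable-AzContextAutosave -Scope Process | Out-Null

if ($CertificateThumbprint) {
    # Certificate-based sign-in: no secret to leak or rotate by hand.
    Connect-AzAccount -ServicePrincipal -ApplicationId $ApplicationId `
        -CertificateThumbprint $CertificateThumbprint `
        -Tenant $TenantId -Subscription $SubscriptionId | Out-Null
} else {
    # Secret-based sign-in: the secret arrives via an environment variable
    # (assumed name AZ_SP_SECRET) injected by the scheduler or pipeline.
    $secret = $env:AZ_SP_SECRET
    if ([string]::IsNullOrEmpty($secret)) { throw "AZ_SP_SECRET is not set" }

    $pass = ConvertTo-SecureString $secret -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($ApplicationId, $pass)
    Connect-AzAccount -ServicePrincipal -Credential $cred `
        -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

    # Drop the plaintext copies as soon as the session exists.
    Remove-Variable secret, pass
    Remove-Item Env:AZ_SP_SECRET -ErrorAction SilentlyContinue
}

# Fail closed if we are not the principal we expect, on the subscription we expect.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ServicePrincipal' -or $ctx.Subscription.Id -ne $SubscriptionId) {
    Disconnect-AzAccount | Out-Null
    throw "Unexpected context: account '$($ctx.Account.Id)' on subscription '$($ctx.Subscription.Id)'"
}
Write-Host "Signed in as $($ctx.Account.Id) on subscription '$($ctx.Subscription.Name)'"

# The actual work goes here; with a Reader role this is all the principal can do.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location | Format-Table

# End the session so the tokens do not outlive the script.
Disconnect-AzAccount | Out-Null
```

Run it as, for example, `.\Invoke-AzScript.ps1 -TenantId <tenant id> -SubscriptionId <subscription id> -ApplicationId <application id>` with AZ_SP_SECRET set in the calling environment. The context check matters in shared runners: if a previous job left a user context behind and the Service Principal sign-in silently failed, the script would otherwise continue with someone else's permissions.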
