An Azure service principal is a security identity used by applications, services, and automation tools to access designated Azure resources. Unlike a user account, it does not sign in with a username and password: it authenticates with an Application (Client) ID plus a client secret (key) or certificate, and it is assigned a role/permissions in Azure Active Directory (AAD, now Microsoft Entra ID) and on the target resources. A service principal should only be able to do the specific things its application needs, unlike a general user identity. In this example, a new Service Principal will be created in AAD and assigned a role on an Azure Resource Group. Read here for the steps to register a new Service Principal using PowerShell.

Using the Azure Portal

Adding a service principal in the Azure Portal is straightforward.

Go to Azure Active Directory > App registrations > Add New application registration > create a Display Name > Save

Assign a Name and a URL for the web app; both can be changed at any time later.

Azure assigns an Application (Client) ID to the new registration. This ID, together with the key created next, is what the service principal signs in with.

To create the Key (the client secret) for the new Service Principal go to Settings > Keys > enter the Display Name in the Description field > select a Duration > Save. Choose the shortest Duration your rotation schedule allows; the key is a credential and should be treated like a password.

Copy the Key Value and store it somewhere safe (a key vault rather than a script or a ticket) before leaving the Keys blade: the value is shown only once and cannot be retrieved afterwards, only regenerated:

The new Service Principal (Login in this example) appears in the list of Azure Active Directory App registrations:

Now grant the new Service Principal ‘Login’ a role on a specific Resource Group (or Subscription). Go to the Resource Group, Subscription or other Azure object > Access control (IAM) > +Add > select the permission level/Role the service principal will be assigned (Contributor in this example) > type in the display name of the new service principal > Select > Save. Note that role assignments are inherited downwards: every object in the Resource Group (or, if the role is assigned at Subscription level, every Resource Group and object in the Subscription) will now grant the service principal Contributor access. Assign the role at the narrowest scope that covers what the service principal actually needs.

This is a screenshot of the Access control (IAM) blade for a web app; the Service Principal was added at the Subscription level, so the web app inherits the assignment:
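The same procedure scripted with the Azure CLI, as an added example that is not part of the original article. It creates the ‘Login’ service principal with the Contributor role scoped to a single resource group rather than the whole subscription, then lists every role assignment the principal holds and fails if any of them sits at a parent scope (which every object below it would inherit) or is missing. The subscription ID and the resource group name rg-demo are placeholders; the check_scopes function runs offline on constructed input, while create_scoped_sp needs an existing az login session with rights to create app registrations and role assignments.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): scripted equivalent of the
# portal steps above, using the Azure CLI. The subscription id and the resource
# group name "rg-demo" in the usage note are placeholders.
set -eu

# Scope string for a role assignment limited to one resource group.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# check_scopes INTENDED ASSIGNED
#   INTENDED: the scope the role should have been assigned at.
#   ASSIGNED: newline-separated scopes of the role assignments the principal
#             actually holds (as returned by "az role assignment list").
# Prints a line for every assignment that is broader than intended (a parent
# scope, inherited by everything below it) or unrelated to it, and for the
# case where the intended assignment is missing. Returns 0 only when the
# principal holds exactly the intended assignment and nothing else.
check_scopes() {
    local intended="$1" assigned="$2" rc=0 found=0 scope prefix
    while IFS= read -r scope; do
        if [ -z "$scope" ]; then
            continue
        fi
        # "/subscriptions/s" -> "/subscriptions/s/", root "/" -> "/"
        prefix="${scope%/}/"
        case "$intended" in
            "$scope")   found=1 ;;
            "$prefix"*) echo "broader than intended (inherited by $intended): $scope"; rc=1 ;;
            *)          echo "unrelated scope: $scope"; rc=1 ;;
        esac
    done <<EOF
$assigned
EOF
    if [ "$found" -eq 0 ]; then
        echo "missing assignment at intended scope: $intended"
        rc=1
    fi
    return "$rc"
}

# Create the service principal with Contributor on one resource group, then
# verify the principal holds nothing broader than that.
create_scoped_sp() {
    local name="$1" scope app_id assigned
    scope="$(rg_scope "$2" "$3")"

    # Creates the app registration, service principal, client secret and role
    # assignment in one call. The JSON it prints contains the password; this is
    # the only time it is shown, so capture it into a vault, not into a script.
    az ad sp create-for-rbac --name "$name" --role Contributor --scopes "$scope" --output json

    app_id="$(az ad sp list --display-name "$name" --query '[0].appId' --output tsv)"
    assigned="$(az role assignment list --assignee "$app_id" --all --query '[].scope' --output tsv)"
    check_scopes "$scope" "$assigned"
}
```

Run it with `create_scoped_sp Login <subscription-id> rg-demo` after `az login`. If someone later adds the same principal as Contributor at the subscription level through the portal, the check prints the subscription scope as "broader than intended" and returns non-zero, which is the inheritance caveat above turned into something a pipeline can fail on.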