An Azure service principal is a security identity used by applications, services, and automation tools to access designated Azure resources. The service principal is effectively a ‘user identity’ (an ID and a password) with a role and permissions assigned in Azure Active Directory (AAD). Unlike a general user identity, a service principal should be granted only the specific permissions it needs. In this example, a new Service Principal will be created in AAD and assigned to an Azure Resource Group. Read here for the steps to register a new Service Principal using the Azure ARM Portal.
Using PowerShell
1. Login to the Azure subscription

    # Login to Azure Subscription (interactive sign-in with your own account)
    Connect-AzureRmAccount -Subscription '<Your Subscription Name>'

2. Declare variables

    # Declare Variables
    $subscriptionId = '<YOUR SUBSCRIPTION ID>'
    $tenantId       = '<YOUR TENANT ID>'
    # This password becomes the service principal's client secret; keep it out of source control.
    $securePassword = ConvertTo-SecureString -AsPlainText -Force -String 'YOUR SECURE PASSWORD OF CHOICE'

3. Create the Azure Active Directory Application

    $azureAdApplication = New-AzureRmADApplication `
        -DisplayName "Login" `
        -HomePage "http://alvarnet.com" `
        -IdentifierUris "http://alvarnet.com" `
        -Password $securePassword

4. Create the service principal for the new Azure AD Application

    $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

5. Assign the Service Principal the Contributor Role

    # Without -Scope or -ResourceGroupName the assignment is made at subscription scope.
    New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
        -ServicePrincipalName $azureAdApplication.ApplicationId

6. Login to the Azure subscription using the new Service Principal

    $subscription = Get-AzureRmSubscription -SubscriptionName '<YOUR SUBSCRIPTION NAME>'
    # The user name is the application ID; the password is the secret set in step 2.
    $azureAdApplicationCred = Get-Credential `
        -UserName $azureAdApplication.ApplicationId `
        -Message 'Enter password'
    Connect-AzureRmAccount -ServicePrincipal `
        -SubscriptionId $subscription.SubscriptionId `
        -Tenant $subscription.TenantId `
        -Credential $azureAdApplicationCred
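As an added example (not code from the original post), the same creation steps with the Contributor assignment limited to a single resource group, as the introduction intends, followed by a check that the principal holds no broader assignment. The resource group name, the generated secret and the retry loop are assumptions.

```powershell
# Added example: least-privilege variant of steps 2-5 above.
$resourceGroupName = 'rg-automation'   # assumed: the only group this principal should manage

# Generate a random secret instead of choosing one by hand; it is never written to disk here.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$securePassword = ConvertTo-SecureString -AsPlainText -Force `
    -String ([Convert]::ToBase64String($bytes))

$app = New-AzureRmADApplication -DisplayName "Login" `
    -HomePage "http://alvarnet.com" -IdentifierUris "http://alvarnet.com" `
    -Password $securePassword
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# A freshly created principal can take a moment to replicate, so retry the assignment.
$rgScope = (Get-AzureRmResourceGroup -Name $resourceGroupName).ResourceId
for ($attempt = 1; $attempt -le 5; $attempt++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
            -ServicePrincipalName $app.ApplicationId `
            -ResourceGroupName $resourceGroupName -ErrorAction Stop
        break
    } catch {
        Start-Sleep -Seconds 10
    }
}

# Verify: an assignment is too broad if its scope is a strict prefix of the resource
# group scope (subscription level) or sits at a management group.
$assignments = Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId
$tooBroad = $assignments | Where-Object {
    ($_.Scope -ne $rgScope -and $rgScope.StartsWith($_.Scope, 'OrdinalIgnoreCase')) -or
    $_.Scope -like '/providers/Microsoft.Management/*'
}
if ($tooBroad) {
    Write-Warning "Principal $($app.ApplicationId) has assignments above the resource group:"
    $tooBroad | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Output "All assignments for $($app.ApplicationId) are scoped to $rgScope or below."
}
```

Run the check again after any later role change; it reports nothing about permissions inherited from group membership, only direct assignments to this principal.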
In the Azure portal, the Login Service Principal is listed in the Azure Active Directory App Registrations: