How To Easily Create An Azure Service Principal (Step-by-Step)
Creating an Azure Service Principal can be a great way to securely and efficiently access Azure resources for your applications and services. Sadly, from my experience, it is not as well documented as you’d hope for. Therefore, we will have a look at how to create an Azure Service Principal in a step-by-step manner.
- What is an Azure Service Principal, and why do we need to create one?
- How to create an Azure Service Principal using the CLI?
- How to create an Azure Service Principal through the Azure Portal?
- Problems that can occur
- Conclusion
What is an Azure Service Principal, and why do we need to create one?
An Azure Service Principal is a special type of identity that is used by applications and services to access Azure resources securely and with specific permissions. This is similar to a user account, but it is intended for non-human access (i.e. with a CI/CD pipeline as we can see in this post on creating an azure container app deployment) and can be easily managed and controlled.
There are several reasons why you might want to create an Azure Service Principal:
- To allow applications and services to access Azure resources without using a user account.
- To control and manage the permissions of applications and services in Azure.
- To enable automated processes and services to access Azure resources without human intervention.
- To improve the security of your Azure environment by using separate identities for different purposes.
You can create an Azure Service Principal in two ways. The first one is using the Azure CLI and the second way is through the Azure Portal. I recommend you use the first method because it is a lot easier and saves you a lot of time. In case you do not want to use the CLI or you only have access to the Azure Portal, use the second method.
How to create an Azure Service Principal using the CLI?
If you prefer to use the command line, you can also create an Azure Service Principal using the Azure CLI. This involves the following steps:
- Install the Azure CLI and sign in to your Azure account using the
az login
command. - Create a new Azure Service Principal using the
az ad sp create-for-rbac
command (if you encounter an error, check here):
{content|example} if you find this inside the code then the content before | is what you need to enter, and the content after the | is an example.
Need help or want to share feedback? Join my discord community!
az ad sp create-for-rbac --name {principalname} --role {role|Contributor} --scopes {scope|/subscriptions/{subscription}/resourceGroups/{resourcegroup}}
- Make sure to copy the
appId
,password
andtenant
somewhere safe, as they will be needed to authenticate as the service principal. You have to copy it from a result that looks like this:
{
"appId": "...",
"displayName": "test-principal",
"password": "...",
"tenant": "..."
}
- Grant specific permissions to the service principal using the
az role assignment create
command (you only have to do this if you want to add another role, or change the original):
az role assignment create --assignee {appid} --role {role|Contributor} --scope {scope|/subscriptions/{subscription}/resourceGroups/{resourcegroup}}
- Finally, you can use the
appId
,password
andtenant
to authenticate and authorize your applications and services to access Azure resources using the Azure Service Principal.
az login --service-principal -u {appid} -p {password} --tenant {tenant}
Note that the az ad sp create-for-rbac
command is a convenient way to create an Azure Service Principal and grant it the necessary permissions in a single step. You can also use the az ad sp list
and az ad sp delete
commands to manage your Azure Service Principals from the command line.
How to create an Azure Service Principal through the Azure Portal?
Creating an Azure Service Principal using the Azure portal is a process that involves the following steps:
If this guide is helpful to you and you like what I do, please support me with a coffee!
- Open the Azure portal and sign in with your Azure account.
- In the left menu, click on “Azure Active Directory” and then select “App registrations” from the submenu.
- Click on the “New registration” button to create a new app registration.
- Enter a name for your app registration and select the supported account types. For example, you can choose “Single tenant” if you only want to allow users from your own organization to access the app.
- Click on the “Register” button to create the app registration.
- Once the app registration is created, click on the “Certificates & secrets” option in the left menu and then select the “New client secret” option.
- Enter a description and expiration date for the client secret, and then click on the “Add” button to create it.
- Make sure to copy the client secret value somewhere safe, as it will only be shown once and cannot be retrieved later.
- Finally, go to the resource group you want the service principal to access. When you are there, click on “Access Control (IAM)” and then click on “Add>Add role assignment”.
- Click on the role you want to assign (i.e. Contributor). Then go to member, select assign access to “User, group, or service principal”, and then “Select member”.
- Type the name of the service principal and then select it. Afterward, click on “Review + assign”.
Problems
- Unable to create service principal with azure cli from git bash shell, no connection adapters were found. -> If you encounter this bug, use Windows Powershell
Conclusion
In conclusion, creating an Azure Service Principal is a useful and powerful way to securely and efficiently access Azure resources for your applications and services. While the process is not always well-documented, it is relatively straightforward and can be done using either the Azure CLI or the Azure Portal. By following the steps outlined in this article, you can create an Azure Service Principal and grant it the necessary permissions to access your Azure resources. This can help improve the security of your Azure environment, enable automated processes and services, and control and manage the access of applications and services to your Azure resources.
To stay up-to-date with my latest blog posts on software engineering and updates on my personal projects, make sure to subscribe to my monthly newsletter.
[convertkit form=2303042]