Service Principal
When you want your applications, services, and tools/scripts to access Azure resources, they need an identity. This identity is called a service principal. The idea is that you shouldn't use your own account credentials to run such applications, services, and tools/scripts; it all boils down to the principle of least privilege and to accountability (actions are attributed to the principal, not to a person). Below are common scenarios where a service principal is used.
- Run Automation Tasks
- Continuous Deployment using Team Services
- Azure Runbooks
Service principals rely on a corresponding Azure AD application; the role and scope (the permissions) are applied directly to the service principal, not to the application.
How Do I Create A Service Principal?
So far, we have discussed what a service principal is and why we need it. Let's go ahead and create one. You can create a service principal using the Azure portal, PowerShell, or the Azure CLI, but in this article I will create one using PowerShell.
Pre-requisites
- PowerShell 5.1 or later (the latest version is recommended)
- Azure PowerShell Module
- A valid Azure Subscription
- Valid permissions in Azure AD and in the Azure subscription to create a service principal. Check the required permissions here
Once the above pre-requisites are in place, follow the steps below to create a service principal.
Step 1 - Sign-in Interactively
To sign in interactively, use the Login-AzureRmAccount cmdlet. When run, a login popup will appear as shown below. Enter your username and password to authenticate the PowerShell session and connect to Azure.
Once authenticated successfully, the information below will be displayed. Note down the SubscriptionId, as you will use it to build the scope when creating the service principal.
Step 2 - Create a new Azure AD Application
To create a new Azure AD application, use the New-AzureRmADApplication cmdlet as shown below. The following three parameters are mandatory; the rest are optional.
- DisplayName - Display name of the new application.
- IdentifierUris - The URIs that identify the application.
- Password - The password (client secret) to be associated with the application.
Upon successful execution, the following output will be shown on the console. Note down the ApplicationId, as you will use it to create the service principal.
Step 3 - Create a new Azure AD Service Principal
To create a new Azure AD service principal, use the New-AzureRmADServicePrincipal cmdlet as shown below. All the parameters are optional; if a parameter is not provided, its default value will be used.
- ApplicationId - The unique application id for a service principal in a tenant. Once created, this property cannot be changed. If an application id is not specified, one will be generated.
- Role - The role that the service principal has over the scope. If a value for 'Scope' is provided but no value is provided for 'Role', then 'Role' will default to the 'Contributor' role.
- Scope - The scope that the service principal has permissions on. If a value for 'Role' is provided but no value is provided for 'Scope', then 'Scope' will default to the current subscription.
Upon successful execution, the following output will be shown on the console.
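Putting the three steps together, here is an added example script (not from the original article) that creates a password-based service principal and then verifies exactly which role it holds and where. Rather than accepting the Contributor-on-subscription default described above, it scopes the principal to a single resource group with the Reader role; the resource group name, application name, and the assumption that your AzureRM module's `-Password` parameter takes a SecureString are placeholders/assumptions you should adjust.

```powershell
# Added example, not part of the original article.
# Assumptions: an AzureRM module where New-AzureRmADApplication -Password
# expects a SecureString; $resourceGroup is an existing resource group.
$resourceGroup = 'rg-automation-demo'   # placeholder resource group name
$appName       = 'sp-automation-demo'   # placeholder display name

# Step 1 - sign in interactively and read the SubscriptionId from the context
Login-AzureRmAccount | Out-Null
$context        = Get-AzureRmContext
$subscriptionId = $context.Subscription.Id

# Generate the client secret with a cryptographic RNG instead of typing one in
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainSecret  = [Convert]::ToBase64String($bytes)
$secureSecret = ConvertTo-SecureString -String $plainSecret -AsPlainText -Force

# Step 2 - create the Azure AD application (DisplayName, IdentifierUris, Password)
$app = New-AzureRmADApplication -DisplayName $appName `
    -IdentifierUris "http://$appName" `
    -Password $secureSecret

# Step 3 - create the service principal, scoped to one resource group as Reader.
# Leaving -Role/-Scope unset would grant Contributor on the whole subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId `
    -Role 'Reader' -Scope $scope

# Verify: list every role assignment held by the new principal's object id
Get-AzureRmRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope

# Return the values the consuming pipeline needs. The secret is shown once here;
# store it in a secret store (e.g. Key Vault), never in the script or source control.
[pscustomobject]@{
    TenantId      = $context.Tenant.Id
    ApplicationId = $app.ApplicationId
    ClientSecret  = $plainSecret
}
```

If the role assignment step fails with a "principal not found" style error right after creation, it is usually directory replication lag; re-run New-AzureRmRoleAssignment for the same ObjectId and Scope a few seconds later.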
In this article, we learned what a service principal is, why we need it, and how to create a password-based Azure service principal using PowerShell. In the next article, we will see how to create a certificate-based service principal using PowerShell. Happy learning!!!