How To Create Service Principal (Password-Based) With PowerShell In Azure

Service Principal

 
When you want your applications, services, and tools/scripts to access Azure resources, you need an identity. This identity is called service principal. The idea is that you shouldn’t use your own account credentials to run such applications, services, and tools/scripts and it all boils down to the principle of “least privileges” and accountability. The below are common scenarios where service principal is used.
  • Run Automation Tasks
  • Continuous Deployment using Team Services
  • Azure Runbooks
Service principals rely on a corresponding Azure AD application and the permissions and scope are directly applied to the service principal.
 

How Do I Create A Service Principal?

 
So far, we had discussed what service principal is and why we need it. Let’s go ahead and create one. You can create a service principal using Azure portal, PowerShell, and Azure CLI but in this article, I will create one using PowerShell.
 
Pre-requisites
  • The latest version of PowerShell or higher than 5.1
  • Azure PowerShell Module
  • A valid Azure Subscription
  • Valid permissions in Azure AD and Azure subscription to create a service principal. Check required permission, here
Once the above pre-requisites are present, follow the below steps to create a service principal.
 
Step 1 - Sign-in Interactively
 
To sign-in interactively, use Login-AzureRmAccount cmdlet. When run, a new login popup will appear as shown below. Enter username/password to authenticate PowerShell session and to get connected to Azure. 
 
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
Once authenticated successfully, the below information will be displayed. Note down the SubscriptionId, as you will use the same to create a service principal.
 
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
Step 2 - Create a new Azure AD Application
 
To create a new Azure AD application, use the New-AzureRmADApplication cmdlets as shown below. The below three parameters are mandatory, and the rest are optional.
  • DisplayName - Display name of the new application.
  • IdentifierUris - The URIs that identify the application.
  • Password - The password to be associated with the application.
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
Upon successful execution, the following output will be shown over the console. Note down the Application Id, as you will use it to create a service principal.
 
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
Step 3 - Create a new Azure AD Service Principal
 
To create a new Azure AD Service Principal, use the New-AzureRmADServicePrincipal cmdlets as shown below. All the parameters are optional, and if not provided, the default value will be used.
  • ApplicationId
    The unique application id for a service principal in a tenant. Once created this property cannot be changed. If an application id is not specified, one will be generated.

  • Role
    The role that the service principal has over the scope. If a value for ‘Scope’ is provided, but no value is provided for `Role`, then `Role` will default to the ‘Contributor’ role.

  • Scope
    The scope that the service principal has permissions on. If a value for ‘Role’ is provided, but no value is provided for ‘Scope’, then ‘Scope’ will default to the current subscription. 
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
Upon successful execution, the following output will be shown over the console. 
 
How To Create Service Principal (Password-Based) With PowerShell In Azure
 
In this article, we learned what service principal is, why we need it, and how to create an Azure service principal (password-based) using PowerShell. In the next article, we will see how to create a service principal (certificate-based) using PowerShell. Happy learning!!!