What is Service principle?
Service principle are non-interactive Azure accounts. Applications use Azure services should always have restricted permissions. Azure offers Service principals allow applications to login with restricted permission Instead having full privilege in non-interactive way.
Using Service Principal we can control which resources can be accessed.
For Security reason, it’s always recommended to use service principal with automated tools rather than allowing them to log in with user identity
Create a Service Principal with PowerShell.
Note: For this demo we are using Azure RM PowerShell module. Azure has introduced new PowerShell module called AZ. Create AD App
Create AD app
| #Create Service principal | |
| New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId ` | |
| –DisplayName $dummyUrl ` | |
| –Password $securePassword ` | |
| –Scope "/subscriptions/<SUBSCRIPTION ID>" ` | |
| –Role Contributor ` | |
| –StartDate ([datetime]::Now) ` | |
| –EndDate $([datetime]::now.AddYears(1)) –Verbose |
Create a Service Principal
| #Create Service principal | |
| New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId ` | |
| –DisplayName $dummyUrl ` | |
| –Password $securePassword ` | |
| –Scope "/subscriptions/<SUBSCRIPTION ID>" ` | |
| –Role Contributor ` | |
| –StartDate ([datetime]::Now) ` | |
| –EndDate $([datetime]::now.AddYears(1)) –Verbose |
This service principal is valid for one year from the created date and it has Contributor Role assigned. Further using this Service principal application can access resource under given subscription. We can scope to resources as we wish by passing resource id as a parameter for Scope.
View created AD app in Portal
1. Log in Portal
- Go to Azure Active Direcoty -> App Registrations
- We can find the created app as below
- Once we click the app we will see app details as below
We need this information when we need to login through Service principal
Login using Service Principal with Powershell
| #Login with service principal | |
| $clientId = "<CLIENT ID>" | |
| $credentials = New-Object System.Management.Automation.PSCredential ($clientId, $securePassword) | |
| Login–AzureRmAccount –ServicePrincipal –TenantId "<TENANTID>" ` | |
| –SubscriptionId "<SUBSCRIPTIONID>" ` | |
| –Credential $credentials |
Fill out the required parameters.
Once we run the script we can successfully log in to Azure using Service Principal
Full code: 🙂
| #Create AD app | |
| $dummyUrl = "https://dummy.dummy.com" | |
| $passpowrd = "Qwerty@123!" | |
| $securePassword = ConvertTo-SecureString –String $passpowrd –AsPlainText –Force | |
| $app = New-AzureRmADApplication –DisplayName $dummyUrl ` | |
| –IdentifierUris $dummyUrl ` | |
| –HomePage $dummyUrl ` | |
| –Password $securePassword –Verbose | |
| #Create Service principal | |
| New-AzureRmADServicePrincipal –ApplicationId $app.ApplicationId ` | |
| –DisplayName $dummyUrl ` | |
| –Password $securePassword ` | |
| –Scope "/subscriptions/<SUBSCRIPTION ID>" ` | |
| –Role Contributor ` | |
| –StartDate ([datetime]::Now) ` | |
| –EndDate $([datetime]::now.AddYears(1)) –Verbose | |
| #Login with service principal | |
| $clientId = "<CLIENT ID>" | |
| $credentials = New-Object System.Management.Automation.PSCredential ($clientId, $securePassword) | |
| Login–AzureRmAccount –ServicePrincipal –TenantId "<TENANTID>" ` | |
| –SubscriptionId "<SUBSCRIPTIONID>" ` | |
| –Credential $credentials |
