How To Create A Service Principal In Azure
Hello, guys. Today I want to show you how to create a service principal using PowerShell and Azure CLI. In case you don't know, an Azure service principal is an identity that is created in Azure AD and associated with an application. The Azure service principal allows Azure AD applications to interact with Azure resources in the same way a user principal would. This can be useful when you have resources or applications that need to manage other resources in Azure. Using role-based access control (RBAC) allows you to grant them access to Azure resources at subscription, resource group, or resource scope.
Important: For security reasons, Microsoft recommends using service principals with automated tools rather than allowing them to log in with a user identity.
Prerequisites
- You must have permissions to create an application in Azure AD and to assign the service principal to a role.
Azure PowerShell Workaround
If you want to know how to install the Azure PowerShell module on your machine, check out this link.
The simplest way to get started is to sign in interactively at the command line.
The Connect-AzAccount cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account.
If you have more than one subscription associated with your account, you can choose the default subscription. To perform this task, we will use the following commands:
# List the subscriptions available to the signed-in account, then pick the one to work in
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
Once you have set your default subscription, you are ready to start.
Set up the variables
Here, we define the characteristics of our environment and the properties of the resources. Replace <Password> with the password you want to assign to the service principal.
$resourceGroupName = "RG-DEMO-WE"
$spName            = "SP-DEMO-WE"
$spPassword        = "<Password>"
# Password credential for the service principal, valid from now until the same date in 2022
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential `
    -Property @{ StartDate = Get-Date; EndDate = Get-Date -Year 2022; Password = $spPassword }
$spConfig = @{
    DisplayName        = $spName
    PasswordCredential = $credentials
}
Create an Azure Service Principal
To create a service principal with a password, you should use the New-AzADServicePrincipal cmdlet with the following syntax.
$servicePrincipal = New-AzADServicePrincipal @spConfig
We store the result of New-AzADServicePrincipal in a variable named $servicePrincipal. We will use the values returned from creating the service principal to assign it a role in Azure in the next step.
Assign a Role to the Service Principal
Once the service principal is created, you should assign the role and its scope. To do this, you should use the New-AzRoleAssignment cmdlet with the following syntax. In the first example, we assign the service principal the Contributor role at the subscription level.
$subscriptionId = (Get-AzContext).Subscription.Id
$spRoleAssignment = @{
    ObjectId           = $servicePrincipal.Id
    RoleDefinitionName = 'Contributor'
    Scope              = "/subscriptions/$subscriptionId"
}
New-AzRoleAssignment @spRoleAssignment
In this second example, we assign the service principal the Reader role at the resource group level.
$subscriptionId = (Get-AzContext).Subscription.Id
$spRoleAssignment = @{
    ObjectId           = $servicePrincipal.Id
    RoleDefinitionName = 'Reader'
    Scope              = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
}
New-AzRoleAssignment @spRoleAssignment
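As an added check that is not part of the original post, the following PowerShell function lists every role assignment the service principal holds in the current subscription context and flags any that is broader than the one you intended; run after the two assignments above with Reader on the resource group as the expectation, it reports the subscription-wide Contributor assignment as over-broad. It assumes the $servicePrincipal, $subscriptionId and $resourceGroupName variables from the steps above and the Get-AzRoleAssignment cmdlet from Az.Resources; the function name is my own.

```powershell
function Test-SpRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,       # object id of the service principal
        [Parameter(Mandatory)] [string] $ExpectedRole,   # e.g. 'Reader'
        [Parameter(Mandatory)] [string] $ExpectedScope   # e.g. /subscriptions/<id>/resourceGroups/<rg>
    )

    # Every assignment for this principal visible in the current subscription context
    $assignments = @(Get-AzRoleAssignment -ObjectId $ObjectId)
    if ($assignments.Count -eq 0) {
        Write-Warning "No role assignments found for $ObjectId (RBAC changes can take a moment to propagate)."
        return
    }

    foreach ($a in $assignments) {
        $roleOk  = $a.RoleDefinitionName -eq $ExpectedRole
        $scopeOk = $a.Scope -eq $ExpectedScope
        # A parent scope ('/' or a prefix of the expected scope) grants more than was planned
        $parent  = if ($a.Scope -eq '/') { '/' } else { $a.Scope + '/' }
        $broader = (-not $scopeOk) -and
                   $ExpectedScope.StartsWith($parent, [System.StringComparison]::OrdinalIgnoreCase)

        $status = if ($roleOk -and $scopeOk) { 'expected' }
                  elseif ($broader)          { 'OVER-BROAD scope' }
                  elseif (-not $roleOk)      { 'unexpected role' }
                  else                       { 'unexpected scope' }

        [pscustomobject]@{ Role = $a.RoleDefinitionName; Scope = $a.Scope; Status = $status }
    }
}

# Check the Reader assignment made above against the intended resource-group scope
$expectedScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
Test-SpRoleAssignment -ObjectId $servicePrincipal.Id -ExpectedRole 'Reader' -ExpectedScope $expectedScope |
    Format-Table -AutoSize
```

Remove any assignment reported as OVER-BROAD with Remove-AzRoleAssignment before handing the credential to automation.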
Verify access using Azure Service Principal identity
To log in with a service principal, you need the ApplicationId as the username and the password value associated with the service principal.
# Shows the ApplicationId; enter it as the user name in the Get-Credential prompt
$servicePrincipal.ApplicationId
$credentials = Get-Credential
$tenantId = (Get-AzContext).Tenant.Id
To connect to Azure using the credentials of the service principal, you should use the Connect-AzAccount cmdlet with the following syntax.
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant $tenantId
Delete a Service Principal
If you want to remove the service principal, you should use the Remove-AzADApplication cmdlet with the following syntax.
$servicePrincipal = Get-AzADServicePrincipal -DisplayName $spName
# Removing the application object also removes its service principal
Remove-AzADApplication -ApplicationId $servicePrincipal.ApplicationId
Azure CLI Workaround
In this example, we will use Azure Cloud Shell, a browser-based shell built into the Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.
First, we define the characteristics of our environment and store the values in variables.
subscriptionId=$(az account show --query id -o tsv)
resourceGroupName="RG-DEMO-WE"
spName="SP-DEMO-WE"
Create an Azure Service Principal
In Azure CLI, the process of creating a service principal is somewhat different. With a single command, we create the service principal and assign its role and scope, and as a result of the creation we receive the details of the service principal, including a self-generated password.
Using the following command, we create the service principal with the Contributor role at the subscription level.
az ad sp create-for-rbac --name $spName \
    --role contributor \
    --scopes /subscriptions/$subscriptionId
In this second example, we assign the service principal the Reader role at the resource group level.
az ad sp create-for-rbac --name $spName \
    --role reader \
    --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName
Verify access using Azure Service Principal identity
To log in with a service principal, you need the appId as the username and the password value associated with the service principal. Replace <Password> with the password obtained when the service principal was created.
spName="SP-DEMO-WE"
spPassword="<Password>"
# Look up the appId of the service principal by its display name
spAppId=$(az ad sp list --display-name $spName --query "[].appId" -o tsv)
tenantId=$(az account show --query tenantId -o tsv)
To connect to Azure using the credentials of the service principal, you should use the following command.
az login --service-principal -u $spAppId \
    --password $spPassword --tenant $tenantId
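As an added example, not from the original post, this is the same CLI flow run from the PowerShell flavour of Cloud Shell (where az is available alongside the Az module). It keeps the self-generated password out of the console and any transcript by reading the JSON into a SecureString, builds a PSCredential from it for Connect-AzAccount, and verifies the resulting role assignments before the credential is used anywhere. The resource and principal names are the demo values from above; the variable names are my own.

```powershell
# Demo values from the steps above
$resourceGroupName = 'RG-DEMO-WE'
$spName            = 'SP-DEMO-WE'
$subscriptionId    = az account show --query id -o tsv
$tenantId          = az account show --query tenantId -o tsv
$scope             = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

# Create the principal with Reader on the resource group only and capture the JSON
# instead of letting it scroll past on the console (and into any transcript)
$json    = az ad sp create-for-rbac --name $spName --role reader --scopes $scope -o json
$created = ($json -join "`n") | ConvertFrom-Json

# Keep the generated secret only as a SecureString and drop the plaintext copy
$secret = ConvertTo-SecureString -String $created.password -AsPlainText -Force
$created.password = $null
$credential = [pscredential]::new($created.appId, $secret)

# Confirm what the principal can actually do before handing the credential to automation
az role assignment list --assignee $created.appId --all -o table

# Sign in as the principal and check that it sees only the intended resource group.
# A brand-new principal can take a short time to replicate; retry if the login is rejected.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId | Out-Null
(Get-AzResourceGroup).ResourceGroupName
```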
Delete a Service Principal
If you want to remove the service principal, you should use the following command.
az ad sp delete --id $spAppId
Thanks for reading my post. I hope you find it useful.
If you want to know more about Azure service principal objects in Azure Active Directory, check out this link: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
Source: https://www.jorgebernhardt.com/azure-service-principal-password/
Posted by: murrayhisclowed.blogspot.com