When an application needs to authenticate with Azure AD, you can’t just give it a username and password. To authenticate and authorize an application or service so it can connect to Azure services and other resources, you need to create a Service Principal within Azure AD. This Service Principal is an identity that the application or service uses to authenticate as itself when accessing resources. As with other resources in Microsoft Azure, Service Principal creation and management can be automated using the Azure CLI.
Create a Service Principal in Azure AD
Creating an Azure Service Principal can be done using the az ad sp create-for-rbac command in the Azure CLI. When the Service Principal is created, you need to define the type of sign-in authentication it will use: either password-based or certificate-based.
When attempting to create an Azure Service Principal using the az ad sp create-for-rbac command, if you do not have permissions to do so, you will get an “Insufficient privileges to complete the operation” error message.
Create Service Principal with Password-based Authentication
Here’s a sample of how to create a Service Principal with Password-based authentication:
# Create Service Principal with Password-based Auth
az ad sp create-for-rbac --name <service-principal-name>
# Be sure to replace the placeholder with the appropriate name you wish to use
Create Service Principal with Certificate-based Authentication
Here’s a sample of how to create a Service Principal with Certificate-based authentication:
# Create Service Principal with Certificate-based Auth
# Define certificate inline
az ad sp create-for-rbac --name <service-principal-name> --cert "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
# Define certificate from file path
az ad sp create-for-rbac --name <service-principal-name> --cert @/path/cert.pem
# Be sure to replace the placeholder with the appropriate name you wish to use, and the certificate required.
When creating a Service Principal using certificate-based authentication, you must have an existing certificate to use. The certificate should be a PEM, CER, or DER file in ASCII format. Only the certificate is passed to Azure AD; the application that signs in as the Service Principal also needs access to the matching private key.
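The following script is an added example and is not code from the original post or from the az-kung-fu project. It wraps both the password-based and the certificate-based creation commands above with two things a practitioner usually wants: the role assignment is scoped explicitly (Reader on one resource group rather than a broad default), and the generated password is captured into an owner-only file instead of being echoed. The helper functions pem_ok_for_upload and json_field, the placeholder values for SP_NAME, SUBSCRIPTION_ID and RESOURCE_GROUP, and the RUN_AZ=1 guard are all assumptions of this example; an existing az login session is assumed when RUN_AZ=1.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the az-kung-fu project.
# Creates a Service Principal with either a password or a certificate while
# (a) scoping the role assignment to one resource group instead of a whole
#     subscription, and (b) keeping the generated password off the terminal.
# Assumptions: an existing 'az login' session; SP_NAME, SUBSCRIPTION_ID and
# RESOURCE_GROUP are placeholders; Azure is only contacted when RUN_AZ=1.
set -eu

SP_NAME="${SP_NAME:-sp-example-placeholder}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example-placeholder}"
SCOPE="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"

# Check that a PEM file is suitable for --cert: it must hold a certificate block
# and must not hold a private key block. Azure AD only needs the public
# certificate; the private key stays with the application that will sign in.
# Returns 0 if usable, 1 if no certificate is present, 2 if a private key is present.
pem_ok_for_upload() {
  local file="$1"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$file" || return 1
  if grep -q -e 'PRIVATE KEY-----' "$file"; then
    return 2
  fi
  return 0
}

# Extract one top-level string field (appId, displayName, password, tenant) from
# the JSON that create-for-rbac prints. sed-only so it works without jq; it does
# not handle escaped quotes inside values, so use jq for anything beyond this example.
json_field() {
  local key="$1"
  sed -n "s/.*\"${key}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Password-based: the CLI generates the secret and prints it exactly once.
create_sp_password() {
  az ad sp create-for-rbac --name "$SP_NAME" --role Reader --scopes "$SCOPE" --output json
}

# Certificate-based: validate the PEM before uploading it.
create_sp_cert() {
  local cert_file="$1"
  pem_ok_for_upload "$cert_file" || { echo "refusing to upload $cert_file: need a public certificate without a private key" >&2; return 1; }
  az ad sp create-for-rbac --name "$SP_NAME" --role Reader --scopes "$SCOPE" --cert "@${cert_file}" --output json
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  out="$(create_sp_password)"
  app_id="$(printf '%s\n' "$out" | json_field appId)"
  tenant="$(printf '%s\n' "$out" | json_field tenant)"
  # Hand the secret to your secret store instead of echoing it; an owner-only
  # file stands in for that store here.
  umask 077
  printf '%s\n' "$out" | json_field password > "./${SP_NAME}.secret"
  echo "created appId=${app_id} tenant=${tenant}; secret stored in ./${SP_NAME}.secret"
fi
```

Run it as RUN_AZ=1 SP_NAME=... SUBSCRIPTION_ID=... RESOURCE_GROUP=... ./create-sp.sh for the password variant, or call create_sp_cert /path/cert.pem from a shell that has sourced the file. Scoping with --role and --scopes is deliberate: a principal whose only purpose is to read one resource group should not hold a subscription-wide role, and stating the scope on the command line is also what you want in the audit trail.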
Create Service Principal with Self-signed Certificate
You can also create a self-signed certificate for authentication:
# Create a self-signed certificate for the Service Principal
az ad sp create-for-rbac --name ServicePrincipalName --create-cert
Create Service Principal with Certificate in Azure Key Vault
You can even create the Service Principal so it accesses the certificate from Azure Key Vault instead of passing it in directly:
# Create Service Principal with Certificate stored in Azure Key Vault
az ad sp create-for-rbac --name ServicePrincipalName --cert CertName --keyvault VaultName
You can find some additional examples of creating Service Principal identities in Azure AD within the Azure CLI Kung Fu repository on GitHub too.
List Service Principals from Azure AD
There are times when you need to access an existing Service Principal for management purposes. The Azure CLI az ad sp list command can be used to list all the Service Principals in Azure AD.
# List all Service Principals
az ad sp list --all

Delete a Service Principal from Azure AD
A task that’s not performed as often as creating Service Principals is deleting or removing them. It still needs to be performed when necessary, so here’s an example command of how to delete an existing Service Principal within Azure AD:
#!/bin/bash
#################################################################################
# project: az-kung-fu
# http://www.build5nines.com/az-kung-fu
# MIT License - https://github.com/Build5Nines/az-kung-fu
# WARNING: These scripts could either cause resume generating events or get you promoted.
# Please, proceed with extreme caution!
#################################################################################
# Script Purpose
# - Delete an Azure Service Principal from Azure AD
# Script Usage
# - Update variables with spID found using az ad sp list command
##################################################################################

## Assign your Azure subscription name or id
az account set -s "[subscription_name_here]"

## Assign variables
spId=[your_sp_Id]

## Delete azure service principal (use az ad sp show to find id)
az ad sp delete --id "$spId"
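The script below is an added example and is not code from the original post or from the az-kung-fu project. It combines the az ad sp list and az ad sp delete commands above into a deletion that refuses to proceed unless the display name resolves to exactly one principal, and that lists and removes the principal's role assignments first so no assignment is left pointing at a deleted identity. The helper exactly_one_guid, the placeholder SP_NAME and the RUN_AZ=1 guard are assumptions of this example; an existing az login session is assumed when RUN_AZ=1.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the az-kung-fu project.
# Deletes a Service Principal by display name with two checks the one-liner
# above does not make: the name must resolve to exactly one principal, and its
# role assignments are listed and removed before the principal itself goes.
# Assumptions: an existing 'az login' session; SP_NAME is a placeholder;
# Azure is only contacted when RUN_AZ=1.
set -eu

SP_NAME="${SP_NAME:-sp-example-placeholder}"

# Read tsv lines from stdin and accept them only if they consist of exactly one
# GUID. Prints that GUID and returns 0; returns 1 for zero, several, or malformed
# lines. Pure text processing, so it can be exercised without Azure.
exactly_one_guid() {
  local input total guids
  input=$(cat)
  total=$(printf '%s\n' "$input" | grep -c . || true)
  guids=$(printf '%s\n' "$input" | grep -ciE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || true)
  if [ "$total" -eq 1 ] && [ "$guids" -eq 1 ]; then
    printf '%s\n' "$input"
    return 0
  fi
  return 1
}

# Resolve the display name to a single application (client) id.
resolve_app_id() {
  az ad sp list --display-name "$SP_NAME" --query "[].appId" --output tsv | exactly_one_guid
}

delete_sp() {
  local app_id
  app_id=$(resolve_app_id) || { echo "expected exactly one Service Principal named '$SP_NAME'; not deleting" >&2; return 1; }
  echo "Role assignments held by $app_id before deletion:"
  az role assignment list --assignee "$app_id" --all --output table
  # Remove every assignment for this principal so nothing dangling remains.
  az role assignment delete --assignee "$app_id"
  az ad sp delete --id "$app_id"
  echo "deleted $SP_NAME ($app_id)"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  delete_sp
fi
```

Run it as RUN_AZ=1 SP_NAME=the-principal ./delete-sp.sh. Resolving by display name is convenient but names are not unique in Azure AD, which is why the script insists on a single match rather than deleting whatever comes back first; printing the role assignments before removal also gives you a record of what access the identity held.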
Happy scripting!