When an application needs to authenticate with Azure AD you can’t really just give it a username and password. To authenticate and authorize an application or service with the ability to connect to Azure services and other resources you need to create a Service Principal within Azure AD. This Service Principal will be an identity that the application or service can use to authenticate as itself for accessing resources. As with other resources and items in Microsoft Azure, the Service Principal creation and management can be automated using the Azure CLI.



Create a Service Principal in Azure AD

Creating an Azure Service Principal can be done using the az ad sp create-for-rbac command in the Azure CLI. When the Service Principal is created, you need to define the type of sign-in authentication it will use; either Password-based or certificate-based.

When attempting to create an Azure Service Principal using the az ad sp create-for-rbac command, if you do not have permissions to do so, you will get an “Insufficient privileges to complete the operation” error message.



Create Service Principal with Password-based Authentication

Here’s a sample of how to create a Service Principal with Password-based authentication:

# Create Service Principal with Password-based Auth

az ad sp create-for-rbac --name <service-principal-name>

# Be sure to replace the placeholder with the appropriate name you wish to use

Create Service Principal with Certificate-based Authentication

Here’s a sample of how to create a Service Principal with Certificate-based authentication:

# Create Service Principal with Certificate-based Auth

# Define certificate inline
az ad sp create-for-rbac --name <service-principal-name> --cert "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"

# Define certificate from file path
az ad sp create-for-rbac --name <service-principal-name> --cert @/path/cert.pem

# Be sure to replace the placeholder with the appropriate name you wish to use, and the certificate required.

When creating a Service Principal using certificate-based authentication, you must have an existing certificate to use. The certificate should be a PEM, CER, or DER file using ASCII format. You also need to make sure the Service Principal has access to the private key as well.

Create Service Principal with Self-signed Certificate

You can also, create a self-signed certificate for authentication:

# Create a self-signed certificate for the Service Principal
az ad sp create-for-rbac --name ServicePrincipalName --create-cert

Create Service Principal with Certificate in Azure Key Vault

You can even create the Service Principal so it accesses the certificate from Azure Key Vault instead of passing it in directly:

# Create Service Principal with Certificate stored in Azure Key Vault
az ad sp create-for-rbac --name ServicePrincipalName --cert CertName --keyvault VaultName

You can find some additional examples of creating Service Principal identities in Azure AD within the Azure CLI Kung Fu repository on GitHub too.

List Service Principals from Azure AD

There are times when you need to access an existing Service Principal for management purposes. The Azure CLI az ad sp list command can be used to list out all the Service Principals with Azure AD.

# List all Service Principals
az ad sp list --all
Azure CLI: Create and Manage Service Principals 1
Screenshot: Azure Cloud Shell list all Service Principals

Delete a Service Principal from Azure AD

A task that’s not performed as often as creating Service Principals, is the task of deleting or removing them. This is still a task that needs to be performed when necessary, so here’s an example command of how to delete an existing Service Principal within Azure AD:

#!/bin/bash
#################################################################################
# project: az-kung-fu
# http://www.build5nines.com/az-kung-fu
# MIT License - https://github.com/Build5Nines/az-kung-fu
# WARNING: These scripts could either cause resume generating events or get you promoted.
# Please, proceed with extreme caution!
#################################################################################
# Script Purpose
# - Delete an Azure Service Principal from Azure AD
# Script Usage
# - Update variables with spID found using az ad sp list command
##################################################################################

## Assign your Azure subscription name or id
az account set -s "[subscription_name_here]"

## Assign variables
spId=[your_sp_Id]

## Delete azure service principal (use az ad sp show to find id)
az ad sp delete --id $spId

Happy scripting!


Microsoft MVP

Chris is the Founder of Build5Nines.com and a Microsoft MVP in Azure & IoT with 20 years of experience designing and building Cloud & Enterprise systems. He is also a Microsoft Certified: Azure Solutions Architect, developer, Microsoft Certified Trainer (MCT), and Cloud Advocate. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.