
Adding a Service Principal

Daniel Berger edited this page Sep 26, 2018 · 23 revisions

Adding a Service Principal in Azure

Note that the information below assumes that you have the proper permissions to complete the various tasks that are laid out here.

Using the command line

Be sure your account is associated with the correct subscription first:

az account set -s xxx

Then run this command for subscription wide access:

az ad sp create-for-rbac -n some_name --role contributor --years 2

Or pinned to a specific resource group:

az ad sp create-for-rbac \
  --name some_name \
  --role contributor \
  --scopes /subscriptions/xxx/resourceGroups/some_group \
  --years 2

You can specify multiple resource groups, change the role, the time limit, etc., if desired.

Using just the New Portal

  • Log in to portal.azure.com and select the "Azure Active Directory" resource. Then click "App Registrations", and then click the "Add" (or "New Application Registration") button at the top.

  • Fill out the form and give it a name and sign-on URL.

    • These are largely irrelevant for dev purposes where you're just looking for a set of credentials. Our convention has been to name them "[app] [username] Dev", with a URI http://[app]-[username]-dev for both the sign-on url and app-id URI.
  • Select the application you just created (go back to App Registrations if necessary). Note the "Application ID". This is your client ID.

  • Once you're viewing the registered app, click the "Settings" tab at the top. Click the "Keys" option. Give it a name (any name will do), select a duration, and click save.

    • Be sure to copy and paste the key somewhere. You will not see it again once you leave that screen.
  • Back in "Settings", click the "Required Permissions" tab, then "Add", then "Windows Service Management API". Press the "Select" button at the bottom, and check the "Delegated Permissions" checkbox and hit "Select" again, then "Done".

  • Select the "subscriptions" resource and then select the appropriate subscription.

    • Alternatively, select a specific resource group name if you don't want subscription-wide access.
  • Select the "access" tab (right side, looks like a people icon), or the "Access Control" option. You should then see a list of users.

  • Click the "add" button.

    • Add a role. Typically the "contributor" role is what we select, but YMMV.
    • Add the application you registered above. The username is the same as the "name" that you gave the app registration. In practice, you may need to use the filter here to find it easily.

You are done.

Using the Portals (old way)

Part 1 - The Classic Portal

Here we'll create a service principal that will generate the credentials you need for headless authentication. You will need admin privileges to perform these steps. If you don't have the proper privileges, find someone who does.

  • Go to the classic portal at http://manage.windowsazure.com. Select the appropriate account type, which is probably a "personal" account if it resembles your home or work email address.

  • On the left side, scroll down a bit and select "Active Directory".

  • Click on the default directory.

    • If you see more than one, mouse over each one, and you'll see a popup at the bottom. The value on the right side of the popup will show the tenant ID. Pick the appropriate one.
  • Select the "Applications" tab

  • Click the "Add" tab at the bottom

  • Select "Add an application my organization is developing"

  • Give it a name, sign-on url and app-id URI.

    • These are largely irrelevant for dev purposes where you're just looking for a set of credentials. Our convention has been to name them "[app] [username] Dev", with a URI http://[app]-[username]-dev for both the sign-on url and app-id URI.
    • Remember the name you choose. You will need it in part 2 below.
  • After creation, select the "configure" tab, and scroll down.

    • Note your client ID. Copy and paste that somewhere.
    • Where it says "keys" select 1 year or 2 years (your choice), but don't save anything yet.
    • At the bottom where it says "permissions to other applications" click "add application", and select "Windows Azure Service Management". Once added, click the "delegated permissions" drop down and select "Access Azure Service Management as Organization".
  • Click save, and scroll up to the "keys" section again. MAKE NOTE OF YOUR CLIENT KEY AT THIS POINT. Copy and paste that somewhere, as well as your client ID.

    • If you forget it or lose it, no worries. You'll just need to come back here and generate a new one. You will not be able to recover your old one, however.

Part 2: The New Portal

With your service principal created and credentials established, you'll then need to give it access to V2 resources.

  • Log into the new portal at http://portal.azure.com

  • Select the "subscriptions" resource and then select the appropriate subscription.

    • Alternatively, select a specific resource group name if you don't want subscription-wide access.
  • Select the "access" tab (right side, looks like a people icon). You should see a list of users.

  • Click the "add" button.

    • Add a role. Typically the "contributor" role is what we select, but YMMV.
    • Add the user you created in Part 1 above. The username is the same as the "name" that you selected in part 1. In practice, you may need to use the filter here to find it easily.

PowerShell

  1. Login-AzureRmAccount
     • Then sign in with your browser
  2. $azureApp = New-AzureRmADApplication `
       -DisplayName "ORG USERID DEV" `
       -HomePage "https://org-userid-dev" `
       -IdentifierUris "https://org-userid-dev" `
       -Password "xxxxx" # optional
  3. New-AzureRmADServicePrincipal -ApplicationId $azureApp.ApplicationId
  4. New-AzureRmRoleAssignment `
       -RoleDefinitionName Contributor `
       -ServicePrincipalName $azureApp.ApplicationId

Then to get the credential information you need:

$pri = Get-AzureRmADServicePrincipal -ServicePrincipalName "https://org-userid-dev"
$sub = Get-AzureRmSubscription -SubscriptionId xxx-yyy

$sub.SubscriptionId # Subscription ID
$sub.TenantId # Tenant ID
$pri.ApplicationId # Client ID

TODO: How to get client key
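The PowerShell steps above as one script, added here as an example and not taken from the original page: it scopes the Contributor role to a single resource group instead of the whole subscription, retries the role assignment while the new principal replicates, and captures the client key at creation time, since AzureRM cannot read a key back afterwards. It assumes the AzureRM module (5.x or later, where -Password takes a SecureString), that Login-AzureRmAccount has already been run, and the placeholder names $appName, $appUri and $resourceGroup.

```powershell
# Added example: least-privilege service principal with AzureRM PowerShell.
# Assumes AzureRM 5.x+ and an existing Login-AzureRmAccount session.
$appName       = "ORG USERID DEV"        # placeholder
$appUri        = "https://org-userid-dev" # placeholder
$resourceGroup = "some_group"             # placeholder; scope of the role

# Generate the client key ourselves: it is only available in clear text now.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$clientKey = [Convert]::ToBase64String($keyBytes)
$securePwd = ConvertTo-SecureString -String $clientKey -AsPlainText -Force

$app = New-AzureRmADApplication -DisplayName $appName -HomePage $appUri `
         -IdentifierUris $appUri -Password $securePwd -EndDate (Get-Date).AddYears(1)
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Pin the role to one resource group rather than the whole subscription.
$ctx   = Get-AzureRmContext
$scope = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$resourceGroup"

# The new principal may take a few seconds to replicate; retry the assignment.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzureRmRoleAssignment -ObjectId $sp.Id `
                        -RoleDefinitionName Contributor -Scope $scope -ErrorAction Stop
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $assignment) { throw "Role assignment failed after retries" }

# Check the principal holds exactly the one scoped role before handing out credentials.
Get-AzureRmRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope

# Everything a headless client needs; store the key in a secret manager, not in source.
[pscustomobject]@{
    SubscriptionId = $ctx.Subscription.Id
    TenantId       = $ctx.Tenant.Id
    ClientId       = $app.ApplicationId
    ClientKey      = $clientKey
}
```

If the key is lost later, generate a new one with New-AzureRmADAppCredential -ApplicationId $app.ApplicationId rather than trying to recover the old one.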

Troubleshooting

If you've set up the service principal, but az login gives you an error with "Application with identifier 'http://your_app' was not found in the directory", then you will need to edit the manifest for the application.

Find the application in Azure Active Directory, then click "Manifest" and look for a property called identifierUris. If you don't see http://your_app, then add it there and make sure it's the first entry (if there's something else there already). Then save it.

I do not know how this happens sometimes, but the fix is relatively painless.
