Hello, guys. Today I want to show you how to create a service principal using PowerShell and Azure CLI. In case you don't know, an Azure service principal is an identity created in Azure AD and associated with an application. The service principal allows an Azure AD application to interact with Azure resources in the same way a user principal does. This is useful when you have resources or applications that need to manage other resources in Azure. Using role-based access control (RBAC), you can grant the service principal access to Azure resources at subscription, resource group, or resource scope.

Important: For security reasons, Microsoft recommends that automated tools use a service principal rather than log in with a user identity.

Prerequisites

  • You must have permissions to be able to create an application in Azure AD and assign the service principal to a role.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

The Connect-AzAccount cmdlet brings up a dialog box prompting you for the email address and password associated with your Azure account.
If you have more than one subscription associated with your email account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you are ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties. Replace <Password> with the password you want to assign to the service principal.

Create an Azure Service Principal

To create a service principal with a password, you should use the New-AzADServicePrincipal cmdlet with the following syntax.

New-AzADServicePrincipal
We store the result of New-AzADServicePrincipal in a variable named $servicePrincipal. We will use the values it returns to assign the service principal a role in Azure in the next step.

Assign a Role to the Service Principal

Once the service principal is created, you should assign it a role and a scope. To do this, you should use the New-AzRoleAssignment cmdlet with the following syntax. In the first example, we assign the service principal the Contributor role at the subscription scope.

In this second example, we assign the service principal the Reader role at the resource group scope.

Verify access using Azure Service Principal identity

To log in with a service principal, you need the applicationId as the username and the password value associated with the service principal.

To connect to Azure using the credentials of the service principal, you should use the Connect-AzAccount cmdlet with the following syntax.

Connect-AzAccount

Delete a Service Principal

If you want to remove the service principal, you should use the Remove-AzADApplication cmdlet with the following syntax.
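The whole Azure PowerShell workaround, from the interactive sign-in to the clean-up, in one script. This is an added example, not the post's own code. It assumes the current Az module (Az.Accounts plus Az.Resources 5.x or later, where New-AzADServicePrincipal generates the client secret itself and returns it in PasswordCredentials.SecretText instead of accepting a chosen password), and it assumes you have permission to create applications and role assignments. The subscription id, resource group name and display name are placeholders I constructed.

```powershell
# Added example (not the post's own code): end-to-end Az PowerShell flow.
# Assumes Az.Accounts and Az.Resources 5.x or later, which generate the client
# secret rather than accepting a caller-supplied password.
# The values below are constructed placeholders; replace them with your own.

$subscriptionId    = "<subscription-id>"      # placeholder
$resourceGroupName = "rg-demo"                # constructed sample name
$spDisplayName     = "sp-demo-automation"     # constructed sample name

# 1. Sign in interactively and pin the session to the intended subscription.
Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# 2. Create the service principal. The secret is returned exactly once in
#    PasswordCredentials.SecretText; capture it now, it cannot be read back later.
$servicePrincipal = New-AzADServicePrincipal -DisplayName $spDisplayName
$clientSecret     = $servicePrincipal.PasswordCredentials.SecretText

# 3a. First example from the post: Contributor at subscription scope.
New-AzRoleAssignment -ApplicationId $servicePrincipal.AppId `
    -RoleDefinitionName "Contributor" `
    -Scope "/subscriptions/$subscriptionId" | Out-Null

# 3b. Second example: Reader at resource group scope.
New-AzRoleAssignment -ApplicationId $servicePrincipal.AppId `
    -RoleDefinitionName "Reader" `
    -ResourceGroupName $resourceGroupName | Out-Null

# Review the identity's effective assignments before handing it to automation.
Get-AzRoleAssignment -ObjectId $servicePrincipal.Id |
    Select-Object RoleDefinitionName, Scope

# 4. Verify: sign in as the service principal (application id = user name,
#    client secret = password) and confirm which account the context holds.
$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential   = [pscredential]::new($servicePrincipal.AppId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $tenantId | Out-Null
Get-AzContext | Select-Object Account, Subscription

# 5. Clean up with your own identity: remove both role assignments, then the
#    application (deleting the application also deletes its service principal).
Connect-AzAccount | Out-Null
Remove-AzRoleAssignment -ObjectId $servicePrincipal.Id `
    -RoleDefinitionName "Contributor" -Scope "/subscriptions/$subscriptionId"
Remove-AzRoleAssignment -ObjectId $servicePrincipal.Id `
    -RoleDefinitionName "Reader" -ResourceGroupName $resourceGroupName
Remove-AzADApplication -ApplicationId $servicePrincipal.AppId
```

Two points worth noting for day-to-day use: the secret lives only in `$clientSecret` and is never written to the console, and the Get-AzRoleAssignment call gives you a chance to confirm the identity holds only the two roles you intended before any automation starts using it.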

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.

First, we define the characteristics of our environment and store the values in variables.

Create an Azure Service Principal

In Azure CLI, the process of creating a service principal is slightly different. A single command creates the service principal and assigns it a role and a scope, and the command's output returns the service principal's details, including an auto-generated password.

Using the following command, we create the service principal with the Contributor role at the subscription scope.

In this second example, we assign the service principal the Reader role at the resource group scope.

Azure service principal

Verify access using Azure Service Principal identity

To log in with a service principal, you need the applicationId as the username and the password value associated with the service principal. Replace <Password> with the password obtained when the service principal was created.

To connect to Azure using the credentials of the service principal, you should use the following command.

az login

Delete a Service Principal

If you want to remove the service principal, you should use the following command.
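The whole Azure CLI workaround in one script. This is an added example, not the post's own code. It is written for the PowerShell experience in Azure Cloud Shell so that the same variable syntax is used as in the rest of the post; the az commands are identical in Bash. It assumes Azure CLI 2.x, where `az ad sp create-for-rbac` expects `--role` and `--scopes` together, and the subscription id, resource group name and service principal name are placeholders I constructed.

```powershell
# Added example (not the post's own code): the Azure CLI flow run from the
# PowerShell experience in Azure Cloud Shell. Assumes Azure CLI 2.x.
# The values below are constructed placeholders; replace them with your own.

$subscriptionId    = "<subscription-id>"    # placeholder
$resourceGroupName = "rg-demo"              # constructed sample name
$spName            = "sp-demo-cli"          # constructed sample name

# Work in the intended subscription.
az account set --subscription $subscriptionId

# 1. First example from the post: create the service principal and the
#    Contributor assignment at subscription scope in one step. The JSON output
#    is the only time the generated password is shown, so it is parsed into a
#    variable rather than echoed to the terminal.
$sp = az ad sp create-for-rbac --name $spName `
        --role "Contributor" `
        --scopes "/subscriptions/$subscriptionId" | ConvertFrom-Json

# 2. Second example: add Reader at resource group scope to the same identity.
az role assignment create --assignee $sp.appId `
    --role "Reader" `
    --resource-group $resourceGroupName | Out-Null

# Inspect the effective assignments before the identity is used anywhere.
az role assignment list --assignee $sp.appId --all --output table

# 3. Verify access by signing in as the service principal
#    (appId as the user name, the generated password, and the tenant id).
az login --service-principal --username $sp.appId --password $sp.password --tenant $sp.tenant | Out-Null
az account show --query "{user:user.name, subscription:name}" --output table

# 4. Clean up with your own account: remove the role assignments, then the
#    application registration (which also deletes its service principal).
az logout
az login | Out-Null
az role assignment delete --assignee $sp.appId
az ad app delete --id $sp.appId
```

The `az role assignment list --all` step is the one I would not skip: it shows every assignment the identity holds across scopes, which is the quickest way to catch a role that was granted more broadly than intended.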

Thanks for reading my post. I hope you find it useful.

If you want to know more about Azure service principal objects in Azure Active Directory, check out this link: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals