Azure Service Principals


Hi Team,


Could anybody please provide me a brief about Service Principals for better understanding!

1 Reply

@Suresh_Godaba, imagine a task where you need to automate some process, like deployment from Azure DevOps to Azure Cloud, i.e., you have to build and release your app and have enough 'power' to deploy it to a specified Azure service. Definitely, you can do that with your own account, but would it be good if automated tasks were executed under the most privileged account in your subscription? Your security team would argue it breaks all security principles (including 'least privilege'). Everything is volatile, people leave companies, and you can guess what happens when those accounts get suspended :)


The other option would be creating so-called service users. The problem is, these are still Active Directory users, and if you have restrictive policies in the company, it's not an option. You would need to exclude them from MFA, and they suddenly become a good target. Security wouldn't be happy about those either.


This is where Service Principals (SP) come into play. It's a privileged account type that doesn't need to be excluded from MFA and has a very limited scope as well as an expiration time. Basically, scoping is entirely up to you. You can make it create a VM and only have access to a specific resource group, or you can widen the scope through role-based access to the entire subscription; it depends on the task.


There are tons of ways you can create an SP, as well as a wide variety of usage scenarios. I tend to think of them as special accounts, detached from the identity and scoped just enough to perform a specific task (like automation, scripting, resource allocation, etc.), and yet very secure.


Hope that clarifies things a lot better ;)
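The scoping the reply describes (a service principal that may manage VMs in one resource group, or is widened to the whole subscription) can be done with the Azure CLI. The script below is an added example and not part of the original reply; it assumes the Azure CLI (`az`) is installed and `az login` has been run, and the subscription id, resource group name and service principal name are placeholders you replace. `sp_scope` builds the ARM scope string, `create_scoped_sp` creates the principal with exactly one role at that scope and a credential that expires after the given number of years, and `list_sp_roles` is the check a reviewer would run afterwards to confirm the principal holds nothing beyond that role.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Assumes the Azure CLI is installed
# and you are logged in. All ids and names below are placeholders.
set -eu

# Build the scope for a role assignment: a single resource group when one is given
# (the "least privilege" case), otherwise the whole subscription (the "widen" case).
sp_scope() {
  subscription_id="$1"
  resource_group="${2:-}"
  if [ -n "$resource_group" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$subscription_id" "$resource_group"
  else
    printf '/subscriptions/%s' "$subscription_id"
  fi
}

# Create a service principal holding one role at one scope. The credential expires
# after $years (the az default is 1); no subscription-wide Contributor is granted.
create_scoped_sp() {
  name="$1"; role="$2"; scope="$3"; years="${4:-1}"
  az ad sp create-for-rbac \
    --name "$name" \
    --role "$role" \
    --scopes "$scope" \
    --years "$years" \
    --output json
}

# Verification step: list every role assignment held by the principal so you can
# confirm it has only the role and scope you intended.
list_sp_roles() {
  app_id="$1"
  az role assignment list --assignee "$app_id" --all --output table
}

# Only talk to Azure when invoked as `./sp.sh run`; otherwise the functions are
# just defined, so the script can be sourced or tested offline.
if [ "${1:-}" = "run" ]; then
  SUBSCRIPTION_ID="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to your subscription id}"
  RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
  scope="$(sp_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
  # "Virtual Machine Contributor" is a built-in role that can create VMs but cannot
  # manage the network or storage it attaches to, nor grant roles to others.
  create_scoped_sp "sp-vm-deploy-placeholder" "Virtual Machine Contributor" "$scope" 1
fi
```

Run it with `SUBSCRIPTION_ID=<id> RESOURCE_GROUP=<group> ./sp.sh run`; the JSON it prints contains the `appId` you pass to `list_sp_roles` and to the Azure DevOps service connection. Dropping the second argument to `sp_scope` is the "widen to the entire subscription" option from the reply, which is why it is an explicit choice rather than the default.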