Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1086961%22%20slang%3D%22en-US%22%3EWorking%20with%20Azure%20Service%20Principal%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086961%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20worked%20with%20on-prem%20IT%20infrastructure%20I%20was%20always%20keen%20to%20automate%20parts%20as%20much%20as%20possible%2C%20whether%20that%20was%20setting%20up%20a%20scheduled%20task%20to%20stop%20and%20start%20services%20on%20temperamental%20servers%20or%20automating%20the%20patching%20of%20the%20servers.%26nbsp%3B%20One%20thing%20that%20was%20often%20essential%20to%20these%20automation%20tasks%20was%20a%20service%20account.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20service%20account%20was%20a%20bit%20like%20a%20user%20account%20with%20a%20username%20and%20password%2C%20and%20it%20often%20had%20access%20to%20local%20and%20network%20resources%20to%20perform%20these%20automation%20tasks.%26nbsp%3B%20Using%20service%20accounts%20allowed%20us%20to%20avoid%20embedding%20our%20own%20network%20usernames%20and%20password%20into%20these%20automation%20tasks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20Azure%20when%20we%20want%20to%20automate%20tasks%20we%20have%20to%20use%20something%20similar%2C%20and%20it%E2%80%99s%20called%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fdevelop%2Fapp-objects-and-service-principals%3FWT.mc_id%3Dblog-itopstalk-salean%23service-principal-object%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EService%20Principal%3C%2FA%3E.%26nbsp%3B%20The%20Service%20Principal%20allows%20us%20to%20give%20applications%2Fservices%2Ftasks%20access%20to%20the%20environment%20to%20perform%20tasks%20on%20our%20behalf.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20you%20create%20automation%20service%20accounts%20or%20Service%20Principals%20you%20should%20really%20think%20about%20what%20rights%20you%20give%20them.%20%26nbsp%3B%26nbsp%3BThey%20shouldn%E2%80%99t%20have%20more%20permissions%20than%20they%20need.%20Only%20those%20that%20%3CSTRONG%3Ereally%20%3C%2FSTRONG%3Eneed%20full%20administrator%20rights%20should%20have%20them!%20%3B)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECreate%20a%20Service%20Principal%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECreating%20a%20Service%20Principal%20can%20be%20done%20in%20a%20number%20of%20ways%2C%20through%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Ffeatures%2Fazure-portal%2F%3FWT.mc_id%3Ditopstalk-blog-salean%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eportal%3C%2FA%3E%2C%20with%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fpowershell%2F%3FWT.mc_id%3Ditopstalk-blog-salean%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPowerShell%3C%2FA%3E%20or%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fcli%2Fazure%2Fget-started-with-azure-cli%3Fview%3Dazure-cli-latest%26amp%3BWT.mc_id%3Ditopstalk-blog-salean%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20CLI%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20have%20a%20small%20script%20that%20creates%20my%20Service%20Principal%20and%20it%20generates%20a%20random%20password%20to%20go%20with%20the%20Service%20Principal%20so%20that%20I%20have%20it%20for%20those%20password-based%20authentication%20occasions.%20%26nbsp%3B%26nbsp%3BWhen%20you%20create%20a%20Service%20Principal%20via%20PowerShell%20you%20do%20not%20get%20a%20copy%20of%20the%20password%20displayed%2C%20so%20you%20need%20to%20input%20a%20couple%20of%20lines%20of%20code%20to%20retrieve%20the%20password%2C%20as%20you%20can%20see%20in%20the%20code%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%23%20Create%20the%20Service%20Principal%2C%20generates%20a%20random%20password%0A%24sp%20%3D%20New-AzADServicePrincipal%20-DisplayName%20ServicePrincipalName%0A%0A%23%20Export%20the%20random%20password%20that%20was%20generated%20on%20creation%0A%24BSTR%20%3D%20%5BSystem.Runtime.InteropServices.Marshal%5D%3A%3ASecureStringToBSTR(%24sp.Secret)%0A%24UnsecureSecret%20%3D%20%5BSystem.Runtime.InteropServices.Marshal%5D%3A%3APtrToStringAuto(%24BSTR)%0A%24UnsecureSecret%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Azure%20CLI%20command%20to%20create%20a%20Service%20Principal%20is%20shorted%20and%20on%20creation%20the%20randomly%20generated%20password%20is%20displayed%20on%20screen.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Eaz%20ad%20sp%20create-for-rbac%20--name%20ServicePrincipalDisplayName%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGrant%20your%20Service%20Principal%20Rights%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20default%2C%20when%20you%20a%20create%20a%20Service%20Principal%20via%20Azure%20CLI%20or%20PowerShell%20it%20grants%20it%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Frole-based-access-control%2Fbuilt-in-roles%3FWT.mc_id%3Ditopstalk-blog-salean%23contributor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EContributor%3C%2FA%3E%20access%20to%20your%20Azure%20subscription.%26nbsp%3B%20As%20I%20mentioned%20at%20the%20start%20of%20this%20post%20that%20isn%E2%80%99t%20great%20best%20practice.%20%26nbsp%3BSo%2C%20this%20is%20something%20to%20be%20aware%20of%2C%20when%20using%20Azure%20CLI.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMy%20recommendation%20would%20be%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Frole-based-access-control%2Frole-assignments-portal%3FWT.mc_id%3Ditopstalk-blog-salean%23remove-a-role-assignment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eremove%20the%20contributor%20role%20assignment%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Frole-based-access-control%2Frole-assignments-portal%3FWT.mc_id%3Ditopstalk-blog-salean%23add-a-role-assignment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eadd%20the%20correct%20level%3C%2FA%3E.%20%26nbsp%3BWhere%20possible%20I%20try%20and%20restrict%20rights%20to%20resource%20group%20level%20and%20not%20directly%20at%20the%20subscription%20level.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOf%20course%2C%20there%20are%20times%20when%20you%20need%20to%20grant%20Contributor%20level%20to%20your%20Service%20Principals%20at%20the%20subscription%20level%20for%20certain%20tasks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESign%20in%20with%20a%20Service%20Principal%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20that%20you%20have%20your%20Service%20Principal%20and%20permissions%20assigned%2C%20how%20do%20you%20use%20them%3F%20Signing%20into%20via%20PowerShell%20or%20Azure%20CLI%20can%20be%20quite%20quickly%20achieved.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20log%20in%20via%20Azure%20CLI%2C%20it%E2%80%99s%20a%20one%20line%20command%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Eaz%20login%20--service-principal%20--username%20APP_ID%20--password%20PASSWORD%20--tenant%20TENANT_ID%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20username%20is%20the%20%3CEM%3EApplication%20ID%3C%2FEM%3E%2C%20this%20would%20have%20been%20listed%20when%20you%20created%20the%20Service%20Principal%2C%20if%20you%20didn%E2%80%99t%20take%20a%20note%20of%20it%20you%20can%20find%20this%20within%20the%20Azure%20Portal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20password%20would%20have%20also%20been%20listed%20when%20you%20created%20the%20Service%20Principal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20tenant%20ID%20would%20also%20have%20been%20listed%2C%20if%20you%20don%E2%80%99t%20have%20a%20note%20of%20it%20you%20can%20run%20the%20command%20to%20get%20a%20note%20of%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Eazure%20account%20show%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20log%20in%20via%20PowerShell%20it%20is%20slightly%20more%20complex%20and%20requires%20a%20bit%20more%20code.%26nbsp%3B%20The%20first%20command%20to%20issue%20is%20one%20that%20gathers%20the%20password%20for%20the%20Service%20Principal%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%24passwd%20%3D%20ConvertTo-SecureString%20%E2%80%9CSECURE%20PASSWORD%E2%80%9D%20-AsPlainText%20-Force%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20next%20command%20takes%20the%20Service%20Principal%20ID%20and%20password%20and%20combines%20them%20into%20one%20variable%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%24pscredential%20%3D%20New-Object%20System.Management.Automation.PSCredential('SERVICE%20PRINCIPAL%20NAME%20or%20ID'%2C%20%24passwd)%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20last%20command%20takes%20the%20inputted%20information%20and%20logs%20you%20in%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3EConnect-AzAccount%20-ServicePrincipal%20-Credential%20%24pscredential%20-Tenant%20TENANT_ID%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThings%20to%20remember%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20that%20you%20use%20good%20password%20storage%20practices%20when%20automating%20service%20principal%20connections.%26nbsp%3B%20I%E2%80%99ve%20shown%20you%20code%20that%20displays%20the%20passwords%20in%20plain%20text%2C%20which%20isn%E2%80%99t%20best%20practice%20but%20gives%20you%20an%20idea%20of%20how%20to%20use%20the%20commands%20and%20Service%20Principal%20concept.%20%26nbsp%3BSomething%20like%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fservices%2Fkey-vault%2F%3FWT.mc_id%3Ditopstalk-blog-salean%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Key%20Vault%20Service%3C%2FA%3E%20could%20be%20used%20to%20help%20store%20the%20password%20in%20a%20more%20secure%20manner%20that%20can%20be%20called%20into%20scripts%20without%20anyone%20ever%20having%20to%20see%20the%20password.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20security%20purposes%2C%20Service%20Principal%20passwords%20are%20created%20with%20a%20default%20lifespan%20of%20a%20year%2C%20so%20don%E2%80%99t%20forget%20to%20make%20a%20note%20in%20your%20diary%20to%20renew%20the%20credentials%20or%20you%20may%20hit%20errors!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1086961%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20working%20within%20Azure%20you%20want%20to%20take%20advantage%20of%20automating%20the%20tasks%20you%20can%2C%20in%20order%20to%20do%20that%20you%20need%20to%20have%20a%20method%20of%20authenticating%20to%20your%20Azure%20subscription.%20In%20this%20article%20I%20take%20you%20through%20the%20concept%20of%20Service%20Principals%20and%20the%20basics%20of%20creating%20them%20and%20using%20them.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20842px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F163644iA24475CC2126F9B3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22spn.jpg%22%20title%3D%22spn.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAzure%20Service%20Principal%20Graphic%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1086961%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESarah%20Lean%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1100244%22%20slang%3D%22en-US%22%3ERe%3A%20Working%20with%20Azure%20Service%20Principal%20Accounts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1100244%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20also%20recommend%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EManaged%20Identities%3C%2FA%3E%20whenever%20possible%20-%20if%20the%20automation%20workers%20run%20in%20Azure%2C%20then%20it's%20much%20better%20to%20use%20Managed%20Identities%2C%20as%20no%20one%20has%20to%20deal%20with%20secrets%20anymore.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

When I worked with on-prem IT infrastructure I was always keen to automate parts as much as possible, whether that was setting up a scheduled task to stop and start services on temperamental servers or automating the patching of the servers.  One thing that was often essential to these automation tasks was a service account.  

 

The service account was a bit like a user account with a username and password, and it often had access to local and network resources to perform these automation tasks.  Using service accounts allowed us to avoid embedding our own network usernames and password into these automation tasks.

 

Within Azure when we want to automate tasks we have to use something similar, and it’s called a Service Principal.  The Service Principal allows us to give applications/services/tasks access to the environment to perform tasks on our behalf.  

 

When you create automation service accounts or Service Principals you should really think about what rights you give them.   They shouldn’t have more permissions than they need. Only those that really need full administrator rights should have them! ;)

 

 

Create a Service Principal

 

Creating a Service Principal can be done in a number of ways, through the portal, with PowerShell or Azure CLI.

 

I have a small script that creates my Service Principal and it generates a random password to go with the Service Principal so that I have it for those password-based authentication occasions.   When you create a Service Principal via PowerShell you do not get a copy of the password displayed, so you need to input a couple of lines of code to retrieve the password, as you can see in the code below.

 

 

# Create the Service Principal, generates a random password
$sp = New-AzADServicePrincipal -DisplayName ServicePrincipalName

# Export the random password that was generated on creation
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret

 

 

The Azure CLI command to create a Service Principal is shorted and on creation the randomly generated password is displayed on screen.

 

 

az ad sp create-for-rbac --name ServicePrincipalDisplayName

 

 

Grant your Service Principal Rights

 

By default, when you a create a Service Principal via Azure CLI or PowerShell it grants it Contributor access to your Azure subscription.  As I mentioned at the start of this post that isn’t great best practice.  So, this is something to be aware of, when using Azure CLI.

 

My recommendation would be to remove the contributor role assignment and add the correct level.  Where possible I try and restrict rights to resource group level and not directly at the subscription level.

 

Of course, there are times when you need to grant Contributor level to your Service Principals at the subscription level for certain tasks.

 

Sign in with a Service Principal

 

Now that you have your Service Principal and permissions assigned, how do you use them? Signing into via PowerShell or Azure CLI can be quite quickly achieved.

 

To log in via Azure CLI, it’s a one line command:

 

 

az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID

 

 

The username is the Application ID, this would have been listed when you created the Service Principal, if you didn’t take a note of it you can find this within the Azure Portal.

 

The password would have also been listed when you created the Service Principal.

 

The tenant ID would also have been listed, if you don’t have a note of it you can run the command to get a note of it.

 

 

azure account show

 

 

To log in via PowerShell it is slightly more complex and requires a bit more code.  The first command to issue is one that gathers the password for the Service Principal:

 

 

$passwd = ConvertTo-SecureString “SECURE PASSWORD” -AsPlainText -Force

 

 

The next command takes the Service Principal ID and password and combines them into one variable:

 

 

$pscredential = New-Object System.Management.Automation.PSCredential('SERVICE PRINCIPAL NAME or ID', $passwd)

 

 

The last command takes the inputted information and logs you in:

 

 

Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant TENANT_ID

 

 

Things to remember

 

Make sure that you use good password storage practices when automating service principal connections.  I’ve shown you code that displays the passwords in plain text, which isn’t best practice but gives you an idea of how to use the commands and Service Principal concept.  Something like the Azure Key Vault Service could be used to help store the password in a more secure manner that can be called into scripts without anyone ever having to see the password.

 

For security purposes, Service Principal passwords are created with a default lifespan of a year, so don’t forget to make a note in your diary to renew the credentials or you may hit errors!

1 Comment
Microsoft

I would also recommend using Managed Identities whenever possible - if the automation workers run in Azure, then it's much better to use Managed Identities, as no one has to deal with secrets anymore.