Create Azure Service Principal

Creating a Service Principal in Azure and retrieving its Client ID and Secret involves several steps. Below is a detailed, step-by-step guide:

Step 1: Log in to Azure

1. Open the Azure Portal (https://portal.azure.com).

2. Log in with your Azure credentials.

Step 2: Navigate to Microsoft Entra ID (formerly Azure Active Directory)

1. In the left-hand navigation pane, select Microsoft Entra ID (still labelled Azure Active Directory in older portal versions).

2. Under the Manage section, click App registrations.

Step 3: Register a New Application

1. Click New registration at the top of the page.

2. Fill in the required fields:

• Name: Enter a descriptive name for the Service Principal (e.g., “MyServicePrincipal”).

• Supported account types: Choose who can use this application. Typically, select Accounts in this organizational directory only (single tenant), so the Service Principal cannot be used from any other tenant.

• Redirect URI: Leave this blank for Service Principal creation unless required by your application.

3. Click Register.

Step 4: Retrieve the Application (Client) ID

1. Once the registration is complete, you will be redirected to the application’s overview page.

2. Note down the Application (client) ID and Directory (tenant) ID. You will need them later.

Step 5: Create a Client Secret

1. In the application’s Manage section, select Certificates & secrets.

2. Under the Client secrets tab, click New client secret.

3. Provide a description (e.g., “DefaultSecret”) and choose an expiration duration (e.g., 1 year, 2 years, or custom). Pick the shortest duration your rotation process can keep up with; the secret stops working the moment it expires, so record the date.

4. Click Add.

5. Copy the generated value of the secret. This is the Client Secret.

Note: You will not be able to view this secret again once you leave the page, so save it securely, for example in Azure Key Vault or another secret manager, never in source code or a pipeline definition. Where your workload supports it, a certificate credential or a federated credential (workload identity) avoids having a long-lived secret at all.

Step 6: Create a Custom Role

1. In the portal, navigate to the subscription (or the resource group) that contains the Virtual Machines.

2. Open Access control (IAM), then click Add > Add custom role.

Note: The Roles and administrators page under Azure Active Directory / Microsoft Entra ID creates directory roles, which only cover directory permissions. Resource actions such as Microsoft.Compute/virtualMachines/... belong to Azure RBAC roles, which are created from the Access control (IAM) blade of a subscription or resource group.

Step 7: Define Role Details

1. Basics Tab:

• Name: Enter a name like “Virtual Machine Manager Role.”

• Description: Provide a brief description, e.g., “Allows listing, getting, starting, and stopping Virtual Machines.”

2. Permissions Tab:

• Click + Add permissions.

• Search for Microsoft.Compute/virtualMachines.

• Select the following actions:

  • Microsoft.Compute/virtualMachines/read

  • Microsoft.Compute/virtualMachines/start/action

  • Microsoft.Compute/virtualMachines/deallocate/action (releases the compute resources; if you only want a stop that keeps the VM allocated, use Microsoft.Compute/virtualMachines/powerOff/action instead)

• Click Add.

3. Assignable Scopes Tab:

• Specify the scopes where this role may be assigned:

  • Subscription: choose the subscription if the role should be assignable in every resource group and on every VM in it.

  • Resource Group: choose one or more resource groups for more granular control. This is the most important part, because the assignable scopes bound where this credential can ever be granted rights. As a best practice, create a separate Service Principal and role for one to a few (2-3) Resource Groups rather than one broad credential, to limit over-granting.

• Click + Add Assignable Scope and select the relevant scope.

Note: Assignable scopes do not grant anything by themselves; they only restrict where the role assignment in Step 8 can be created.

4. Review and finalize the role:

• Click Review + create.

• Click Create.

Step 8: Assign the Role to the Service Principal

1. Navigate to the resource you want the Service Principal to access (e.g., a subscription, resource group, or specific resource).

2. Go to the Access control (IAM) section of the resource.

3. Click Add role assignment.

4. On the Role tab, select the custom role created in Step 7 and click Next.

5. On the Members tab, under Assign access to, select User, group, or service principal, then click Select members.

6. Search for the name of the Service Principal (the application name you created in Step 3).

7. Select it, click Select, then Review + assign. Assign at the resource group rather than at individual VMs unless you have a reason to scope it narrower; the assignment is inherited by every VM in the group.
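The same procedure (Steps 3 to 8) as an Azure CLI script, added here as an example and not part of the original page. The subscription ID, resource group name, application name, role name and the one-year secret lifetime are placeholder assumptions; set the environment variables to your own values. The role definition is checked offline for wildcard actions and subscription-wide scopes before anything is sent to Azure, and the Azure calls only run when RUN_AZ=1 is set after an interactive `az login` with rights to create role definitions and assignments.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the Azure CLI equivalent of Steps 3-8.
# Subscription ID, resource group, names and secret lifetime are placeholder assumptions.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-vm-ops}"                               # assumed
SP_NAME="${SP_NAME:-MyServicePrincipal}"
ROLE_NAME="${ROLE_NAME:-Virtual Machine Manager Role}"

# Step 7 as a role definition document: the three VM actions, assignable only at one resource group.
role_definition_json() {
  local sub="$1" rg="$2" name="$3"
  cat <<EOF
{
  "Name": "${name}",
  "Description": "Allows listing, getting, starting, and stopping Virtual Machines.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${sub}/resourceGroups/${rg}" ]
}
EOF
}

# Offline guard run before anything is sent to Azure: reject wildcard actions and any
# assignable scope that is a whole subscription (the over-granting Step 7 warns about).
check_least_privilege() {
  local json="$1"
  if printf '%s' "$json" | grep -q '"[^"]*\*[^"]*"'; then
    echo "refusing wildcard action in role definition" >&2
    return 1
  fi
  if printf '%s' "$json" | grep -q '"/subscriptions/[^"/]*"'; then
    echo "refusing subscription-wide assignable scope" >&2
    return 1
  fi
  return 0
}

# Steps 3-8 against a real tenant. Only executed when RUN_AZ=1 is set.
main() {
  local scope="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"
  local role_json
  role_json="$(role_definition_json "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$ROLE_NAME")"
  check_least_privilege "$role_json"

  # Steps 6-7: create the Azure RBAC custom role from the JSON above.
  az role definition create --role-definition "$role_json" >/dev/null

  # Steps 3-5 and 8 in one call: app registration + service principal + client secret,
  # with the custom role assigned at resource-group scope only (no default broad role).
  local creds
  creds="$(az ad sp create-for-rbac --name "$SP_NAME" --role "$ROLE_NAME" \
             --scopes "$scope" --years 1 -o json)"
  # The JSON output prints one key per line, so a per-line sed is enough to pull the IDs.
  local app_id tenant_id
  app_id="$(printf '%s' "$creds" | sed -n 's/.*"appId": *"\([^"]*\)".*/\1/p')"
  tenant_id="$(printf '%s' "$creds" | sed -n 's/.*"tenant": *"\([^"]*\)".*/\1/p')"
  echo "Client ID: $app_id  Tenant ID: $tenant_id  (the secret is the \"password\" field; it is shown once, store it in a vault)"

  # Check: the only assignment for this principal is the custom role at the resource group.
  az role assignment list --assignee "$app_id" --scope "$scope" -o table
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  main
fi
```

A newly created role definition can take a short while to replicate; if `az ad sp create-for-rbac` reports that the role does not exist, wait a minute and rerun only the assignment with `az role assignment create`. To confirm least privilege end to end, log in as the principal (`az login --service-principal -u <client id> -p <secret> --tenant <tenant id>`) and check that `az vm list -g <resource group>` succeeds while `az vm delete` on one of those VMs fails with AuthorizationFailed.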
