Create Service Principal in Azure

Requirement

Let’s say you have an application that needs to access or modify a resource. In such scenarios, we can create an identity for the app and use that identity. This identity is known as a Service Principal.

Now, how do you know when you really need this? Suppose you are working with other teams and you want to access one of their Azure resources (take an ADLS Gen2 data lake as an example). You cannot request access on your own ID, as this resource might be used by any of the jobs. In this case, you can create a Service Principal, aka SPN, and request that access be provided to the created SPN.

Solution

Step 1: Create an Azure Active Directory

By default, you will be able to see an Active Directory named Default Directory (Default). We will use this default AAD for this exercise.

Step 2: Register a new App

Go to the Azure Active Directory, and click on New registration under App registrations in the left panel.

Once you click on Register, it will create an App.

The Service Principal is ready. You can share the Application (client) ID to provide access to the resource.

Step 3: Create Secret for SPN

In this step, we will create the secret for the SPN. This secret will be used while accessing the resource.

Go to the app, and click on Certificates & secrets in the left panel. It will ask you for the description of the secret and its expiry duration. After giving the input, click on Add.

(Screenshot: the Add a client secret pane under Certificates & secrets for access-app, with a Description field and Expires options of In 1 year, In 2 years, or Never.)

Now you can access any resource on which your SPN has been granted access by authenticating with this client secret.

Optional: Assign Role to App

Go to Subscriptions and select the subscription under which you want to provide the role. Here, in our case, we have only 1 subscription.

Navigate to Access control (IAM) from the left pane, click on + Add and choose Add role assignment.

Choose Contributor under Role, select Service Principal under Assign access to, and select the created App (access-app in our case).

Once you save this, a new role assignment will be created.
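With the SPN registered, a client secret created and a role assigned, the app signs in with the OAuth 2.0 client credentials grant against the tenant's token endpoint and presents the returned access token to the resource. The Python below is an added example, not code from the post: the tenant ID, client ID and secret are constructed placeholders, and the scope targets Azure Storage (the ADLS Gen2 case above).

```python
"""Client-credentials sign-in for a Service Principal (added example)."""
import base64
import json
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder: Default Directory tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder: Application (client) ID
STORAGE_SCOPE = "https://storage.azure.com/.default"  # audience for ADLS Gen2 (Azure Storage)


def build_token_request(tenant_id, client_id, client_secret, scope=STORAGE_SCOPE):
    """Return (url, form_body) for the v2.0 client credentials grant.

    The secret travels only in the POST body over TLS, never in the URL or a log line.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    })
    return url, body


def request_token(tenant_id, client_id, client_secret, scope=STORAGE_SCOPE):
    """POST the grant and return the parsed JSON response (needs network access)."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decode_claims(access_token):
    """Decode the JWT payload (aud, appid, exp, roles) for local inspection.

    This does NOT verify the signature; the resource, not the client, validates the token.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    url, body = build_token_request(TENANT_ID, CLIENT_ID, "<client-secret-from-portal>")
    print(url)
    print(urllib.parse.parse_qs(body)["grant_type"])  # ['client_credentials']
```

Pass the `access_token` field of the response as `Authorization: Bearer ...` on requests to the ADLS Gen2 endpoint; the token expires, so fetch a fresh one rather than caching it beyond `expires_in`.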

Wrapping Up

In this post, we have created a Service Principal (SPN) in the default AAD, which we will use to access resources. We have also created the client secret for the app. You can also store this client secret in a Key Vault.

Sharing is caring!
