Service Principals in Microsoft Azure

/content/images/2016/12/azure-logo.jpg

What is a service principal?

Azure has a notion of a Service Principal which, in simple terms, is a service account: the cloud counterpart of the service accounts used on Windows and Linux to run a specific scheduled task, a web application pool or even the SQL Server service. A Service Principal lets you provision an identity that has only the permissions and scope needed to run one task against a predefined set of Azure resources. It is vital that you don't use your own account to run these tasks; it all boils down to the principle of least privilege and to accountability (an audit entry for a dedicated principal tells you which job acted, one for your own user account does not). Throwaway accounts such as Service Principals with locked-down permissions are easier to provision, monitor and de-provision if something goes wrong. You can define as many applications and Service Principals as you need, whereas normal user accounts are limited by your subscription's quotas. The most common uses of Service Principals are automation tasks, runbooks and Continuous Deployment, and for CI/CD Visual Studio Team Services has great integration with Azure AD and Service Principals for release management.

Create a service principal with PowerShell

Now that I've managed to convince you of the importance of Service Principals, we can go ahead and create one. A Service Principal is backed by a corresponding Azure Active Directory (now Microsoft Entra ID) application: the application is the definition, the Service Principal is the identity that lives in your tenant, and RBAC permissions and scope are applied to the Service Principal, not to the application. If you don't have Azure PowerShell, you can download the latest version from the Azure downloads page. Alternatively, if you want to avoid installing anything on your machine, you can use Azure Cloud Shell to run the scripts.

Open a new PowerShell window and run the following script once you have changed the parameters to match your environment.

Running the script creates an App Registration and a Service Principal. You can omit line 7 (the role assignment) if you want, as the default Role Assignment is Contributor; either way, confirm the result with Get-AzRoleAssignment (Get-AzureRmRoleAssignment on the older AzureRM module), because a principal that ends up with more than its task needs defeats the purpose. Information on all available roles (RBAC) can be found here.
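As an added example (this is not the script from the original post, whose code is not reproduced here), the following Az PowerShell script creates the App Registration and Service Principal, then replaces any subscription-wide Contributor assignment with a single role scoped to one resource group, which is the same trimming the CLI section below does with az role assignment. It assumes the Az module (Az.Resources 5.x or later, which returns the generated secret in PasswordCredentials.SecretText); the display name, resource group and role are placeholders to change for your environment.

```powershell
# Added example, not the post's own script. Assumes Az.Resources 5.x or later.
# Creates an App Registration plus Service Principal, then scopes its rights
# to one resource group instead of the whole subscription.

$displayName   = 'deploy-sp-example'   # assumption: your naming convention
$resourceGroup = 'rg-example'          # assumption: the resource group the task touches
$role          = 'Reader'              # assumption: swap for a built-in or custom role that fits the task

Connect-AzAccount | Out-Null
$context = Get-AzContext

# One call creates the application object and its service principal. Depending on
# the module version this may or may not also add a Contributor assignment at
# subscription scope; that is removed further down.
$sp = New-AzADServicePrincipal -DisplayName $displayName

# The secret is only available in this response. Hand it to your secret store
# (for example Set-AzKeyVaultSecret) immediately and never write it to a log.
$secret = $sp.PasswordCredentials[0].SecretText

Write-Host "appId    : $($sp.AppId)"
Write-Host "objectId : $($sp.Id)"
Write-Host "tenant   : $($context.Tenant.Id)"
Write-Host "secret   : (captured in `$secret, not displayed)"

$scope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId

# A freshly created principal takes a few seconds to replicate, so the first
# role assignment can fail with 'principal does not exist'. Retry instead of
# leaving the principal half-configured.
$assigned = $false
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Could not assign $role on $scope to $displayName" }

# Drop a subscription-wide Contributor assignment if a default created one.
$subscriptionScope = "/subscriptions/$($context.Subscription.Id)"
Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $subscriptionScope } |
    ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }

# Verify: the principal should now hold exactly the scoped role and nothing broader.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment is the check worth keeping in any provisioning script: what a task is allowed to do is whatever the assignments say, not whatever the script intended, and the list should contain only the one scoped entry.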

Create a service principal with the Azure CLI

If you prefer to work with the Azure CLI instead, this is how you create a Service Principal.

You can download and install the CLI either through Node's NPM package manager or through the native installers; details on all available installers are on the official Azure CLI page. Note that the az commands below belong to Azure CLI 2.0, which ships as native installers or a Python package; the Node-based 1.0 CLI is retired.

This generates output like the following. Make sure to capture this information, because the secret (password) is shown only in this response and cannot be retrieved afterwards; if it is lost you have to reset the credential (az ad sp credential reset) and issue a new one.

{
  "appId": "083471cd-1111-2222-aaaa-10f303f879f7",
  "displayName": "test2",
  "name": "http://test2",
  "password": "nAoUiQZv~OUH00000000000~1OR_20Oe",
  "tenant": "e801a3ad-0000-aaaa-1111-1d77cb360b07"
}

By default the Service Principal is assigned the Contributor role (newer versions of the Azure CLI, 2.37 and later, no longer create any assignment unless you pass --role and --scopes). Although Contributor is easy to work with, it is also dangerous and against what we are really trying to achieve: per task/application permissions to a subset of resources. Contributor at subscription scope lets the principal create, modify and delete almost any resource in the subscription, so a leaked secret for a deployment job becomes full control of the environment. You can change the roles by adding the necessary ones (ideally custom ones, scoped to a resource group or a single resource) and removing Contributor with the following commands:

# Assign a role that fits the task, limited to the resource group it works in.
# --assignee accepts the appId, the object ID or the service principal name.
az role assignment create --assignee <your Service Principal ID> --role <YourCustomRole> --scope /subscriptions/<subscription ID>/resourceGroups/<resource group>

# Remove the subscription-wide Contributor assignment if create-for-rbac added one
az role assignment delete --assignee <your Service Principal ID> --role Contributor

# Verify what the principal now holds, across all scopes
az role assignment list --assignee <your Service Principal ID> --all

I hope this proved how easy it is to programmatically create a Service Principal to use in your applications, tasks and CLI commands.
