Azure Service Principals: How to Create (and Understand) Them
When you need to automate tasks in Azure with scripts and tools, would you use a service account or an Azure service principal? It is not uncommon for some to just create a new service account, grant it every admin role they want, and exclude it from MFA.
I know what you’re thinking — “that is a horrible idea”. Of course, it is! And for sure, your security team will give you a lot of grief if you do all that.
But what’s the alternative? How can you use a privileged credential with a limited scope that doesn’t have to be excluded from multi-factor authentication? You’re in luck because that’s what this article will teach you.
In this article, you’ll learn what an Azure Service Principal is. You’ll also learn how to create service principals with different types of credentials, such as passwords, secret keys, and certificates.
There are many tools for creating Azure Service Principals, including the Azure Portal, the Azure Active Directory Admin Center, Azure AD PowerShell, the Azure CLI, and Azure PowerShell. The tool this article focuses on is Azure PowerShell.
Still interested? Keep on reading and let’s get started!
Since this is a learning-by-doing article, here are some prerequisites so you can follow along.
- Access to an Azure subscription. It would be best if you’re working on a test tenant. If you don’t have one, you could register for a free trial.
- Access to a computer that is running on Windows 10 with PowerShell 5.1.
- The Azure PowerShell module must be installed.
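A quick way to confirm those prerequisites before you start, as an added example that is not part of the original article: the script below checks the PowerShell version, installs the Az module for the current user if it is missing, and signs in interactively so you can confirm you are working in your test tenant and subscription. It assumes the PowerShell Gallery is reachable from your machine.

```powershell
# Added example (not from the original article): verify the prerequisites
# listed above before following along. Assumes Windows PowerShell 5.1 and
# that the PSGallery repository is reachable.

# 1. PowerShell version: the article targets Windows PowerShell 5.1.
$ps = $PSVersionTable.PSVersion
if ($ps.Major -lt 5 -or ($ps.Major -eq 5 -and $ps.Minor -lt 1)) {
    throw "PowerShell 5.1 or later is required; found $ps"
}
Write-Host "PowerShell $ps detected"

# 2. Azure PowerShell (Az) module: install for the current user if missing.
#    -Scope CurrentUser avoids needing an elevated prompt.
if (-not (Get-Module -ListAvailable -Name Az.Accounts)) {
    Write-Host "Az module not found; installing from PSGallery for the current user"
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
}
Import-Module Az.Accounts
Write-Host "Az.Accounts $((Get-Module Az.Accounts).Version) loaded"

# 3. Sign in interactively. This is your own account and it still satisfies
#    MFA; the service principal created later is what the scripts will use.
#    Then confirm you are in the intended test tenant and subscription.
Connect-AzAccount | Out-Null
$ctx = Get-AzContext
Write-Host "Signed in as   $($ctx.Account.Id)"
Write-Host "Tenant:        $($ctx.Tenant.Id)"
Write-Host "Subscription:  $($ctx.Subscription.Name) ($($ctx.Subscription.Id))"
```

If the subscription printed at the end is not your test tenant, switch with Set-AzContext before creating anything, so that the service principals and role assignments you make while following along never land in a production subscription.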
Azure Service Principal vs. Service Account
Automation tools and scripts often need admin or privileged access, for example to provision storage accounts or to start and stop virtual machines on a schedule. Many admins use a fully privileged user account (called a service account) to supply the credentials those scripts need.
A service account is essentially a privileged user account that authenticates with a username and password. And, if used with automation, a service account is most likely excluded from any…