Monday, April 22, 2019

How to create service principal or App registration in Azure AD

Abstract

Azure AD is the centralized authentication and authorization mechanism for Azure. Any administrative operation on an Azure environment can be performed only by an identity that is part of Azure AD.
The common questions I get are –
  1. How do I authenticate to perform Azure management operations without using actual user credentials?
  2. How do I authenticate an Azure Resource Manager request?
  3. To call the management REST APIs of Azure, how do I generate an authentication token using Azure AD?
  4. To call the management REST APIs of Azure, how do I generate and pass an authentication token from my application?

The answer to all of the questions above is the same – an Azure AD service principal, or app registration.
This blog post explains:
  • why you need an Azure AD service principal,
  • how you can create your Azure AD service principal,
  • what you can do with an Azure AD service principal.

Why do you need an Azure AD service principal?

For example, if you want to create a VM in Azure from the portal, you first must be a user in Azure AD. An Azure subscription always belongs to an Azure AD tenant, so your user id must have sufficient rights on the Azure subscription.
However, for such administrative operations you often can’t use actual user credentials/authorization. There are numerous scenarios where you want rights on an Azure subscription not as a user, but as an application: for example, provisioning infrastructure on Azure using an “Infrastructure as Code” approach, or changing the pricing tier of a VM or a service on Azure from an application rather than from the Azure portal. This is where we need an Azure AD service principal.

Leap back in history – what is an Azure AD service principal?

The service principal is the entity that lets Logic Apps perform administrative actions against an Azure account. But what is a service principal?
Last year I wrote a detailed blog on making an Azure Automation account powerful enough to perform administrative actions against an Azure account using a service principal. Please read it to learn more about service principals and how to create one in Azure using “Azure AD App registration” - 

I am assuming that you are not lazy and have gone through what a service principal is. The service principal mentioned in that blog is the one that gets created automatically when you create an automation account. In this article I show how to create an app registration manually and then use it to generate an authentication token to perform wonders in Azure administrative operations.

How to create an Azure service principal?

There are two ways: the traditional app registration on Azure AD, and app registration based on the v2.0 endpoint. As of today [18th Apr 2019] there are limitations on app registrations based on the v2.0 endpoint. Refer to the document below to decide whether you need the v1.0 or v2.0 endpoint - https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison . This may change in future. Therefore we will use the traditional way of app registration, which works best.

Azure AD v1.0 endpoint based app registration

To register an app you may not need to be an Azure AD admin. However, granting the app permissions (what it is allowed to do) does require Azure AD admin rights or owner access on the Azure subscription. Therefore it is always best to get it done by your IT team.
Open the Azure portal and open the Azure AD instance in the portal. You should see a page similar to the one below –



If you look at the screenshot above, there are two options for app registration. Select the one that is not marked “Preview”. Click the “New Application Registration” option and enter the values as shown below –


Record the tenant ID, application ID and secret key

After successful application registration in Azure AD you will land on the screen shown below. Then click “Settings” -> “Keys”.



Make sure you copy the application ID and keep it safe. We will need it to generate a token.
Then provide the information as shown below and click “Save”. On a successful save a key is generated and is visible only until you close the window. Once you close the window the generated key is never displayed again, so keep it safe. The key becomes invalid according to the expiration you chose: for example, if you selected 1 year as the validity, the key will expire one year from the date of generation.



The tenant ID is the unique ID of your Azure Active Directory. It is available under the “Properties” option of Azure Active Directory, as shown below. Record it and keep it safe.
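As an added example (not code from the original post), here is how the three recorded values are used to obtain a token for the Azure management REST API from the v1.0 endpoint. The token endpoint and resource URLs are the documented Azure AD v1.0 values rather than taken from this page, and the sample responses are constructed for offline testing.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"  # Azure AD v1.0 endpoint
ARM_RESOURCE = "https://management.azure.com/"  # Azure Resource Manager, the token's audience

# Constructed sample responses (not captured from a real tenant), used for offline testing.
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": "3599",
                              "access_token": "constructed.access.token"})
SAMPLE_ERROR = json.dumps({"error": "invalid_client", "error_description": "constructed error for testing"})

def build_token_request(tenant_id, client_id, client_secret):
    """Return the URL and form body of a v1.0 client-credentials request."""
    url = TOKEN_URL.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # the app authenticates itself, no user involved
        "client_id": client_id,              # application id from the app registration
        "client_secret": client_secret,      # key generated under Settings -> Keys
        "resource": ARM_RESOURCE,            # v1.0 takes "resource", not "scope"
    })
    return url, body

def parse_token_response(raw_json, now=None):
    """Turn the endpoint's JSON into the token plus its absolute expiry time."""
    data = json.loads(raw_json)
    if "access_token" not in data:  # bad secret, expired key, wrong tenant, ...
        raise ValueError(data.get("error_description", "token request failed"))
    now = time.time() if now is None else now
    return {"type": data.get("token_type", "Bearer"), "token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}

def needs_refresh(token_info, now, skew=300):
    """True when the token is expired or within `skew` seconds of expiring."""
    return now + skew >= token_info["expires_at"]

def get_arm_token(tenant_id, client_id, client_secret):
    """Real HTTP exchange (needs network and a valid registration); read the secret from env or a vault."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read().decode()
    except urllib.error.HTTPError as err:  # 400/401 replies carry the JSON error body
        raw = err.read().decode()
    return parse_token_response(raw)
```

The returned token goes into an `Authorization: Bearer <token>` header on each management REST call; check `needs_refresh` before reuse so a call is not made with a token about to expire.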


Assign correct permissions to Azure AD App