Service Principal Authn/Authz for Azure PowerShell

  • Article

Azure supports two control planes for managing Azure services: Azure Service Management (ASM) and Azure Resource Manager (ARM), which is the primary control plane going forward. ASM is supported by the production Azure Portal while ARM is supported by the preview Azure Portal.

The Azure PowerShell cmdlets support both control planes with ASM cmdlets being named Verb-AzureNoun and the ARM cmdlets being named Verb-AzureRmNoun. The Azure PowerShell ARM cmdlets support RBAC authentication using Azure Active Directory (AAD) users and service principals. These can be created using the Azure Active Directory support in the Azure Production Portal. This post shows how to use the Azure PowerShell cmdlets v1 to create a service principal and then associate it with an Azure RBAC role allowing it to be used to administer resources managed by the ARM control plane.

This replaces an earlier post which I am leaving up since it provides information on using the AAD PowerShell cmdlets to get additional information about service principals. There is a more extensive description of this topic on the Azure.com website.

Create a Service Principal

In the identity space a service principal is used to represent an application. Consequently, the creation of a service principal requires the creation of an AAD application to which the service principal can be attached. The following shows the use of New-AzureRMADApplication to create an application and then the use of New-AzureRmADServicePrincipal to create a service principal:

$servicePrincipalName = 'https://some/name'
$displayName = 'SomeName'
$password = 'strongPassword'

$azureAdApplication = New-AzureRmADApplication -DisplayName $displayName -HomePage 'https://somehomepage' -IdentifierUris $servicePrincipalName -Password $password

New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

Assign Service Principal to a Role

The service principal must then be assigned to one or more Azure RBAC roles in order to be use ARM operations. The following shows the use of New-AzureRmRoleAssignment to add the service principal to the Reader role at subscription scope and to the Virtual Machine Contributor role for a specified resource group.

New-AzureRmRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $azureAdApplication.ApplicationId

New-AzureRmRoleAssignment -RoleDefinitionName ‘Virtual Machine Contributor’ -ServicePrincipalName $azureAdApplication.ApplicationId –ResourceGroup 'SomeResourceGroup'

These role assignments allow the service principal to view, but not change, resources in the subscription and to create IaaS v2 VMs in the specified resource group. Note that the –ServicePrincipalName parameter may be misnamed since it takes an application ID not the actual service principal name.

Authenticate using the Service Principal

In the Azure PowerShell cmdlets v1 the Login-AzureRmAccount cmdlet is used for authentication. The following shows how to create a secure credential for the service principal and then use that to authenticate:

$securePassword = ConvertTo-SecureString $strongPassword -AsPlainText -Force
$secureCredential = New-Object System.Management.Automation.PSCredential($servicePrincipalName, $securePassword)

$tenantId = (Get-AzureRmSubscription).TenantId

Login-AzureRmAccount -ServicePrincipal -Credential $secureCredential -Tenant $tenantId

The service principal is now authenticated and can successfully invoke ARM operations supported by the roles and scope to which it has been assigned. For example, New-AzureRmResourceGroup fails but Get-AzureRmResourceGroup succeeds.