Abstract
Azure AD is the centralized authentication and authorization mechanism for Azure. Any administrative operation on an Azure environment can be performed only by an identity that is part of Azure AD.
The common questions I get are:
- How do I authenticate to perform Azure management operations without using actual user credentials?
- How do I authenticate an Azure Resource Manager request?
- To call the management REST APIs of Azure, how do I generate an authentication token using Azure AD?
- To call the management REST APIs of Azure, how do I generate and pass an authentication token from my application?
The answer to all of the above questions is the Azure AD service principal, or app registration.
This blog post explains
- why you need an Azure AD service principal,
- how you can create your Azure AD service principal,
- what you can do with an Azure AD service principal.
Why do you need an Azure AD service principal?
For example, if you want to create a VM in Azure from the portal, you first must be part of Azure AD as a user. An Azure subscription always belongs to an Azure AD tenant, so your user ID must have sufficient rights on the Azure subscription.
However, to perform such administrative operations you can't always use actual user credentials/authorization. There are numerous scenarios where you want rights on an Azure subscription not as a user but as an application. For example, provisioning infrastructure on Azure using an "Infrastructure as Code" approach, or changing the pricing tier of a VM or a service on Azure from an application rather than the Azure portal. This is where we need an Azure AD service principal.
Leap back in history – what is an Azure AD service principal?
The service principal is the entity that allows Logic Apps to perform administrative actions against an Azure account. But what is a service principal?
Last year I wrote a detailed blog post on making an Azure Automation account powerful enough to perform administrative actions against an Azure account using a service principal. Please read it to learn more about service principals and how to create one in Azure using "Azure AD App registration" -
I am assuming that you are not lazy and have gone through what a service principal is. The service principal mentioned in that post is the one that gets created automatically when you create an Automation account. In this article I show how to create an app registration manually and then use it to generate an authentication token for performing administrative operations in Azure.
How to create an Azure service principal?
There are two ways: the traditional app registration on Azure AD (the v1.0 endpoint), or an app registration based on the v2.0 endpoint. As of today [18th Apr 2019] there are limitations on app registrations based on the v2.0 endpoint. Refer to the document below to decide whether you need the 1.0 or the 2.0 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison . This may change in future. Therefore we will be using the traditional way of app registration, which works best today.
Azure AD v1.0 endpoint based app registration
To register an app you may not need to be an Azure AD admin. However, granting the app permissions for what it can do does require Azure AD admin rights or owner access on the Azure subscription. Therefore it is always best to get this done by your IT team.
Open the Azure portal and open your Azure AD instance. You should see a page similar to the one below –
If you look at the screenshot above, there are two options for app registration. Select the one that is not marked "Preview". Click the "New Application Registration" option and enter the values as shown below –
Record the tenant ID, application ID and secret key
After successful application registration in Azure AD you will land on the screen shown below. Then click "Settings" -> "Keys".
Make sure you copy the application ID and keep it safe. We will need it for generating a token.
Then provide the information as shown below and click "Save". On a successful save a key is generated and shown only until you close the window; once you close it, the generated key is never displayed again, so keep it safe. The key becomes invalid according to the expiration you chose: for example, if you selected 1 year as the validity, the key will expire one year from the date of generation.
The tenant ID is the unique ID of your Azure Active Directory instance. It is available under the "Properties" option of Azure Active Directory, as shown below. Record it and keep it safe.
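With the three values recorded above (tenant ID, application ID and key), the application can obtain an Azure Resource Manager token from the Azure AD v1.0 endpoint with an OAuth 2.0 client-credentials grant. The following is an added example, not the author's code: it posts `grant_type=client_credentials` to `https://login.microsoftonline.com/{tenant-id}/oauth2/token` with `resource=https://management.azure.com/`, checks the response for an error (a wrong or expired key comes back as an `error`/`error_description` JSON body rather than a token), and reports how long the token remains valid from `expires_on`. The function names, the `transport` parameter (injectable so the flow can be exercised offline against a constructed response), and the placeholder values in the `__main__` block are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure AD v1.0 token endpoint and the resource identifier for Azure Resource Manager.
AUTHORITY = "https://login.microsoftonline.com"
ARM_RESOURCE = "https://management.azure.com/"


def build_token_request(tenant_id, client_id, client_secret, resource=ARM_RESOURCE):
    """Return (url, form_body_bytes) for a client-credentials grant against
    the v1.0 token endpoint of the given tenant."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # application ID from the app registration
        "client_secret": client_secret,  # key generated under Settings -> Keys
        "resource": resource,            # API the token is meant for (ARM here)
    }
    return url, urllib.parse.urlencode(form).encode("utf-8")


def parse_token_response(raw_body, now=None):
    """Validate the JSON the token endpoint returns and compute remaining lifetime.
    Raises ValueError on an error response (for example a wrong or expired key)."""
    data = json.loads(raw_body)
    if "access_token" not in data:
        raise ValueError(data.get("error_description") or data.get("error")
                         or "no access_token in response")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])  # v1.0 returns a Unix epoch as a string
    return {
        "access_token": data["access_token"],
        "expires_on": expires_on,
        "seconds_left": max(0, int(expires_on - now)),
        "resource": data.get("resource"),
    }


def _http_post_form(url, body):
    """Default transport: a real HTTPS POST to Azure AD (needs network access)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def get_arm_token(tenant_id, client_id, client_secret,
                  transport=_http_post_form, now=None):
    """Acquire an ARM access token for the service principal. `transport`
    (url, body) -> response text is injectable so the flow can be tested
    offline against a constructed response."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    return parse_token_response(transport(url, body), now=now)


def authorization_header(token_info):
    """Header to attach to every Azure management REST API call."""
    return {"Authorization": "Bearer " + token_info["access_token"]}


if __name__ == "__main__":
    # Placeholder values (assumed, not real): replace with the tenant ID,
    # application ID and key you recorded from the portal.
    info = get_arm_token("<tenant-id>", "<application-id>", "<key>")
    print("ARM token valid for %d more seconds" % info["seconds_left"])
```

The secret never leaves the form body of the token request; only the short-lived bearer token is attached to management calls, and `seconds_left` tells the caller when to request a fresh one rather than reusing an expired token. When the key itself has expired (per the validity chosen in the portal), the endpoint returns an error body and `get_arm_token` raises instead of silently handing back an empty token.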