Azure Service Principals 101

by Steven Cooney

I was recently talking to a colleague who was starting with Azure for the first time; we were discussing authentication methods, especially when using external tools. When interacting with Azure programmatically, you soon stumble across service principals. However, for someone new to Azure, what are Service Principals, and what are some of the useful commands used to manage them?

What is a Service Principal?

Azure uses Active Directory (AD) to manage users and other access to Azure services and resources. When a user logs onto Azure, they have a User identity object within AD that has associated permissions and roles dictating their access within Azure.

Often there are requirements to have programmatic access to Azure resources and services. One example may be automated tools within CI/CD to deploy an application or access Azure services. Rather than creating a "dummy/fake" user identity within AD, we create a Service Principal.

Service Principals can have their permissions scoped so that they only interact with a particular set of resources or services. Furthermore, roles outline the actions that the service principal can perform on those resources or services.

List Service Principals

There are tons of built-in Service Principals (SPs) within Azure, such as the SPs for Office 365, whether you use it or not. To find the SPs that you've created, it's best to filter the list down to only those within your Azure Tenant.

az ad sp list --filter "publisherName eq 'Default Directory'"

Create a Service Principal

When creating a service principal, you should specify a name for easier management in the future. You should also only give it the minimum roles and scopes required to undertake the desired action.

az ad sp create-for-rbac -n "MyAwesomeApp" --role Reader --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}

For all parameters, you can refer to the documentation for az ad sp create-for-rbac.

Find Expired Service Principals

There is a quota limit on Service Principals within an Azure Tenant, and it's good hygiene to clean up after yourself anyway. So we sometimes want to find Service Principals whose credentials have expired, so that we can either delete or renew them.

Below is a PowerShell snippet that lists all Service Principal credentials that have expired. We first get a list of all Service Principals within our Tenant, then loop over them checking each credential's expiry date, only outputting those that have expired.

$spns = az ad sp list --filter "publisherName eq 'Default Directory'" | ConvertFrom-Json |
    Select-Object appId, displayName | Sort-Object -Property displayName
foreach ($spn in $spns) {
    # endDate comes back as a string; cast it so this is a date comparison rather than a string comparison
    az ad sp credential list --id $spn.appId | ConvertFrom-Json |
        Where-Object { ([datetime]$_.endDate) -lt (Get-Date) } |
        Select-Object @{Name = "displayName"; Expression = { $spn.displayName }}, keyId, startDate, endDate
}
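As an added example that is not part of the original post, the function below extends the check above so that it warns before a credential expires rather than only after, classifying each credential as expired, expiring within a warning window, or valid. It runs offline on constructed sample data shaped like the output of az ad sp credential list; the field name endDateTime is assumed for newer CLI versions, while endDate is the name used above.

```powershell
# Added example, not from the original post. Classifies each credential of a
# Service Principal as Expired / ExpiringSoon / Valid relative to a reference
# date, so credentials can be rotated before they break a pipeline.
function Get-SpCredentialStatus {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Objects as returned by: az ad sp credential list --id <appId> | ConvertFrom-Json
        [Parameter(Mandatory)] [object[]] $Credentials,
        [int] $WarnDays = 30,
        [datetimeoffset] $Now = [datetimeoffset]::UtcNow
    )
    foreach ($cred in $Credentials) {
        # Older az CLI output uses 'endDate'; newer Microsoft Graph based output uses 'endDateTime' (assumed name).
        $raw = if ($cred.PSObject.Properties['endDateTime']) { $cred.endDateTime } else { $cred.endDate }
        # Parse to a real date: comparing the raw string against Get-Date would be a string comparison.
        $end = [datetimeoffset]::Parse($raw, [cultureinfo]::InvariantCulture)
        $daysLeft = [int][math]::Floor(($end - $Now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'Valid' }
        [pscustomobject]@{
            displayName = $DisplayName
            keyId       = $cred.keyId
            endDate     = $end
            daysLeft    = $daysLeft
            state       = $state
        }
    }
}

# Constructed sample data standing in for the JSON that 'az ad sp credential list' returns.
$sampleJson = @'
[
  { "keyId": "11111111-1111-1111-1111-111111111111", "startDate": "2020-01-01T00:00:00+00:00", "endDate": "2021-01-01T00:00:00+00:00" },
  { "keyId": "22222222-2222-2222-2222-222222222222", "startDate": "2021-01-01T00:00:00+00:00", "endDate": "2021-06-15T00:00:00+00:00" },
  { "keyId": "33333333-3333-3333-3333-333333333333", "startDate": "2021-01-01T00:00:00+00:00", "endDate": "2022-01-01T00:00:00+00:00" }
]
'@
$creds = $sampleJson | ConvertFrom-Json

# Fixed reference date so the result is reproducible: expect one Expired and one ExpiringSoon (14 days left).
Get-SpCredentialStatus -DisplayName 'MyAwesomeApp' -Credentials $creds -Now ([datetimeoffset]'2021-06-01T00:00:00Z') |
    Where-Object state -ne 'Valid' |
    Format-Table displayName, keyId, endDate, daysLeft, state

# Against a live tenant, feed real data in the same shape:
# $spns = az ad sp list --filter "publisherName eq 'Default Directory'" | ConvertFrom-Json
# foreach ($spn in $spns) {
#     $creds = az ad sp credential list --id $spn.appId | ConvertFrom-Json
#     Get-SpCredentialStatus -DisplayName $spn.displayName -Credentials $creds -WarnDays 30
# }
```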

Renew/Update a Service Principal

When Service Principal credentials expire, they need to be renewed. Likewise, if the Service Principal secret is exposed, it must be regenerated. The command below resets the service principal's credentials, generating a new secret and a new expiry date.

az ad sp credential reset --name "MyAwesomeApp"

For all parameters, you can refer to the documentation for az ad sp credential reset.

Delete a Service Principal

Once you have no use for a Service Principal, you should delete it, removing its access to Azure. Although I haven't touched upon it much in this post, it is possible to have multiple credentials assigned to a Service Principal. Multiple credentials are useful when you have more than one Azure Tenant.

Below is a command to delete a Service Principal along with all of its credentials, role assignments and scopes.

az ad sp delete --id "MyAwesomeApp"

For all parameters, you can refer to the documentation for az ad sp delete. To delete a single credential on a Service Principal instead, see az ad sp credential delete.



© 2021 - TheYorkshireDev