Using Azure CLI and PowerShell to Create Service Principals for RBAC

In this blog post, I’ll guide you through the process of creating a service principal using both Azure CLI and PowerShell, as well as assigning it roles for Role-Based Access Control (RBAC). This is a crucial task for managing programmatic access to your Azure resources securely.

Prerequisites

Before we start, make sure you have:

  • Azure CLI installed on your machine.
  • PowerShell installed on your machine.
  • An Azure account with sufficient permissions to create service principals and assign roles.

Creating a Service Principal Using Azure CLI

To create a service principal using Azure CLI, open your terminal or command prompt and run the following command:

az ad sp create-for-rbac --name <YourAppName> --role contributor --scopes /subscriptions/<YourSubscriptionID> --sdk-auth

  • Replace <YourAppName> with a name for your service principal.
  • Replace <YourSubscriptionID> with your Azure subscription ID.

This command will create a service principal with the Contributor role and display important credentials such as the client ID, tenant ID, and client secret.


Creating a Service Principal Using PowerShell

To create a service principal using PowerShell, first make sure you have the Az PowerShell module installed. Then, run the following command:

$sp = New-AzADServicePrincipal -DisplayName "<ServicePrincipalName>" -Role "<RoleName>" -Scope "<ResourceScope>"

  • Replace <ServicePrincipalName> with the name of your service principal.
  • Replace <RoleName> with the desired role (e.g., Contributor).
  • Replace <ResourceScope> with the resource or subscription you want to assign the role to (e.g., /subscriptions/<YourSubscriptionID>).

This command will create the service principal and return details such as the application ID (client ID) and tenant ID.


Automating Azure Tasks with PowerShell Module

For a more streamlined experience when managing Azure tasks, I recommend checking out the Latzox/LSEMgmtAzure PowerShell module. This module helps manage and monitor Microsoft Azure environments.

GitHub - Latzox/LSEMgmtAzure: A PowerShell module to manage and monitor Microsoft Azure environments, including Azure resource management, cost analysis, storage backup, and VM health checks.

Creating a Service Principal with LSEMgmtAzure Module

This module simplifies the process of creating service principals. For example, you can easily create a service principal to automate tasks in Azure DevOps or GitHub Actions:

New-ServicePrincipal -Type "Secret" -DisplayName "MyApp" -Role "Contributor" -Scope "/subscriptions/XXXX"

Alternatively, you can opt for a more secure option by creating federated credentials for GitHub Actions, allowing you to authenticate without needing a secret:

New-ServicePrincipal -Type "FederatedCredential" -DisplayName "MyApp" -Role "Contributor" -Scope "/subscriptions/XXXX"

Using federated credentials reduces the security risk of storing and managing client secrets.
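The PowerShell and federated-credential steps above, carried out with the Az module cmdlets directly, as an added example that is not part of the original post or of the LSEMgmtAzure module. It narrows the role assignment from subscription-wide Contributor to a single resource group, creates no client secret at all, and verifies the result; the resource group, role, repository and branch values are placeholders you must replace.

```powershell
# Added example: create a service principal for GitHub Actions with the Az module only.
# Placeholders (assumptions, replace before running): resource group, role, repo, branch.
param(
    [string]$DisplayName   = "gh-actions-deploy",
    [string]$ResourceGroup = "<YourResourceGroup>",   # role scoped here, not to the subscription
    [string]$Role          = "Website Contributor",   # pick the narrowest built-in role that fits
    [string]$GitHubRepo    = "<YourOrg>/<YourRepo>",
    [string]$Branch        = "main"
)

$ctx     = Get-AzContext
$rgScope = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$ResourceGroup"

# 1. App registration plus service principal; no password credential is requested.
$app = New-AzADApplication -DisplayName $DisplayName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Least-privilege role assignment at resource-group scope.
#    -ObjectType avoids the "principal not found" error while the new SP replicates.
New-AzRoleAssignment -ObjectId $sp.Id -ObjectType ServicePrincipal `
    -RoleDefinitionName $Role -Scope $rgScope | Out-Null

# 3. Federated credential: trust only tokens GitHub issues for this repo and branch.
#    ${} braces are needed because a bare "$GitHubRepo:" would be parsed as a scope.
New-AzADAppFederatedCredential -ApplicationObjectId $app.Id `
    -Name "github-$Branch" `
    -Issuer "https://token.actions.githubusercontent.com" `
    -Subject "repo:${GitHubRepo}:ref:refs/heads/${Branch}" `
    -Audience "api://AzureADTokenExchange" | Out-Null

# 4. Verify the result: exactly the intended assignment, and no secrets on the app.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
if (Get-AzADAppCredential -ObjectId $app.Id) {
    Write-Warning "Application $($app.AppId) has password/key credentials; remove them."
}

# 5. Values the workflow needs (azure/login with OIDC). Nothing here is a secret.
[pscustomobject]@{
    AZURE_CLIENT_ID       = $app.AppId
    AZURE_TENANT_ID       = $ctx.Tenant.Id
    AZURE_SUBSCRIPTION_ID = $ctx.Subscription.Id
}
```

Run it after Connect-AzAccount in the target subscription; the three emitted values go into the GitHub workflow as plain variables, since with federated credentials there is no secret to store.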

By following these steps, you’ll be able to create service principals in Azure and use them to automate tasks within your Azure environment. For further automation, consider leveraging the PowerShell module to enhance your workflow efficiency.