A service principal in Azure Active Directory (Azure AD) is essentially an identity for an application, allowing it to authenticate and authorize access to Azure resources.
To create a service principal, you can use the Azure portal, Azure CLI, or Azure PowerShell.
A service principal is a unique entity within Azure AD, with its own name, ID, and credentials.
In Azure AD, a service principal is represented by a client ID, which is a unique identifier for the application.
Azure AD uses the client ID to authenticate and authorize access to Azure resources.
What is an Azure Principal?
Azure Service Principals are security identity objects for use with applications, services, and tools that need access to resources within an Azure tenant.
They stop you from having to create a “fake” user within your Active Directory environment for a service, which is especially helpful if you come from an on-prem world.
Service Principals can be created and managed using Azure portal, Azure CLI, Azure PowerShell, or Azure SDKs.
An audit trail with Service Principals shows access attempts and activity, which can help you meet compliance and regulatory requirements.
Types of Azure Principals
There are two types of Azure Principals: Service Principals and Managed Identities. Service Principals are security identity objects for use with applications and services that need access to resources within an Azure tenant.
Service Principals can be created and managed using the Azure portal, Azure CLI, Azure PowerShell, or Azure SDKs. They provide an audit trail with access attempts and activity, which can help meet compliance and regulatory requirements.
Managed Identities, on the other hand, are similar to Service Principals but remove the need to create and manage them. They are created automatically and can be either system-assigned or user-assigned.
Principal Example
As an example of an Azure principal, let's consider a service principal. It's useful when an administrator wants to use Terraform to build or update an Azure cloud environment without having to provide credentials.
You can create a service principal by opening a Bash shell in the Azure portal (Cloud Shell) and running an Azure CLI command, substituting your own name for the service principal.
The command will take a few minutes to process, and you'll see a warning about role assignments.
The service principal is assigned the Contributor role by default, which grants permission to read, write, or change information and objects.
You can restrict these permissions by changing the role to Reader, which grants read-only privileges.
To assign the Reader role when creating a service principal, you can use a specific command.
You'll need to securely note down the credentials shown in Figure 1, as they won't be shown again.
By default, service principals have a lifespan of one year before the password expires.
You can test the service principal's credentials by logging in and using the Azure CLI to run a command.
Specify the app_id, password, and tenant_id to use the assigned credentials.
For example, when admins assign the Reader role to a service principal, they grant read-only rights to the tenant.
You can restrict these permissions to certain management groups or individual resources, such as VMs or load balancers.
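The procedure above (create the service principal with the Reader role instead of the default Contributor, scope it to a single resource group, then log in with the issued credentials and check what they can see), written out as an added example that is not from the original article. It assumes the Azure CLI is installed, an administrator is already logged in, and that `SP_NAME`, `SUBSCRIPTION_ID` and `RESOURCE_GROUP` are placeholder environment variables you set.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: create a service principal with
# the Reader role scoped to one resource group (instead of the default
# subscription-wide Contributor), then confirm the credentials work.
# Assumes Azure CLI is installed and an administrator is already logged in.
# SP_NAME, SUBSCRIPTION_ID and RESOURCE_GROUP are placeholder environment variables.
set -eu

# Pure helper: build the resource-group scope string used for the role assignment.
scope_for_rg() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Pure helper: refuse to proceed if a value does not look like a GUID.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Create the service principal. appId, password and tenant are shown only once,
# so they are captured here and belong in a secret store, never in a script.
create_reader_sp() {
  az ad sp create-for-rbac --name "$1" --role Reader --scopes "$2" \
    --query '[appId,password,tenant]' --output tsv
}

# Log in as the service principal and list what the Reader role lets it see.
verify_sp_login() {
  is_guid "$1" || { echo "appId is not a GUID: $1" >&2; return 1; }
  az login --service-principal --username "$1" --password "$2" \
    --tenant "$3" --output none
  az group list --query '[].name' --output tsv
}

main() {
  scope=$(scope_for_rg "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")
  creds=$(create_reader_sp "$SP_NAME" "$scope")
  app_id=$(printf '%s\n' "$creds" | cut -f1)
  password=$(printf '%s\n' "$creds" | cut -f2)
  tenant_id=$(printf '%s\n' "$creds" | cut -f3)
  verify_sp_login "$app_id" "$password" "$tenant_id"
}

# Only touches Azure when explicitly asked, so the helpers can be sourced safely.
if [ "${RUN_SP_DEMO:-0}" = 1 ]; then main; fi
```

Run with `RUN_SP_DEMO=1` to execute the procedure; the one-time credentials are printed to the terminal by `az group list` only indirectly, so rotate or revoke them if they were ever pasted anywhere persistent.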
Principal vs Managed Identities
Azure Service Principals and Managed Identities are both used for managing authentication and authorization in Azure, but they differ in their implementation and use cases.
Both Service Principals and Managed Identities enable fine-grained, programmatic access to Azure infrastructure without having to put passwords into scripts.
Service Principals are typically used when a service or application needs access to Azure resources without requiring user interactions, and they can be created and managed using Azure portal, Azure CLI, Azure PowerShell, or Azure SDKs.
Managed Identities, on the other hand, can be system-assigned or user-assigned, and with system-assigned managed identities, admins create the identity as a part of a specific Azure resource, such as a VM.
With Managed Identities, admins do not have to manage credentials, including passwords, which simplifies identity management and reduces the risk of compromised credentials.
The key difference between Azure Service Principals and Managed Identities is that Managed Identities have their own lifecycle and can be shared across resources, whereas Service Principals are tied to a specific application or service.
Client ID vs Object ID
In Azure DevOps, you'll need the Client ID, also known as the appId, to set up a Service Connection.
The Client ID is not the same as the Object ID. The Object ID is also a single GUID and is easy to obtain, but it is not the correct value to use in a Service Connection or an Azure RBAC assignment.
For Azure RBAC assignments in your Bicep files you'll actually need the Service Principal ID, which is another single GUID.
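To make the three GUIDs visible side by side and use the right one for a role assignment, here is an added example that is not from the original article or the linked posts. It assumes the Azure CLI, an existing login, and placeholder environment variables `APP_ID` (the Client ID), `SUBSCRIPTION_ID` and `RESOURCE_GROUP`; the mapping helper is hypothetical and exists only to make the "which ID for which task" rule explicit.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: show the app registration's
# Client ID and Object ID next to the service principal's own Object ID, and
# use the service principal Object ID for an RBAC assignment.
# APP_ID, SUBSCRIPTION_ID and RESOURCE_GROUP are placeholder environment variables.
set -eu

# Hypothetical helper that encodes the rule from the text: a DevOps Service
# Connection wants the Client ID (appId); an RBAC assignment wants the
# service principal's Object ID.
id_for_task() {
  case "$1" in
    devops-connection) echo "appId" ;;
    rbac) echo "spObjectId" ;;
    *) echo "unknown task: $1" >&2; return 1 ;;
  esac
}

# Print all three identifiers for one application. Both az commands accept the
# Client ID as --id, which is exactly why the two Object IDs get mixed up.
show_ids() {
  # App registration: its Object ID is NOT the one RBAC needs.
  az ad app show --id "$1" --query '{appId:appId, appRegistrationObjectId:id}' --output json
  # Service principal (enterprise application): this Object ID is the RBAC assignee.
  az ad sp show --id "$1" --query '{appId:appId, spObjectId:id}' --output json
}

# Assign Reader by the service principal's Object ID with an explicit principal
# type, so the CLI does no directory lookup and rejects the wrong kind of GUID.
assign_reader() {
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role Reader --scope "$2"
}

main() {
  show_ids "$APP_ID"
  sp_object_id=$(az ad sp show --id "$APP_ID" --query id --output tsv)
  assign_reader "$sp_object_id" \
    "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
}

# Only touches Azure when explicitly asked, so the helpers can be sourced safely.
if [ "${RUN_ID_DEMO:-0}" = 1 ]; then main; fi
```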
Key Concepts
A service principal in Azure is an identity created for an application or a service, allowing it to interact with Azure resources securely.
This identity is used to authenticate and authorize the application to perform specific actions within Azure.
A service principal can be thought of as a user account for an application, with its own set of permissions and access rights.
It's often used to grant access to Azure resources, such as storage accounts, virtual machines, and databases.
A service principal can be created using the Azure portal, Azure CLI, or Azure PowerShell.
By default, a service principal has a client ID, client secret, and tenant ID, which are used for authentication and authorization.
These values can be used to authenticate the application to Azure using various authentication protocols, such as OAuth and Active Directory Federation Services (ADFS).
Using Azure Principals
You can create and manage Service Principals using Azure portal, Azure CLI, Azure PowerShell, or Azure SDKs.
Service Principals can be used when a service or application needs access to Azure resources without requiring user interactions, eliminating the need for a "fake" user within your Active Directory environment.
To create a Service Principal, you can use the Azure portal, Azure CLI, or Azure PowerShell, and assign a role such as Contributor or Reader to restrict permissions.
Here are the two types of Managed Identities:
- System-assigned managed identities are tied to a specific Azure resource and are deleted when that resource is deleted.
- User-assigned managed identities can be created and managed separately from Azure resources, and can be deleted or updated without impacting the resources that use them.
Azure Managed Identities
Azure Managed Identities are a game-changer for simplifying identity management in Azure. They are similar to Azure Service Principals but remove the need to create and manage a Service Principal.
Azure Managed Identities are automatically created for you, which means you don't have to worry about setting them up or managing them. This is a huge time-saver, especially for large enterprises with complex Azure setups.
There are two types of Managed Identities: system-assigned and user-assigned. System-assigned managed identities are tied to a specific Azure resource, while user-assigned managed identities are created and managed separately from any Azure resources that use them.
A system-assigned managed identity is deleted when the Azure resource it's tied to is deleted. This is a key difference between system-assigned and user-assigned managed identities.
Here's a quick rundown of the two types of Managed Identities:
- System-assigned: created as part of a specific Azure resource, such as a VM, and removed together with it.
- User-assigned: often used where a single identity needs to access multiple resources across multiple subscriptions, or where multiple applications or services need to access the same set of resources. This makes them a great option for large-scale Azure deployments.
Parameters
Azure Principals use a hierarchical structure that allows for efficient management of access and permissions across your Azure resources.
Scopes are the foundation of this structure, and they can be assigned at various levels, such as subscriptions, resource groups, or even individual resources.
A scope can have multiple child scopes, which inherit the permissions of their parent scope.
Azure Principals use a concept called "role definitions" to define the permissions and actions that a Principal can perform.
Role definitions can be assigned to Principals at different scopes, allowing for fine-grained control over access and permissions.
The built-in role definitions in Azure include roles such as "Contributor" and "Reader", which can be assigned to Principals for specific tasks.
Using Client ID in Azure DevOps
Using Client ID in Azure DevOps is a straightforward process. You'll need to use the Client ID, also known as appId, for setup.
In Azure DevOps, you'll be presented with a form that includes a field labeled "Service Principal Id" with a subtitle "Client Id" below it. This is where you'll find the Client ID you need to use.
The Client ID is a critical piece of information for setting up a new Service Connection in Azure DevOps. It's essential to get it right to avoid any issues.
Frequently Asked Questions
Where is the Azure service principal?
Find the Azure service principal in App Registrations under Azure Active Directory, where it's listed by its application ID.
What is the difference between user account and service principal in Azure?
In Azure, a user account represents a person, while a service principal is an app registration that doesn't require a license. This distinction affects how you manage and authenticate access in your Azure tenant.
What is spn in Azure DevOps?
In Azure DevOps, a Service Principal Name (SPN) is a unique identifier for a service principal, which is a security object that defines an application's permissions and access to Azure resources. This SPN is used to authenticate and authorize the application's interactions with Azure services.
What is the difference between service principal and service account in Azure?
In Azure, a service principal is an app registration, whereas a service account is a regular user, with the key difference being that service principal doesn't require a license. This distinction is crucial for managing access and costs in your Azure tenant.