Creating password-based ServicePrincipal using CLI with ease
Sharing my way of creating a password-based ServicePrincipal in Azure from the CLI, so that you can carry on scripting and testing in the current terminal session without losing the identity and its password.
Of course, you can also store the generated password somewhere safe and keep using the ServicePrincipal account for automation tasks.
These are small snippets that make that easy.
Creating an Azure ServicePrincipal
This is how to create a password-based ServicePrincipal account in Azure. You can use either the Azure CLI (AzCLI) or PowerShell with the Az PowerShell module.
AzCLI
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Create password-based ServicePrincipal" ;
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Log in as Azure global administrator" ;
az login ;
# The display name must be exported in its own statement: the command
# substitutions below are expanded before a single export runs, so they
# would otherwise see an empty $service_principal_display_name.
export service_principal_display_name='sp-cli' ;
# Without --role/--scopes, older CLI versions assign Contributor on the
# whole subscription; pass both to keep the principal least-privileged.
export \
    password=$(az ad sp create-for-rbac \
        --name "$service_principal_display_name" \
        --query 'password' \
        --output 'tsv') \
    \
    app_id=$(az ad sp show \
        --id "http://$service_principal_display_name" \
        --query 'appId' \
        --output 'tsv') \
    \
    tenant_id=$(az ad sp show \
        --id "http://$service_principal_display_name" \
        --query 'appOwnerTenantId' \
        --output 'tsv') ;
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Log out Azure global administrator" ;
az logout ;
# Quote every value: a generated password can contain shell metacharacters.
if [ "$(az login \
        --service-principal \
        --username "$app_id" \
        --password "$password" \
        --tenant "$tenant_id" \
        --query '[0].tenantId' \
        --output 'tsv')" = "$tenant_id" ] ;
then \
    echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
        "ServicePrincipal password-based creation succeeded." ;
    echo "# Please remember to copy the password and keep it safe." ;
    echo "AppId: $app_id" ;
    echo "DisplayName: $service_principal_display_name" ;
    export \
        service_principal_name="http://$service_principal_display_name" ;
    echo "Name: $service_principal_name" ;
    echo "Password: $password" ;
    echo "TenantId: $tenant_id" ;
else \
    echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
        "ServicePrincipal password-based creation failed." ;
fi ;
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Display current session login user detail." ;
az account show \
    --query user \
    --output tsv ;
# Do something using ServicePrincipal account privileges
PowerShell
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Create password-based ServicePrincipal") ;
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Log in as Azure global administrator") ;
Connect-AzAccount ;
$ServicePrincipalDisplayName = "sp-cli" ;
$TenantId = (Get-AzContext).Tenant.Id ;
$ServicePrincipal = New-AzADServicePrincipal `
    -DisplayName $ServicePrincipalDisplayName ;
# Az.Resources releases built on Microsoft Graph (5.x and later) expose the
# secret as $ServicePrincipal.PasswordCredentials.SecretText instead of .Secret,
# and the application id as .AppId instead of .ApplicationId.
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto( `
    [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR( `
        $ServicePrincipal.Secret)) ;
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Log out Azure global administrator") ;
Logout-AzAccount ;
if($(Connect-AzAccount `
        -ServicePrincipal `
        -Credential $(New-Object `
            -TypeName "System.Management.Automation.PSCredential" `
            -ArgumentList ("$($ServicePrincipal.ApplicationId)", `
                (ConvertTo-SecureString `
                    -String "$($Password)" `
                    -AsPlainText `
                    -Force))) `
        -Tenant "$($TenantId)" `
        -Force).Context.Account.Id -eq $ServicePrincipal.ApplicationId) `
{ `
    Write-Host $("{0}{1}" `
        -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
           "ServicePrincipal password-based creation succeeded.") ;
    Write-Host "# Please remember to copy the password and keep it safe." ;
    Write-Host "AppId: $($ServicePrincipal.ApplicationId)" ;
    Write-Host "DisplayName: $($ServicePrincipalDisplayName)" ;
    Write-Host "Name: $($ServicePrincipal.ServicePrincipalNames[1])" ;
    Write-Host "Password: $($Password)" ;
    Write-Host "TenantId: $($TenantId)" ;
} `
else `
{ `
    Write-Host $("{0}{1}" `
        -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
           "ServicePrincipal password-based creation failed.") ;
} ;
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Display current session login user detail.") ;
$(Get-AzContext).Account `
    | Select-Object `
        -Property `
            Id, `
            Type ;
# Do something using ServicePrincipal account privileges
Removing Azure ServicePrincipal
This is how to remove the password-based ServicePrincipal account in Azure. You can use either the Azure CLI (AzCLI) or PowerShell with the Az PowerShell module.
AzCLI
# After doing something using ServicePrincipal account privileges
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Remove password-based ServicePrincipal" ;
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Log in as Azure global administrator" ;
az login ;
# $app_id and $service_principal_display_name come from the creation step
# above and survive only in the same terminal session.
if [ "$(az ad sp show \
        --id "http://$service_principal_display_name" \
        --query 'appId' \
        --output 'tsv')" = "$app_id" ] ;
then \
    echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
        "ServicePrincipal Application Id ($app_id) found." ;
    echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
        "Deleting ServicePrincipal" ;
    az ad sp delete \
        --id "$app_id" ;
else \
    echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
        "ServicePrincipal Application Id ($app_id) not found." ;
fi ;
echo "# $(date '+%Y-%m-%d %H:%M:%S %z') -" \
    "Log out Azure global administrator" ;
az logout ;
PowerShell
# After doing something using ServicePrincipal account privileges
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Remove password-based ServicePrincipal") ;
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Log in as Azure global administrator") ;
Connect-AzAccount ;
if($(Get-AzADServicePrincipal `
        -DisplayName $ServicePrincipalDisplayName).ApplicationId `
    -eq `
    $ServicePrincipal.ApplicationId) `
{ `
    Write-Host $("{0}{1}" `
        -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
           "ServicePrincipal Application Id ($($ServicePrincipal.ApplicationId)) found.") ;
    Write-Host $("{0}{1}" `
        -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
           "Deleting ServicePrincipal") ;
    Remove-AzADServicePrincipal `
        -ApplicationId $ServicePrincipal.ApplicationId `
        -Force ;
} `
else `
{ `
    Write-Host $("{0}{1}" `
        -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
           "ServicePrincipal Application Id ($($ServicePrincipal.ApplicationId)) not found.") ;
} ;
Write-Host $("{0}{1}" `
    -f "# $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz') - ", `
       "Log out Azure global administrator") ;
Logout-AzAccount `
    | Out-Null ;
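The AzCLI creation, verification and removal steps above, rewritten as an added example that is not code from the original post: the same `az` commands wrapped in functions that keep the secret out of the terminal, quote every value, delete by appId, and ask for an explicit role and scope. It assumes `az` is on PATH and an administrator session already exists; the `AZ` variable, the function names and the Reader-on-one-resource-group default are my choices, not anything the post prescribes.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the create / verify / delete
# flow above as shell functions, with the points a reviewer would raise fixed.
# Assumes the Azure CLI is on PATH as `az` and that an administrator session
# already exists (az login); "$AZ" lets an offline test substitute a stub.
set -eu
AZ="${AZ:-az}"

# Create a password-based service principal with an explicit role and scope.
# Older CLI versions silently granted Contributor on the whole subscription
# when neither was given; Reader on one resource group is the safer default.
# The secret only ever lands in SP_PASSWORD; nothing is echoed to the terminal.
sp_create() {
    out="$("$AZ" ad sp create-for-rbac --name "$1" --role "${3:-Reader}" \
        --scopes "$2" --query '{a:appId, t:tenant, p:password}' --output tsv)"
    read -r SP_APP_ID SP_TENANT_ID SP_PASSWORD <<EOF
$out
EOF
    [ -n "$SP_PASSWORD" ]
}

# Log in as the service principal and confirm the tenant we land in is the one
# we expected. Every value is quoted, so a secret containing shell
# metacharacters cannot break the command line the way an unquoted one can.
sp_verify() {
    got="$("$AZ" login --service-principal --username "$1" --password "$3" \
              --tenant "$2" --query '[0].tenantId' --output tsv)" || return 1
    [ "$got" = "$2" ]
}

# Remove by appId, which is stable, instead of the http://<name> alias that
# newer CLI versions no longer resolve, and confirm it is really gone.
sp_delete() {
    "$AZ" ad sp delete --id "$1" >/dev/null
    ! "$AZ" ad sp show --id "$1" >/dev/null 2>&1
}

# Typical session (run by hand, nothing executes on load):
#   sp_create sp-cli "/subscriptions/<sub-id>/resourceGroups/<rg>"
#   sp_verify "$SP_APP_ID" "$SP_TENANT_ID" "$SP_PASSWORD" && echo verified
#   ... work as the service principal, then: az logout ; az login ...
#   sp_delete "$SP_APP_ID" && unset SP_PASSWORD
```

The placeholders `<sub-id>` and `<rg>` in the usage comment are to be replaced with your own subscription id and resource group; `sp_delete` needs the administrator session back, exactly as the post's removal step does.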