
Service principals for applications in Azure - Commands & Configuration

Introduction
When an application needs to access Azure resources, it authenticates as a service principal: an identity in the Microsoft Entra tenant, with its own credential and its own role assignments, so the app can work without a user signing in. (For workloads that run inside Azure, a managed identity is the same kind of principal with the credential handled by the platform, and is the better choice when available.) Typical cases:
An app must reach Azure resources automatically, with no user interaction.
Automated scripts or services need to manage Azure resources.
You want to control and limit exactly what an app is allowed to do in your environment.
A third-party app needs permission to your Azure resources.
A CI/CD pipeline deploys or manages Azure infrastructure.
Commands
This command creates an application registration, its service principal (display name 'my-app-sp'), a password credential, and a Contributor role assignment on the specified subscription. Contributor at subscription scope lets the app create, change and delete almost any resource in that subscription; narrow the role and the scope to what the app actually needs.
Terminal
az ad sp create-for-rbac --name my-app-sp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000
Expected output
{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "my-app-sp",
  "name": "http://my-app-sp",
  "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenant": "22222222-2222-2222-2222-222222222222"
}
The password is displayed only in this output and cannot be retrieved afterwards, so capture it here and store it securely (the name field appears only in older CLI versions).
--name - Sets the name of the service principal.
--role - Assigns a role to the service principal for permissions.
--scopes - Defines the scope where the role applies, like a subscription.
This command lists service principals whose display name is 'my-app-sp', to verify that it was created successfully. Display names are not unique, so check the appId in the result against the one returned at creation.
Terminal
az ad sp list --display-name my-app-sp
Expected output
[
  {
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "my-app-sp",
    "objectId": "33333333-3333-3333-3333-333333333333",
    "servicePrincipalType": "Application"
  }
]
CLI versions that use Microsoft Graph return the object id in a field named id rather than objectId.
--display-name - Filters the list by the service principal's name.
This command deletes the service principal when it is no longer needed. Deleting the principal does not remove its role assignments, which are left behind pointing at an identity that no longer exists; remove them with az role assignment delete --assignee <appId> as part of the cleanup.
Terminal
az ad sp delete --id 11111111-1111-1111-1111-111111111111
Expected output
No output (command runs silently)
--id - Identifies the service principal to delete: its appId (the service principal name) or its object id.
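The three commands above form one lifecycle: create, verify, delete. The following script is an added example, not code from the original page, that runs that lifecycle the way a practitioner would: it refuses any scope broader than a subscription or resource group, grants Reader on a single resource group instead of Contributor on the subscription, keeps the one-time password out of logs by parking it in Key Vault, proves the identity works by logging in with it in an isolated CLI profile (AZURE_CONFIG_DIR), and removes the role assignment before deleting the principal. The subscription id, resource group, vault name and the helper names validate_scope, json_field and sp_lifecycle are assumptions for the example; an existing Key Vault the caller can write to is also assumed. The helpers run without Azure; the az calls run only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not from the original page): least-privilege service
# principal lifecycle with the az CLI. Hypothetical values are marked.
set -eu

# Accept only a subscription scope or a resource-group scope. Root ("/"),
# management groups and malformed ids are rejected before anything is created.
validate_scope() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(/resourceGroups/[A-Za-z0-9._()-]+)?$'
}

# Pull one top-level string field out of the flat JSON that
# az ad sp create-for-rbac prints (key in $1, JSON text in $2).
# Deliberately minimal; use --query or jq for anything nested.
json_field() {
  printf '%s\n' "$2" | tr '\n' ' ' | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

sp_lifecycle() {
  SUB_ID="00000000-0000-0000-0000-000000000000"   # hypothetical subscription
  RG="rg-myapp-prod"                               # hypothetical resource group
  VAULT="kv-myapp-prod"                            # hypothetical, must exist
  SP_NAME="my-app-sp"
  SCOPE="/subscriptions/$SUB_ID/resourceGroups/$RG"

  validate_scope "$SCOPE" || { echo "refusing broad or invalid scope: $SCOPE" >&2; return 1; }

  # Least privilege: Reader on one resource group. Capture the JSON once;
  # the password is only ever shown here and cannot be retrieved later.
  CREATED=$(az ad sp create-for-rbac --name "$SP_NAME" --role Reader \
              --scopes "$SCOPE" --output json)
  APP_ID=$(json_field appId "$CREATED")
  TENANT=$(json_field tenant "$CREATED")
  SECRET=$(json_field password "$CREATED")
  unset CREATED

  # Store the secret in Key Vault rather than in a file, env var or pipeline log.
  az keyvault secret set --vault-name "$VAULT" --name "$SP_NAME-secret" \
     --value "$SECRET" --output none

  # Verify the identity in a throwaway CLI profile so the operator's own
  # session (which still needs Owner rights for the cleanup) is untouched.
  PROFILE=$(mktemp -d)
  AZURE_CONFIG_DIR="$PROFILE" az login --service-principal \
     --username "$APP_ID" --password "$SECRET" --tenant "$TENANT" --output none
  AZURE_CONFIG_DIR="$PROFILE" az account show --query id --output tsv
  unset SECRET
  rm -rf "$PROFILE"

  # Cleanup: role assignments survive principal deletion, so drop them first,
  # then delete the principal by appId.
  az role assignment delete --assignee "$APP_ID" --scope "$SCOPE"
  az ad sp delete --id "$APP_ID"
}

if [ "${1:-}" = "run" ]; then
  sp_lifecycle
fi
```

Run it as sh sp-lifecycle.sh run from a session that can assign roles on the target resource group. The scope check is the part most worth keeping even if the rest is adapted: a typo that drops the resourceGroups segment silently widens the grant to the whole subscription, and this catches it before the principal exists.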
Key Concept

If you remember nothing else from this pattern, remember: a service principal is a secure identity for an app to access Azure resources without a user.

Common Mistakes
Mistake: not specifying the correct scope when creating the service principal.
Why it matters: the principal either lacks permissions where they are needed, causing failures, or gets them far more widely than intended.
Fix: always set --scopes to the exact subscription or resource group the app needs, and pair it with the least-privileged role that does the job rather than Contributor by default.
Mistake: sharing the service principal password in source code, pipeline logs, chat or other unsecured places.
Why it matters: anyone holding the password can act as the app, with every permission it has been granted.
Fix: keep the password in secure storage such as Azure Key Vault, rotate it, and where the platform supports it prefer a certificate or federated credential (for example for CI/CD runners) so there is no long-lived secret to leak.
Mistake: not deleting unused service principals.
Why it matters: every unused principal is a standing identity with live permissions and a credential nobody is watching.
Fix: review service principals and their role assignments regularly, and delete both the principal and its role assignments when they are no longer needed.
Summary
Create a service principal with az ad sp create-for-rbac, scoped and roled to the minimum the app needs.
Verify the service principal exists with az ad sp list --display-name and confirm its appId.
Delete the service principal with az ad sp delete when it is no longer needed, and remove its role assignments as well.