Register Service Principals
  • Updated on 28 Mar 2019
  • 5 minutes to read

A Service Principal is an application within Azure Active Directory that is authorized to access resources or a resource group in Azure. Serverless360 uses the authentication tokens of the Service Principal to manage those resources.

To know more about Service Principals, read:
Application and service principal objects in Azure Active Directory (Azure AD)
What are service principals and where do they come from?

The first step to get started with your account in Serverless360 after sign-up is associating a Service Principal. Serverless360 needs access to manage resources through Azure Resource Manager in Azure Stack; this is achieved by associating an Azure Service Principal that has the necessary permissions.

You can assign permissions to the service principal that are different from your own Azure account permissions. Typically, these permissions are restricted to exactly what Serverless360 is allowed to do.

This involves the following required steps:

  1. Create a Service Principal
  2. Authorize Service Principal from Azure Portal and provide 'Contributor' access on the resource group to manage
  3. Register Service Principal in Serverless360

In order to associate the Service Principal with Serverless360, you will need the following values:

  1. Subscription ID - The Subscription ID of the Azure Subscription in which the resource group / resource exists
  2. Tenant ID - The Azure Active Directory ID
  3. Client ID - The ID of the Service Principal object / App registered with the Active Directory
  4. Client Secret - The authentication password key for this Service Principal

The rest of this document will help you collect the values mentioned above.
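As an added example (not Serverless360's own code and not part of the original page), the following Python script sanity-checks the four values listed above before you register them and shows how a client such as Serverless360 turns them into an Azure Resource Manager token: it validates the three IDs as GUIDs, reads the secret from the environment rather than hard-coding it (the key is shown only once when it is created, so it should be handled like a password), and assembles the OAuth2 client-credentials request to the Azure AD token endpoint. The environment variable names and the sample IDs are constructed for the example; `request_token` performs a real network call and is only needed when you want to confirm the credentials end to end.

```python
import json
import os
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Azure AD issues tenant, subscription and application (client) IDs as GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Azure AD (v1) token endpoint and the Azure Resource Manager audience.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"


@dataclass(frozen=True)
class ServicePrincipalConfig:
    subscription_id: str
    tenant_id: str
    client_id: str
    client_secret: str


def validate_config(cfg: ServicePrincipalConfig) -> list:
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for name in ("subscription_id", "tenant_id", "client_id"):
        value = getattr(cfg, name)
        if not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID: {value!r}")
    if not cfg.client_secret:
        problems.append("client_secret is empty (the key is shown only once when created)")
    elif GUID_RE.match(cfg.client_secret):
        # Common mix-up: pasting the Application ID into the secret field.
        problems.append("client_secret looks like a GUID, not a key value")
    return problems


def load_config_from_env() -> ServicePrincipalConfig:
    """Read the four values from the environment so the secret is never stored
    in source code. The variable names are hypothetical."""
    return ServicePrincipalConfig(
        subscription_id=os.environ["AZURE_SUBSCRIPTION_ID"],
        tenant_id=os.environ["AZURE_TENANT_ID"],
        client_id=os.environ["AZURE_CLIENT_ID"],
        client_secret=os.environ["AZURE_CLIENT_SECRET"],
    )


def build_token_request(cfg: ServicePrincipalConfig) -> tuple:
    """Assemble the OAuth2 client-credentials request for an ARM token.
    Returns (url, form_fields) without sending anything."""
    url = TOKEN_URL.format(tenant=cfg.tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "resource": ARM_RESOURCE,
    }
    return url, form


def request_token(cfg: ServicePrincipalConfig) -> str:
    """Send the token request (needs network access) and return the access token."""
    url, form = build_token_request(cfg)
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


# Constructed sample values; none of these are real identifiers.
SAMPLE = ServicePrincipalConfig(
    subscription_id="11111111-2222-3333-4444-555555555555",
    tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    client_id="01234567-89ab-cdef-0123-456789abcdef",
    client_secret="constructed-secret-value",
)

if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE))
    print("token endpoint:", build_token_request(SAMPLE)[0])
```

Run `validate_config` on the values you collected before pasting them into Serverless360; a GUID in the secret field or a non-GUID tenant ID is the usual cause of a registration that fails with an authentication error.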

Get Azure Tenant Id

In Azure Active Directory (Azure AD), a tenant represents an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft Azure account. Each Azure AD tenant is distinct and separate from other Azure AD tenants.

To get the Azure Tenant ID:

  1. Navigate to 'Dashboard' in the Azure portal
  2. In the portal, navigate to the ‘Azure Active Directory’ tab in the left side menu
  3. Click the 'Properties' tab under the Manage section
  4. Click the Copy icon against the 'Directory ID' to get the Azure Tenant ID

[Image: Tenant id.jpg]

Create a Service Principal

  1. Select Azure Active Directory and click 'App registrations'
  2. Click on the 'New Application Registration' link – this opens a new blade to enter the service principal details
  3. Enter a name for the Service Principal, keep the Application Type at its default (Web App / API), and in the 'Sign-on URL' field enter any URL, for example http://localhost
  4. Once the Service Principal is created successfully, it will be listed in the App Registration grid

Get Client ID and Client Secret

Client ID is a 16-character string that represents the application. To get the Client ID:

  1. Click on the Service Principal > Copy the 'Application ID' from Essentials window. This is your 'Client ID'.

[Image: Client ID.png]

A secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. To get the Client Secret:

  1. Click on 'Keys' under API Access in the Settings blade, create a key and provide a name for it. Select when it should expire and click on 'Save'.
  2. Once saved, it will show you the 'Client Secret'. This key is displayed only once, so copy the value now.

[Image: Client Secret.png]

Authorize Service Principal from Azure Portal and Provide 'Contributor' access on the resource group to manage

To access the resources in your subscription, you must assign the application to a role. The right permissions for each role are defined based on different use cases.

You can set the scope at the level of the subscription, resource group, or resource.

Permissions are inherited by lower levels of scope. For example, you can add an application to the Contributor / Owner role for a resource group. This means it can access the resource group and any resources it contains.

To authorize the service principal to access a resource group:

  1. Navigate to the Resource Group / Resource and click “Access Control (IAM)”. The blade lists all the accounts that are authorized to access the selected Resource Group.
  2. Add a new permission for the created Service Principal: click the “Add” button at the top left of this blade, then select a role and an app. Please refer to the image below.
  3. In the Role drop-down you will find many pre-defined roles scoped to specific resource types / resources with different permissions, like Reader, Manager etc.
  4. Select “Contributor” from the list.

Why does Serverless360 need 'Contributor' access for the Service Principal?
Serverless360 manages and monitors Azure Serverless Applications. To do this it needs to access the entities in your subscription and perform operations on them, and the permission required for these capabilities is ‘Contributor’ access. Please refer to this Microsoft documentation.

  5. In the next input, type the name of the service principal. It lists the service principals and users matching the given name; you can select more than one Service Principal/User here. Select the desired Service Principal’s name and click “Save”.

[Image: authorize sp.png]

  6. In a few seconds the portal will notify you that the user has been added and can perform the operations with the allowed permissions.
     It may take some time for the above configuration to take effect.
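The scope inheritance described above is easy to get wrong: a role granted at the subscription level also applies to every resource group beneath it, so a check that only looks for "Contributor on the resource group" can miss a much wider grant. As an added example that is not part of the original page or of Serverless360, the Python script below audits a list of role assignments for the service principal, confirming Contributor on exactly the intended resource group and flagging grants that are broader (Owner, or a parent scope) or that fall outside it. The assignment list is a constructed sample shaped like the JSON from `az role assignment list --all` (field names assumed from that command); the subscription ID and principal names are placeholders.

```python
import json

# Constructed sample in the shape of `az role assignment list --all` output.
# Field names are assumed from that command; every ID and name is a placeholder.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "serverless360-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod"},
  {"principalName": "serverless360-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
  {"principalName": "serverless360-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-other"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod"}
]
"""

# The one resource group Serverless360 is meant to manage (placeholder value).
WANTED_SCOPE = "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod"


def load_assignments(text: str) -> list:
    """Parse the JSON array of role assignments."""
    return json.loads(text)


def scope_segments(scope: str) -> list:
    """Split an ARM scope path into lowercase, '/'-separated segments."""
    return [s for s in scope.lower().split("/") if s]


def scope_covers(granted: str, wanted: str) -> bool:
    """True when a grant at `granted` is inherited by `wanted`: ARM scopes are
    paths, and a role at a parent (e.g. the subscription) applies to every
    resource group and resource beneath it. Segment comparison avoids the
    string-prefix trap where 'rg-prod' would appear to cover 'rg-prod2'."""
    g, w = scope_segments(granted), scope_segments(wanted)
    return w[: len(g)] == g


def audit_service_principal(assignments: list, principal_name: str, wanted_scope: str) -> tuple:
    """Check that `principal_name` holds Contributor on exactly `wanted_scope`.
    Returns (has_access, findings); findings describe grants that are wider
    than that or that fall outside the intended resource group."""
    has_access = False
    findings = []
    for a in assignments:
        if a["principalName"] != principal_name:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        exact = scope_segments(scope) == scope_segments(wanted_scope)
        if role == "Contributor" and exact:
            has_access = True
        elif scope_covers(scope, wanted_scope) and role in ("Owner", "Contributor"):
            # Inherited from a parent scope, or Owner (which can also change access).
            has_access = True
            findings.append(f"{role} at {scope} is broader than Contributor on {wanted_scope}")
        elif not scope_covers(scope, wanted_scope):
            findings.append(f"{role} at {scope} is outside the intended resource group")
    return has_access, findings


if __name__ == "__main__":
    ok, notes = audit_service_principal(
        load_assignments(SAMPLE_ASSIGNMENTS_JSON), "serverless360-sp", WANTED_SCOPE
    )
    print("contributor on intended scope:", ok)
    for note in notes:
        print("finding:", note)
```

Replace the sample with the real output of the CLI command for your service principal and re-run the audit after the portal confirms the assignment; an empty findings list together with `has_access == True` is the state described in the steps above.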

We have simplified the steps here for your ease. For more information, read:
Use portal to create an Azure Active Directory application and service principal that can access resources

Get Subscription ID

The subscription ID is a GUID that uniquely identifies your subscription to use Azure services.

Get the ID of the subscription which contains the resource group / resource to which you have authorized the Service Principal in the above steps.

Here is a quick step-by-step guide to getting your Subscription ID from the new Azure Portal.

  1. Browse to https://portal.azure.com and Sign into your account.
  2. In the portal, navigate to the ‘Subscriptions’ tab in the left side menu. If the tab is not visible, then click on the ‘More services’ tab to find it.
  3. The Subscriptions blade lists all your subscriptions; copy the ID from the ‘Subscription ID’ column.

[Image: Subscription ID.jpg]

Registering Service Principals

The following illustration helps you register a Service Principal in Serverless360 once all the above steps are completed. A Friendly Name helps you identify a service principal in Serverless360 if you register many.

Associate multiple subscriptions with single Service Principal
If you are using the same Service Principal to authorize entities from different subscriptions, the Service Principal should be associated multiple times in Serverless360, once with each subscription ID and with a different friendly name each time.

Guide to register Service Principal in Serverless360
