MicrosoftDocs
diff --git a/‎articles/openshift/howto-create-service-principal.md
Lines changed: 36 additions & 56 deletions b/‎articles/openshift/howto-create-service-principal.md
Lines changed: 36 additions & 56 deletions
diff --git a/‎articles/openshift/media/authentication-openshift-sp.png
104 KB b/‎articles/openshift/media/authentication-openshift-sp.png
104 KB
diff --git a/‎articles/openshift/media/basics-openshift-sp.png
56.6 KB b/‎articles/openshift/media/basics-openshift-sp.png
56.6 KB
diff --git a/‎articles/openshift/media/openshift-service-principal-portal.png
0 Bytes b/‎articles/openshift/media/openshift-service-principal-portal.png
0 Bytes
@@ -18,55 +18,34 @@ To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires an Azur
 
 This article explains how to create and use a service principal for your Azure Red Hat OpenShift clusters using the Azure command-line interface (Azure CLI) or the Azure portal.
 
-## Before you begin  
-
-The user creating an Azure AD service principal must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. You need **User Access Administrator** and **Contributor** permissions at the resource-group level to create service principals.
-
-Use the following Azure CLI command to add these permissions.
-
-```azurecli-interactive
-az role assignment create \
-    --role 'User Access Administrator' \
-    --assignee-object-id $SP_OBJECT_ID \ 
-    --resource-group $RESOURCEGROUP \
-    --assignee-principal-type 'ServicePrincipal'
-
-az role assignment create \
-    --role 'Contributor' \
-    --assignee-object-id $SP_OBJECT_ID \
-    --resource-group $RESOURCEGROUP \
-    --assignee-principal-type 'ServicePrincipal'
-```
-
-If you don't have the required permissions, you can ask your Azure AD or subscription administrator to assign them. Alternatively, your Azure AD or subscription administrator can create a service principal in advance for you to use with the Azure Red Hat OpenShift cluster. 
-
-If you're using a service principal from a different Azure AD tenant, there are more considerations regarding the permissions available when you deploy the cluster. For example, you may not have the appropriate permissions to read and write directory information. 
-
-For more information on user roles and permissions, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
-
 > [!NOTE]
 > Service principals expire in one year unless configured for longer periods. For information on extending your service principal expiration period, see [Rotate service principal credentials for your Azure Red Hat OpenShift (ARO) Cluster](howto-service-principal-credential-rotation.md).
 
 ::: zone pivot="aro-azurecli"
 
 ## Create a service principal with Azure CLI
 
-The following sections explain how to use the Azure CLI to create a service principal for your Azure Red Hat OpenShift cluster.
+The following sections explain how to use the Azure CLI to create a service principal for your Azure Red Hat OpenShift cluster 
 
 ## Prerequisite
 
 If you’re using the Azure CLI, you’ll need Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
 
+## Create a resource group
 
-## Create a service principal - Azure CLI
+```azurecli-interactive
+AZ_RG=$(az group create -n test-aro-rg -l eastus2 --query name -o tsv)
+```
 
- To create a service principal with the Azure CLI, run the `az ad sp create-for-rbac` command. 
+## Create a service principal - Azure CLI
 
-> [!NOTE]
-> When using a service principal to create a new cluster, you may need to assign a Contributor role here. 
+ To create a service principal with the Azure CLI, run the following command.
 
-```azure-cli
-az ad sp create-for-rbac --name myAROClusterServicePrincipal 
+```azurecli-interactive
+# Get Azure subscription ID
+AZ_SUB_ID=$(az account show --query id -o tsv) 
+# Create a service principal with contributor role and scoped to the ARO resource group 
+az ad sp create-for-rbac -n "test-aro-SP" --role contributor --scopes "/subscriptions/${AZ_SUB_ID}/resourceGroups/${AZ_RG}"
 ```
 
 The output is similar to the following example.
@@ -80,26 +59,21 @@ The output is similar to the following example.
 
   "name": "http://myAROClusterServicePrincipal", 
 
-  "password": "", 
+  "password": "yourpassword", 
 
-  "tenant": "" 
+  "tenant": "yourtenantname" t
 
 }
 ``` 
 
 Retain your `appId` and `password`. These values are used when you create an Azure Red Hat OpenShift cluster below. 
+ 
+> [!NOTE]
+> This service principal only allows a contributor over the resource group the ARO cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well. 
 
-## Grant permissions to the service principal - Azure CLI
-
-Grant permissions to an existing service principal with Azure CLI, as shown in the following command.
+For more information, see [Manage service principal roles](/cli/azure/create-an-azure-service-principal-azure-cli#3-manage-service-principal-roles).
 
-```azurecli-interactive
-az role assignment create \
-    --role 'Contributor' \
-    --assignee-object-id $SP_OBJECT_ID \ 
-    --resource-group $RESOURCEGROUP \
-    --assignee-principal-type 'ServicePrincipal'
-```
+To grant permissions to an existing service principal with the Azure portal, see [Create an Azure AD app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md#configure-access-policies-on-resources).
 
 ## Use the service principal to create a cluster - Azure CLI
 
@@ -128,21 +102,17 @@ az aro create \
 
 The following sections explain how to use the Azure portal to create a service principal for your Azure Red Hat OpenShift cluster.
 
-## Create a service principal - Azure portal
+## Create a service principal - Azure portal 
 
-To create a service principal using the Azure portal, see [Create an Azure AD app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md).
-
-## Grant permissions to the service principal - Azure portal
-
-To grant permissions to an existing service principal with the Azure portal, see [Create an Azure AD app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md#configure-access-policies-on-resources).
+To create a service principal using the Azure portal, complete the following steps.
 
-## Use the service principal - Azure portal
+1. On the Create Azure Red Hat OpenShift **Basics** tab, create a resource group for your subscription, as shown in the following example.
 
-When deploying an Azure Red Hat OpenShift cluster using the Azure portal, configure the service principal on the **Authentication** page of the **Azure Red Hat OpenShift** dialog.
+   :::image type="content" source="./media/basics-openshift-sp.png" alt-text="Screenshot that shows how to use the Azure Red Hat service principal with Azure portal to create a cluster." lightbox="./media/basics-openshift-sp.png":::
 
-:::image type="content" source="./media/openshift-service-principal-portal.png" alt-text="Screenshot that shows how to use the Azure Red Hat service principal with Azure portal to create a cluster." lightbox="./media/openshift-service-principal-portal.png":::
+2. Click **Next: Authentication** to configure and deploy the service principal on the **Authentication** page of the **Azure Red Hat OpenShift** dialog.
 
-Specify the following values, and then select **Review + Create**.
+     :::image type="content" source="./media/openshift-service-principal-portal.png" alt-text="Screenshot that shows how to use the Authentication tab with Azure portal to create a service principal." lightbox="./media/openshift-service-principal-portal.png":::
 
 In the **Service principal information** section:
 
@@ -151,5 +121,15 @@ In the **Service principal information** section:
 
 In the **Cluster pull secret** section:
 
-- **Pull secret** is your cluster's pull secret's decrypted value.
+- **Pull secret** is your cluster's pull secret's decrypted value. If you don't have a pull secret, leave this field blank.
+
+After completing this tab, select **Next: Networking** to continue creating your cluster. Select **Review + Create** when you complete the remaining tabs.
+
+> [!NOTE]
+> This service principal only allows a contributor over the resource group the Azure Red Hat OpenShift cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well.
+
+## Grant permissions to the service principal - Azure portal
+
+To grant permissions to an existing service principal with the Azure portal, see [Create an Azure AD app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md#configure-access-policies-on-resources).
+
 ::: zone-end