Merge pull request #231843 from rpsqrd/docs-editor/onboard-service-principal-1679581037

v-dirichards · web-flow · commit 6588dd75345f · 2023-03-23T10:11:48.000-05:00
Update onboard-service-principal.md
diff --git a/articles/azure-arc/servers/onboard-service-principal.md b/articles/azure-arc/servers/onboard-service-principal.md
@@ -53,41 +53,28 @@ The Azure Arc service in the Azure portal provides a streamlined way to create a
 
 You can use [Azure PowerShell](/powershell/azure/install-az-ps) to create a service principal with the [New-AzADServicePrincipal](/powershell/module/Az.Resources/New-AzADServicePrincipal) cmdlet.
 
-1. Run the following command. You must store the output of the [`New-AzADServicePrincipal`](/powershell/module/az.resources/new-azadserviceprincipal) cmdlet in a variable, or you will not be able to retrieve the password needed in a later step.
-
+1. Check the context of your Azure PowerShell session to ensure you're working in the correct subscription. Use [Set-AzContext](/powershell/module/az.accounts/set-azcontext) if you need to change the subscription.
+    
     ```azurepowershell-interactive
-    $sp = New-AzADServicePrincipal -DisplayName "Arc-for-servers" -Role "Azure Connected Machine Onboarding"
-    $sp
-    ```
-
-    ```output
-    Secret                : System.Security.SecureString
-    ServicePrincipalNames : {ad9bcd79-be9c-45ab-abd8-80ca1654a7d1, https://Arc-for-servers}
-    ApplicationId         : ad9bcd79-be9c-45ab-abd8-80ca1654a7d1
-    ObjectType            : ServicePrincipal
-    DisplayName           : Hybrid-RP
-    Id                    : 5be92c87-01c4-42f5-bade-c1c10af87758
-    Type                  :
+    Get-AzContext
     ```
-
-2. To retrieve the password stored in the `$sp` variable, run the following command:
-
+    
+1. Run the following command to create a service principal and assign it the Azure Connected Machine Onboarding role for the selected subscription. After the service principal is created, it will print the application ID and secret. The secret is valid for 1 year, after which you'll need to generate a new secret and update any scripts with the new secret.
+   
     ```azurepowershell-interactive
-    $credential = New-Object pscredential -ArgumentList "temp", $sp.Secret
-    $credential.GetNetworkCredential().password
+    $sp = New-AzADServicePrincipal -DisplayName "Arc server onboarding account" -Role "Azure Connected Machine Onboarding"
+    $sp | Format-Table AppId, @{ Name = "Secret"; Expression = { $_.PasswordCredentials.SecretText }}
+    ```
+    ```output
+    AppId                                Secret
+    -----                                ------
+    aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee PASSWORD_SHOWN_HERE
     ```
 
-3. In the output, find the values for the fields **password** and **ApplicationId**. You'll need these values later, so save them in a secure place. If you forget or lose your service principal password, you can reset it using the [`New-AzADSpCredential`](/powershell/module/az.resources/new-azadspcredential) cmdlet.
-
-The values from the following properties are used with parameters passed to the `azcmagent`:
-
-- The value from the **ApplicationId** property is used for the `--service-principal-id` parameter value
-- The value from the **password** property is used for the  `--service-principal-secret` parameter used to connect the agent.
-
-> [!TIP]
-> Make sure to use the service principal **ApplicationId** property, not the **Id** property.
-
-4. Assign the **Azure Connected Machine Onboarding** role to the service principal for the designated resource group or subscription. This role contains only the permissions required to onboard a machine. Note that your account must be a member of the **Owner** or **User Access Administrator** role for the subscription to which the service principal will have access. For information on how to add role assignments, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md) or [Assign Azure roles using Azure CLI](../../role-based-access-control/role-assignments-cli.md).
+    The values from the following properties are used with parameters passed to the `azcmagent`:
+    
+    - The value from the **AppId** property is used for the `--service-principal-id` parameter value
+    - The value from the **Secret** property is used for the `--service-principal-secret` parameter used to connect the agent.
 
 ## Generate the installation script from the Azure portal
 
@@ -144,8 +131,21 @@ After you install the agent and configure it to connect to Azure Arc-enabled ser
 
 ![Screenshot showing a successful server connection in the Azure portal.](./media/onboard-portal/arc-for-servers-successful-onboard.png)
 
+
+
+
+
+
+
+
+
+
+
 ## Next steps
 
 - Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.
 - Learn how to [troubleshoot agent connection issues](troubleshoot-agent-onboard.md).
 - Learn how to manage your machines using [Azure Policy](../../governance/policy/overview.md) for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verifying that machines are reporting to the expected Log Analytics workspace, monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and more.
+```
+
+```
