You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Use the portal to create an Azure AD application and service principal that can access resources
17
17
18
-
This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that needs to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
18
+
This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
19
19
20
20
This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also [use Azure PowerShell to create a service principal](howto-authenticate-service-principal-powershell.md).
21
21
@@ -50,17 +50,17 @@ To check your subscription permissions:
50
50
51
51
1. Search for and select **Subscriptions**, or select **Subscriptions** on the **Home** page.
:::image type="content" source="media/howto-create-service-principal-portal/select-subscription.png" alt-text="Screenshot how to search subscription permissions.":::
54
54
55
55
1. Select the subscription you want to create the service principal in.
56
56
57
-
57
+
:::image type="content" source="media/howto-create-service-principal-portal/select-one-subscription.png" alt-text="Select subscription for assignment.":::
58
58
59
59
If you don't see the subscription you're looking for, select **global subscriptions filter**. Make sure the subscription you want is selected for the portal.
60
60
61
61
1. Select **My permissions**. Then, select **Click here to view complete access details for this subscription**.
62
62
63
-
63
+
:::image type="content" source="media/howto-create-service-principal-portal/view-details.png" alt-text="Select the subscription you want to create the service principal in.":::
64
64
65
65
1. Select **Role assignments** to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.
66
66
@@ -74,9 +74,9 @@ Let's jump straight into creating the identity. If you run into a problem, check
74
74
1. Select **Azure Active Directory**.
75
75
1. Select **App registrations**.
76
76
1. Select **New registration**.
77
-
1. Name the application. Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../app-proxy/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.
77
+
1. Name the application, for example "example-app". Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../app-proxy/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.
78
78
79
-
79
+
:::image type="content" source="media/howto-create-service-principal-portal/create-app.png" alt-text="Type a name for your application.":::
80
80
81
81
You've created your Azure AD application and service principal.
82
82
@@ -91,20 +91,22 @@ You can set the scope at the level of the subscription, resource group, or resou
91
91
92
92
1. In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select **Subscriptions**, or select **Subscriptions** on the **Home** page.
93
93
94
-
94
+
:::image type="content" source="media/howto-create-service-principal-portal/select-subscription.png" alt-text="For example, assign a role at the subscription scope.":::
95
95
96
96
1. Select the particular subscription to assign the application to.
97
97
98
-
98
+
:::image type="content" source="media/howto-create-service-principal-portal/select-one-subscription.png" alt-text="Select subscription for assignment.":::
99
99
100
100
If you don't see the subscription you're looking for, select **global subscriptions filter**. Make sure the subscription you want is selected for the portal.
101
101
102
102
1. Select **Access control (IAM)**.
103
-
1. Select Select **Add** > **Add role assignment** to open the **Add role assignment** page.
104
-
1.Select the role you wish to assign to the application. For example, to allow the application to execute actions like **reboot**, **start** and **stop** instances, select the **Contributor** role. Read more about the [available roles](../../role-based-access-control/built-in-roles.md) By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.
103
+
1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.
104
+
1.In the **Role** tab, select the role you wish to assign to the application in the list. For example, to allow the application to execute actions like **reboot**, **start** and **stop** instances, select the **Contributor** role. Read more about the [available roles](../../role-based-access-control/built-in-roles.md).
105
105
106
-
Assign the Contributor role to the application at the subscription scope. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
106
+
Select the **Next** button to move to the **Members** tab. Select **Assign access to**-> **User, group, or service principal** and then select **Select members**. By default, Azure AD applications aren't displayed in the available options. To find your application, search by name (for example, "example-app") and select it from the returned list. Click the **Select** button. Then click the **Review + assign** button.
107
107
108
+
:::image type="content" source="media/howto-create-service-principal-portal/add-role-assignment.png" alt-text="Screenshot showing role assignment.":::
109
+
108
110
Your service principal is set up. You can start using it to run your scripts or apps. To manage your service principal (permissions, user consented permissions, see which users have consented, review permissions, see sign in information, and more), go to **Enterprise applications**.
109
111
110
112
The next section shows how to get values that are needed when signing in programmatically.
@@ -117,13 +119,13 @@ When programmatically signing in, pass the tenant ID with your authentication re
117
119
1. From **App registrations** in Azure AD, select your application.
118
120
1. Copy the Directory (tenant) ID and store it in your application code.
119
121
120
-
122
+
:::image type="content" source="media/howto-create-service-principal-portal/copy-tenant-id.png" alt-text="Copy the directory (tenant ID) and store it in your app code.":::
121
123
122
124
The directory (tenant) ID can also be found in the default directory overview page.
123
125
124
126
1. Copy the **Application ID** and store it in your application code.
125
127
126
-
128
+
:::image type="content" source="media/howto-create-service-principal-portal/copy-app-id.png" alt-text="Copy the application (client) ID.":::
127
129
128
130
## Authentication: Two options
129
131
@@ -154,7 +156,7 @@ To upload the certificate:
154
156
1. Select **Certificates & secrets**.
155
157
1. Select **Certificates** > **Upload certificate** and select the certificate (an existing certificate or the self-signed certificate you exported).
156
158
157
-
159
+
:::image type="content" source="media/howto-create-service-principal-portal/upload-cert.png" alt-text="Select Upload certificate and select the one you want to add.":::
158
160
159
161
1. Select **Add**.
160
162
@@ -172,7 +174,7 @@ If you choose not to use a certificate, you can create a new application secret.
172
174
173
175
After saving the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You will provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.
174
176
175
-
177
+
:::image type="content" source="media/howto-create-service-principal-portal/copy-secret.png" alt-text="Copy the secret value because you can't retrieve this later.":::
176
178
177
179
## Configure access policies on resources
178
180
Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](../../key-vault/general/security-features.md#privileged-access) to give your application access to keys, secrets, or certificates.
0 commit comments