A service principal represents an application in a tenant and is created in each tenant where the application is used. The Azure AD v1 endpoint allows an application to use its app ID (also known as client ID) across multiple tenants, most often for multi-tenant SaaS apps. These apps need a way to sign in users who belong to different organizations.
To do this, Azure AD has to know the app’s application ID. This way, configurations and permissions that are associated with the app can be managed in each tenant. A service principal object, referred to as an “App registration” in the Azure portal, is created in each tenant where the application is used and allows the use of Azure AD for authentication.
Setting up an Authentication Method for a Service Principal
Method 1: Using Azure Portal
Follow these steps to configure an authentication method for your service principal in the Azure portal:
- Step 1: Sign in to the Azure portal.
- Step 2: In the left-hand menu, select “Azure Active Directory,” followed by “Enterprise applications.”
- Step 3: Choose your application from the list of enterprise applications.
- Step 4: In the “Application” panel, select “Settings,” followed by “Authentication/Authorization.”
- Step 5: Here, you will be able to configure the method of authentication. By default, there will be two types: Password-based and Certificate-based authentication.
- Step 6: If you choose Password-based, you would need to enter a Key Value and a Key ID, select a duration for the key, and then click on “Save.”
- Step 7: If you choose Certificate-based, you would need to upload a certificate, insert its valid dates and ID, and then click on “Save.”
Method 2: Using Azure CLI
Through Azure CLI, you can configure the authentication method for a service principal as follows:
az ad sp create-for-rbac --name http://my-application --password MY_SECURED_PASSWORD
In the above command, replace “http://my-application” with your application’s URL and “MY_SECURED_PASSWORD” with a strong password.
The Azure CLI command will give you output similar to the format below. This includes the appId, password, tenant, and name, which you can use to access resources.
{
"appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",
"displayName": "my-application",
"name": "http://my-application",
"password": "MY_SECURED_PASSWORD",
"tenant": "YOUR_TENANT_ID"
}
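The CLI procedure above as one runnable script. This is an added example, not code from the original page: it creates the service principal with a certificate credential (`--create-cert`, the method the page itself lists as recommended; note that current Azure CLI releases no longer accept a caller-supplied `--password` on `create-for-rbac`), assigns the Reader role at resource-group scope rather than the whole subscription, signs in with the three values every service-principal login needs (tenant ID, client ID, credential), and lists the resulting role assignment. `SP_NAME`, `SUBSCRIPTION_ID` and `RESOURCE_GROUP` are placeholders you supply; the JSON sample is constructed in the shape `az` prints, with fake values. The helper functions run offline; the `az` calls only execute when `SP_DEMO_RUN=1` is set.

```shell
#!/bin/sh
# Added example (not from the original page). Placeholders: SP_NAME,
# SUBSCRIPTION_ID, RESOURCE_GROUP. SAMPLE_OUTPUT is constructed, not real
# Azure output. Nothing contacts Azure unless SP_DEMO_RUN=1.
set -eu

# --- Pure helpers (run offline) ------------------------------------------

# extract_field JSON KEY: pull one string value out of the one-key-per-line
# JSON that `az ... -o json` prints. Sufficient for create-for-rbac output;
# use jq for anything nested.
extract_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# is_guid VALUE: tenant IDs and appIds (client IDs) are GUIDs. Reject anything
# else before it is pasted into a login command or a pipeline's config.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# build_rg_scope SUBSCRIPTION_ID RESOURCE_GROUP: a role-assignment scope one
# level below the subscription, so the principal gets only what it needs.
build_rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Constructed sample in the shape `az ad sp create-for-rbac --create-cert`
# prints; every value here is fake.
SAMPLE_OUTPUT='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "my-application",
  "fileWithCertAndPrivateKey": "/home/me/tmpabc123.pem",
  "password": null,
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# --- Azure CLI steps (executed only when SP_DEMO_RUN=1) -------------------

# Create the principal with a self-signed certificate credential and a Reader
# assignment scoped to one resource group, sign in as it, then verify.
provision_and_verify() {
  sub="$1"; rg="$2"; name="$3"
  scope="$(build_rg_scope "$sub" "$rg")"

  # --create-cert keeps the private key in a local PEM file and uploads only
  # the public certificate to the app; no secret string is printed.
  out="$(az ad sp create-for-rbac --name "$name" --create-cert \
           --role Reader --scopes "$scope" -o json)"
  app_id="$(extract_field "$out" appId)"
  tenant="$(extract_field "$out" tenant)"
  pem="$(extract_field "$out" fileWithCertAndPrivateKey)"
  is_guid "$app_id" && is_guid "$tenant" || {
    echo "unexpected az output: $out" >&2; return 1; }

  # The three inputs of any service-principal login: tenant, client ID, credential.
  az login --service-principal -u "$app_id" -p "$pem" --tenant "$tenant" >/dev/null

  # The principal can now obtain tokens for Azure Resource Manager.
  az account get-access-token --resource https://management.azure.com/ \
    --query expiresOn -o tsv

  # Confirm it holds exactly the assignment requested, at the requested scope.
  az role assignment list --assignee "$app_id" --scope "$scope" -o table

  printf 'appId=%s tenant=%s pem=%s\n' "$app_id" "$tenant" "$pem"
}

# Remove the principal once it is no longer needed.
cleanup() {
  az ad sp delete --id "$1"
}

if [ "${SP_DEMO_RUN:-0}" = "1" ]; then
  provision_and_verify "${SUBSCRIPTION_ID:?}" "${RESOURCE_GROUP:?}" "${SP_NAME:?}"
fi
```

Run it as `SP_DEMO_RUN=1 SUBSCRIPTION_ID=... RESOURCE_GROUP=... SP_NAME=... sh sp-setup.sh` from a session already logged in as a user who can create app registrations and role assignments. The PEM path printed at the end is the only copy of the private key; store it in a key vault or secret store and delete the local file.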
Conclusion
When setting up a service principal in Azure, choosing the right authentication method is critical for security. Whether you are using the Azure portal or Azure CLI, follow the steps carefully to avoid misconfiguration. Happy studying for your AZ-500 Microsoft Azure Security Technologies exam!
Practice Test
True/False: A service principal for Azure can be created automatically when creating or modifying an Azure resource.
- True
- False
Answer: True
Explanation: When an Azure resource is created or adjusted that requires a service principal, one will be created automatically.
Single Select: Which tool can you use to create a service principal for Azure?
- A. PowerShell
- B. Azure CLI
- C. Azure portal
- D. All of the above
Answer: D. All of the above
Explanation: A service principal for Azure can be created using PowerShell, Azure CLI, or through the Azure portal.
True/False: A service principal is used to grant specific permissions to a user service or application within Azure.
- True
- False
Answer: True
Explanation: Service principals allow Azure to authenticate services, daemon applications, or other applications that are running in the background and need to access or modify resources.
Multiple Select: Which of the following actions can be accomplished by configuring an authentication method for a service principal?
- A. Authenticate services or applications running in the background.
- B. Grant permissions to a specific user service or application.
- C. Enable the application of role-based access control (RBAC) policies.
- D. Access and manage resources in Azure Active Directory (Azure AD).
Answer: A, B, C, D
Explanation: These are all actions that can be accomplished by properly configuring an authentication method for a service principal in Azure.
True/False: Service principals can be used to delegate permissions to managed identities for Azure resources.
- True
- False
Answer: True
Explanation: This can be done through using role-based access control (RBAC) which applies to service principals as well.
Multiple Select: Which of these statements are true about a service principal in Azure?
- A. It represents an application in a tenant.
- B. It enables the application to access the resources it needs.
- C. It is used to authenticate and renew tokens.
- D. It has to be manually created by a user.
Answer: A, B, C
Explanation: A service principal represents an application’s identity and role within a tenant, enables access to resources, and helps with token renewal. It does not have to be created manually, since it can be created automatically when needed.
True/False: For ‘Application’ type service principal, a user-assigned managed identity must be created.
- True
- False
Answer: False
Explanation: For ‘Application’ type service principal, a managed identity doesn’t have to be user-assigned. It can also be system-assigned.
Single Select: Which of the following is not a type of service principal in Azure?
- A. Application
- B. Managed Identity
- C. Security Assertion Markup Language
- D. Service Account
Answer: C. Security Assertion Markup Language
Explanation: Security Assertion Markup Language refers to an open standard for exchanging authentication and authorization data, not a type of service principal.
True/False: Only one authentication method can be configured for a service principal.
- True
- False
Answer: False
Explanation: Multiple authentication methods can be configured for a service principal, including client secrets and certificates.
Single Select: Which of the following must you initially set up within the Azure portal for service principal authentication?
- A. Permissions
- B. Resources
- C. Account
- D. Subscription
Answer: D. Subscription
Explanation: The user must initially set up a subscription for the execution environment within the Azure portal. This is part of the prerequisites for setting up service principal authentication.
Multiple Select: Microsoft recommends using which of the following authentications for service principals?
- A. Managed Identities
- B. Password-based
- C. Certificate-based
- D. Multi-Factor Authentication
Answer: A, C
Explanation: Microsoft recommends using managed identities and certificate-based authentication for service principals for security reasons.
True/False: A service principal’s permission can be scoped to the level of the subscription, the resource group, or the resource.
- True
- False
Answer: True
Explanation: The service principal’s permission can be set at the desired scope – subscription, resource group or an individual resource.
Single Select: In what format does Azure AD return the credentials of the service principal when using the Azure CLI to create a service principal?
- A. XML
- B. JSON
- C. CSV
- D. TXT
Answer: B. JSON
Explanation: Azure CLI command ‘az ad sp create-for-rbac’ returns the service principal’s credentials in a JSON format.
True/False: The Azure portal can be used to configure role assignments for a service principal at the subscription level.
- True
- False
Answer: True
Explanation: The Azure portal provides an interface to configure the role assignments for a service principal at the subscription level.
Single Select: To authenticate a service principal, which of the following details are required?
- A. Tenant ID
- B. Client ID
- C. Client secret
- D. All of the above
Answer: D. All of the above
Explanation: Tenant ID, client ID, and client secret are required to authenticate a service principal using either Azure CLI or PowerShell.
Interview Questions
What is a service principal in Azure?
A service principal is essentially an identity created for use with applications, hosted services, and automated tools to access specific Azure resources.
How can one configure an authentication method for a service principal?
An authentication method for a service principal can be configured either using Azure Portal, Azure CLI, or using Azure PowerShell.
Where can you find the service principal in Azure portal?
The Service Principal can be found in the Azure Active Directory (Azure AD) by going to App registrations and then selecting the application.
How do you create a new service principal using Azure CLI?
You would use the command “az ad sp create-for-rbac” to create a new service principal in Azure CLI.
Can a service principal have more than one authentication method?
Yes, a service principal can have multiple authentication methods, such as certificate-based authentication and password-based authentication.
How can you assign a role to the service principal?
The command “az role assignment create --assignee
Which authentication method is more secure for a service principal: password-based, or certificate-based?
Certificate-based authentication is considered more secure for a service principal compared to password-based authentication.
Can a service principal be used across different Azure subscriptions?
Yes, a service principal is a global object within an organization’s Azure AD instance, therefore, it can be used across different Azure subscriptions if necessary.
How is RBAC connected to configuring an authentication method for a service principal?
Role-Based Access Control (RBAC) is implemented for service principals to control the access of the service principal to specific resources and to configure the authentication method effectively.
How can you delete a service principal using Azure CLI?
You would use the command “az ad sp delete --id
Can the service principal identifier be used to log in from Azure SDK?
Yes, the service principal identifier or appId along with the password or certificate can be used to authenticate from Azure SDK.
How can you configure certificate-based authentication for a service principal?
The configuration of certificate-based authentication involves uploading a public key certificate to Azure Portal during the service principal creation or modifying an existing one.
How do you verify if the service principal has been assigned the correct roles?
You would use the command “az role assignment list --assignee
What is the primary difference between a managed identity and a service principal?
While the two function similarly, managed identities are automatically managed by Azure and do not require you to register them like you do service principals.
Why would an organization use a service principal as opposed to a managed identity?
If the organization has an application that needs to authenticate to Azure resources across different tenants or multiple Azure AD instances in a multi-tenant scenario, a service principal would be more suitable.