How to: Use the portal to create an Azure AD application and service principal that can access resources

When you have code that needs to access or modify resources, you can create an identity for the app. This identity is known as a service principal. You can then assign the required permissions to the service principal. This article shows you how to use the portal to create the service principal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure Active Directory (Azure AD) authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?.

Create an Azure Active Directory application

Let's jump straight into creating the identity. If you run into a problem, check the required permissions to make sure your account can create the identity.

  1. Sign in to your Azure Account through the Azure portal.
  2. Select Azure Active Directory.
  3. Select App registrations.

    Select app registrations

  4. Select New application registration.

    Add app

  5. Provide a name and URL for the application. Select Web app / API for the type of application you want to create. You can't create credentials for a Native application. You can't use that type for an automated application. After setting the values, select Create.

    Name application

You've created your Azure AD application and service principal.

Assign the application to a role

To access resources in your subscription, you must assign the application to a role. Decide which role offers the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select All services and Subscriptions.

    Select subscription

  2. Select the particular subscription to assign the application to.

    Select subscription for assignment

    If you don't see the subscription you're looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

    Select add role assignment

  5. Select the role you wish to assign to the application. To allow the application to execute actions like reboot, start and stop instances, select the Contributor role. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

    Select role

  6. Select Save to finish assigning the role. You see your application in the list of users assigned to a role for that scope.

Your service principal is set up. You can start using it to run your scripts or apps. The next section shows how to get values that are needed when signing in programmatically.

Get values for signing in

Get tenant ID

When programmatically signing in, you need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.
  2. Select Properties.

    Select Azure AD properties

  3. Copy the Directory ID to get your tenant ID.

    Tenant ID

Get application ID and authentication key

You also need the ID for your application and an authentication key. To get those values, use the following steps:

  1. From App registrations in Azure AD, select your application.

    Select application

  2. Copy the Application ID and store it in your application code.

    Client ID

  3. Select Settings.

    Select settings

  4. Select Keys.

  5. Provide a description of the key, and a duration for the key. When done, select Save.

    Save key

    After saving the key, the value of the key is displayed. Copy this value because you aren't able to retrieve the key later. You provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.

    Saved key

Required permissions

You must have sufficient permissions to register an application with your Azure AD tenant, and assign the application to a role in your Azure subscription.

Check Azure AD permissions

  1. Select Azure Active Directory.
  2. Note your role. If you have the User role, you must make sure that non-administrators can register applications.

    Find user

  3. Select User settings.

    Select user settings

  4. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

    View app registrations

If the app registrations setting is set to No, only global administrators can register apps. If your account is assigned to the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you to the global administrator role, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign an AD app to a role. This action is granted through the Owner role or User Access Administrator role. If your account is assigned to the Contributor role, you don't have adequate permission. You receive an error when attempting to assign the service principal to a role.

To check your subscription permissions:

  1. Select your account in the upper right corner, and select My permissions.

    Select user permissions

  2. From the drop-down list, select the subscription you want to create the service principal in. Then, select Click here to view complete access details for this subscription.

    Find user

  3. View your assigned roles, and determine if you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned to the Owner role, which means that user has adequate permissions.

    Show permissions

Next steps