Rediger

Del via


Azure authentication with service principal

This article looks at how the Azure Identity library supports Microsoft Entra token authentication via service principal. This article covers the following subjects:

For more information, see Application and service principal objects in Microsoft Entra ID. For troubleshooting service principal authentication issues, see Troubleshoot service principal authentication.

Create a service principal with the Azure CLI

Use the following Azure CLI examples to create or get client secret credentials.

Use the following command to create a service principal and configure its access to Azure resources:

az ad sp create-for-rbac \
    --name <your application name> \
    --role Contributor \
    --scopes /subscriptions/mySubscriptionID

This command returns a value similar to the following output:

{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
}

Use the following command to create a service principal along with a certificate. Note down the path/location of this certificate.

az ad sp create-for-rbac \
    --name <your application name> \
    --role Contributor \
    --cert <certificate name> \
    --create-cert

Check the returned credentials and to note down the following information:

  • AZURE\_CLIENT\_ID for the appId.
  • AZURE\_CLIENT\_SECRET for the password.
  • AZURE\_TENANT\_ID for the tenant.

Client secret credential

This credential authenticates the created service principal through its client secret (password). This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientSecretCredential.

/**
 *  Authenticate with client secret.
 */
ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
  .clientId("<your client ID>")
  .clientSecret("<your client secret>")
  .tenantId("<your tenant ID>")
  .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(clientSecretCredential)
  .buildClient();

Client certificate credential

This credential authenticates the created service principal through its client certificate. This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientCertificateCredential.

/**
 *  Authenticate with a client certificate.
 */
ClientCertificateCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
  .clientId("<your client ID>")
  .pemCertificate("<path to PEM certificate>")
  // Choose between either a PEM certificate or a PFX certificate.
  //.pfxCertificate("<path to PFX certificate>", "PFX CERTIFICATE PASSWORD")
  .tenantId("<your tenant ID>")
  .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(clientCertificateCredential)
  .buildClient();

Next steps

This article covered authentication via service principal. This form of authentication is one of multiple ways you can authenticate in the Azure SDK for Java. The following articles describe other ways:

If you run into issues related to service principal authentication, see Troubleshoot service principal authentication.

After you've mastered authentication, see Configure logging in the Azure SDK for Java for information on the logging functionality provided by the SDK.