- Article
In this article, you'll learn how to create an Azure Active Directory (Azure AD) application and service that can be used with role-based access control. When registering a new application with Azure AD, a service principal is automatically created to register the application. The core service is the application identity in your Azure AD tenant. Access to resources is limited by the roles assigned to the service principal, which gives you control over what resources you have access to and at what level. For security reasons, it's always recommended to use service principals with automated tools instead of allowing them to connect to the user's identity.
In this article, you'll create a single tenant application in the Azure portal. This example is for business applications used within one organization. You can toouse Azure PowerShelltheAzure CLIcreate a main service.
Great
Instead of creating a service principal, consider using managed identities for Azure resources to identify your application. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are the best choice for you. To learn more about managed identities for Azure resources, including the services that currently support them, seeWhat are managed identities for Azure resources?.
For more information on the relationship between application registration, application objects, and service commands, read belowMain application and service objects in Azure Active Directory.
Prerequisites
To register an application in your Azure AD tenant, you must:
- An Azure AD user account. If you don't already have it, you canopen an account for free.
Necessary permissions to register the application
You must have sufficient permissions to register the application in your Azure AD tenant and assign the application a role in your Azure subscription. To complete these tasks, you mustApplication.ReadWrite.Allpermission.
Register the application with Azure AD and create a service principal
Subscribe toBrama Azurni.
Search and selectAzure Active Directory.
to chooseApp registrations, then selectNew entrance.
Name the app, for example "sample-app".
Select a supported account type that determines who can use the app.
BelowRedirect URI, To choosenetfor the type of app you want to create. Enter the URI to which the access token is sent.
to chooseRegister.
Created an Azure AD application and service principal.
Assign a role to the app
To access subscription resources, you must assign a role to the app. Decide which role offers the appropriate permissions for the app. To learn more about available roles, seeAzure built-in roles.
The scope can be set at the subscription, resource group, or resource level. Rights are inherited at lower levels of the scope.
Subscribe toBrama Azurni.
Select the scope level you want to assign the app to. For example, to assign a role to a membership scope, search and selectSubscriptions. If you don't see the subscription you're looking for, select ituniversal subscription filter. Make sure the right subscription is selected for your tenant.
to chooseAccess Control (IAM).
to chooseTo add, then selectAdd role assignment.
uroleselect the role you want to assign to the application from the list. For example, to allow the app to perform actions such as restarting, starting, and stopping instances, selectColleaguerole.
To chooseNEXT.
Alreadymembersear. To chooseGranting access, then selectUser, group or service manager
to chooseSelect members. By default, Azure AD applications do not appear in the available options. To find your app, search for it by name.
To chooseto choosebutton, then selectReview + work.
(Video) Register an app on Microsoft Azure AD and get Client ID, Tenant Id and the Client Secret
Your main server is set up. You can start using it to run scripts or apps. To manage your main property (permissions, user permissions, seeing which users have consented, viewing permissions, viewing login details, and more), go tocorporate applications.
The following section shows how to obtain the values required during programmatic linking.
Log in to the application
For programmatic linking, pass the Tenant ID and App ID in the authentication request. You also need a certificate or key for authentication. To get the directory (tenant) ID and application ID:
- Ask for a choiceAzure Active Directory.
- ZApp registrationsin Azure AD, select your application.
- On the App Overview page, copy the directory (tenant) ID value and save it in your app code.
- Copy the value of the application (client) ID and save it in the application code.
Authentication setup
There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication.We recommend using a trusted certificate issued by an authorized certification authority, but you can also generate an app secret or generate a self-signed certificate for testing purposes.
Option 1 (recommended): Upload a trusted certificate issued by a CA
To upload a certificate file:
- Search and selectAzure Active Directory.
- ZApp registrationsin Azure AD, select your application.
- to chooseCertificates and secrets.
- to chooseCertificates, then selectUpload certificateand then select the certificate file to upload.
- to chooseTo add. After the certificate is loaded, the values for the thumbprint, start date, and expiration date are displayed.
After registering the certificate with the application in the application registration portal, activateconfidential client applicationcertificate user code.
Option 2: Just test - generate and upload a self-signed certificate
Optionally, you can generate a self-signed certificate forfor testing purposes only. To generate a self-signed certificate, open Windows PowerShell and run itA new self-signed certificatewith the following parameters to generate a certificate in your computer's user certificate store:
$cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec SignatureExport this certificate to a file withUser certificate managementThe MMC snap-in is available in the Windows Control Panel.
- to chooseJoggingzPrinciplemenu, then entercertmgr.msc. The Certificate Manager for the current user will be displayed.
- To view your certificates, subCertificates - current userexpand in the left panePersonallyIndex.
- Right click on the created certificate, selectAll tasks->Export.
- Follow the instructions of the certificate export wizard.
To transfer a certificate:
- Search and selectAzure Active Directory.
- ZApp registrationsin Azure AD, select your application.
- to chooseCertificates and secrets.
- to chooseCertificates, then selectUpload certificateand then select a certificate (an existing certificate or an exported self-signed certificate).
- to chooseTo add.
After registering the certificate with the application in the application registration portal, activateconfidential client applicationcertificate user code.
Option 3: Create a new application secret
If you choose not to use a certificate, you can create a new application secret.
- Search and selectAzure Active Directory.
- to chooseApp registrationsand select your app from the list.
- to chooseCertificates and secrets.
- to chooseCustomer secretsthen SelectNew client's secret.
- Describe the mystery and duration.
- to chooseTo add.
After the client secret is saved, the value of the client secret is displayed. Copy this value as you won't be able to retrieve the key later. You'll provide a key value with your app ID to log in as an app. Store the key value where the application can retrieve it.
Configure resource access policies
You may need to configure additional permissions for resources your app needs to access. For example, you must tooupdate the keystore access policyto give your app access to keys, secrets or certificates.
To configure access rules:
Subscribe toBrama Azurni.
Select a key vault and selectAccess Policy.
to chooseAdd an access policy, then select the key, secret, and certificate permissions you want to assign to your app. Select the main service you created earlier.
to chooseTo addto add an access policy.
(Video) Microsoft Entra Deep Dive: Azure Active Directory - ApplicationsRescue.
Next steps
- Learn to useAzure PowerShelltheAzure CLIcreate a main service.
- To learn more about configuring security rules, seeAzure role-based access control (Azure RBAC).
- For a list of available actions that can approve or reject users, seeAzure Resource Manager resource provider features.
- For information on working with app registrations usingMicrosoft Chart, I seeAppsReporting API.
FAQs
How do I create an Azure service principal in Azure portal? ›
- Navigate to the Azure portal.
- Select Azure Active Directory from the left-hand side menu.
- Select App registrations and + New registration.
- Enter a name for the application (the service principal name).
- Select Accounts in this organizational directory only.
- Then select Register.
Go to the Azure portal and sign in using one of the roles listed in the prerequisites. Browse to Azure Active Directory and select Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant. In the Enterprise applications pane, select New application.
How do I create an application access policy in Azure portal? ›Sign in to the Azure portal. From Azure Active Directory, select App registrations and click New registration. In the resulting pane, enter the name of the application (for example, MATLAB Production Server App ) then select Register. In the application that you registered, select Expose an API.
Where are service principals in Azure portal? ›View the service principal
Select Azure Active Directory and then select Enterprise applications. Under Application Type, choose All Applications and then select Apply. In the search filter box, type the name of the Azure resource that has managed identities enabled or choose it from the list.
Relationship between application objects and service principals. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
How do I create an API app in Azure portal? ›- Navigate to your API Management service in the Azure portal and select APIs from the menu.
- From the left menu, select + Add API.
- Select HTTP from the list.
- Select Create.
- Log in to the Azure portal.
- Click Create a resource > Compute, and then scroll down to and click Cloud Service.
- In the new Cloud Service pane, enter a value for the DNS name.
- Create a new Resource Group or select an existing one.
- Select a Location.
- Click Package.
To sign in with a service principal, use the ServicePrincipal parameter of the Connect-AzAccount cmdlet. You'll also need the service principal's application ID, sign-in credentials, and the tenant ID associate with the service principal.
What Azure role is needed to create enterprise application? ›What Azure AD Role is required to create an Enterprise Application? To create an Azure AD Enterprise Application, you must have the Application Administrator role or Cloud Application Administrator role if you do not have the Global Administrator role.
What is enterprise application in Azure Active Directory? ›Enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access to the directory it exists, and act as an instance of the application.
What is the difference between enterprise application and app registration? ›
In some cases, people even use both terms interchangeably. But, App registration is simply the actual application object where you configure application settings. Whereas Enterprise Application is a representation of the application within a directory.
How do I add service principal to Azure AD group? ›To add the service principal, navigate to your Azure AD group. Under Manage, select Members > Add members. Search for your service principal in the search box and Select. Verify that the service principal is added to your Azure AD group.
What is the difference between application and service principal? ›Relationship between application objects and service principals. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
What role is required to create service principal in Azure? ›If you are the admin of your Azure Active Directory, you can grant the user Application administrator role. Then the user will be able to create service principals.
How do I create a SPN? ›SPNs are registered for built-in accounts automatically. However, when you run a service under a domain user account, you must manually register the SPN for the account you want to use. To create an SPN, you can use the SetSPN command line utility.
What is service principal in Azure portal? ›An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a tenant or directory. It's the identity of the application instance. Service principals define application access and resources the application accesses.
What are the three kinds of App Service in Azure? ›- Web Apps.
- API Apps.
- Logic Apps.
- Function Apps.
The Azure AD application you create has an identity called the service principal, which keeps track of what permissions the application has across all Azure resources.
Does Azure portal have an API? ›Azure Resource Manager provider (and classic deployment model) APIs use https://management.core.windows.net/ . For any other resources, see the API documentation or the resource application's configuration in the Azure portal.
What is the difference between Web API and app API? ›An API (Application programming interface) acts as an interface between two applications helping them to communicate with each other. A Web service manages the interaction between two machines over a network. It is a method by which third-party vendors can write programs that interface easily with the other programs.
How do I Create an Azure portal server? ›
- Sign in to Azure. Sign in to the Azure portal at https://portal.azure.com.
- Create virtual machine. Enter virtual machines in the search. ...
- Connect to virtual machine. ...
- Install web server. ...
- View the IIS welcome page. ...
- Clean up resources. ...
- Next steps.
- Right-click the project in Solution Explorer and select Publish. ...
- In the Publish dialog, select Azure > Next.
- Select the Azure service.
- Select Advanced. ...
- Select a Resource group and Hosting plan, or create new ones.
- Select Finish.
- In the Publish page:
- Sign in as an administrator in the Azure classic portal.
- Go to Active Directory and select the directory in which you want to enable Application Proxy.
- Click Configure, scroll down to Application Proxy and toggle Enable Application Proxy Services for this Directory to Enabled.
- In the Azure portal, on the left navigation pane, click Azure Active Directory.
- Register an application with Azure AD and create a service principal. Note the Client ID.
- Select authentication type. There are two types of authentication available for service principals: Client secret.
- Log in to the Azure portal.
- Click. Azure Active Directory. .
- In the. Manage. section, click. ...
- Click. New registration. ...
- On the. Register an application. ...
- In the Manage section, click. Certificates & secrets. ...
- Click. New client secret. ...
- In the. Add a client secret.
Access Azure Active Directory
Go to portal.azure.com and sign in with your work or student account. In the left navigation pane in the Azure portal, click Azure Active Directory.
- Unlimited single sign-on.
- User provisioning.
- Federated Authentication (Active Directory Federation Services or third-party identity provider)
- Users and group management.
- Device registration.
- Cloud authentication (Pass-Through Authentication, Password Hash synchronization, Seamless SSO)
Enablement of application as Saas is feature needed to make enterprise application migrate to private cloud.
What is the example of enterprise application? ›Examples of enterprise application systems include CRM, ERP, accounting, project management tools, SCM, and HRM systems.
What are the three types of enterprise application? ›Major types of enterprise software. Currently, there are distinguished three main types of enterprise systems: customer relationships management (CRM), enterprise resource planning (ERP), and supply chain management (SCM).
What are the four types of enterprise applications? ›
- Enterprise systems.
- Supply chain management systems.
- Customer relationship management systems.
- Knowledge management systems.
Enterprise Resource Planning (ERP) Customer Relationship Management (CRM) Decision Support System (DSS) Knowledge Management Systems (KMS)
What is the purpose of enterprise application? ›Enterprise applications are designed to integrate computer systems that run all phases of an enterprise's operations to facilitate cooperation and coordination of work across the enterprise.
What is a service principal in Azure portal? ›An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
What is the command to create Azure service principal? ›Create a service principal. Create an Azure service principal with the az ad sp create-for-rbac command. The appId and tenant keys appear in the output of az ad sp create-for-rbac and are used in service principal authentication. Record their values, but they can be retrieved at any point with az ad sp list.
What are Azure AD server principals? ›Azure AD server principals (logins) enable you to create logins from Azure AD users, groups, or applications. This means that you can authenticate with your SQL Managed Instance by using the Azure AD server login rather than a contained database user. For more information, see SQL Managed Instance overview.
How do I create a service principal name in Active Directory? ›- On the Domain Controller machine, start Active Directory Users and Computers.
- Select View > Advanced.
- Under Computers, locate one of the Network Controller machine accounts, and then right-click and select Properties.
- Select the Security tab and click Advanced.
- Select Create a resource > Web + Mobile > Web App.
- Select a subscription.
- Enter a name for a new resource group, or select Use existing and select one from the dropdown list.
- Enter a name for the app. ...
- For Publish, Runtime stack, and Operating System, make your selections as appropriate.
To manually create a service principal with the Azure CLI, use the az ad sp create-for-rbac command. The output is similar to the following example. Copy the values for appId and password . These values are used when you create an AKS cluster in the next section.
How do I manually set SPN? ›To register the SPN manually, you can use Setspn tool that is built into Windows. Setspn.exe is a command-line tool that enables you to read, modify, and delete the Service Principal Names (SPN) directory property.
What is an SPN example? ›
A Service Principal Name is a concept from Kerberos . It's an identifier for a particular service offered by a particular host within an authentication domain. The common form for SPNs is service class / fqdn @ REALM (e.g. IMAP/mail.example.com@EXAMPLE.COM ).
What is SPN and is used in Active Directory? ›A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account. Doing so allows a client application to request service authentication for an account even if the client doesn't have the account name.
What is Azure AD application? ›Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
How do I assign a custom role to a service principal in Azure? ›Azure creates the custom role and redirects you to the Access control (IAM) page. In the Grant access to this resource section, click Add role assignment to assign the custom role to the service principal. The Add role assignment page appears. On the Role tab, search for the custom role you created.