Create an Azure AD app and service principal in the portal

Article
01/20/2023
8 minutes to read

This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also use Azure PowerShell or the Azure CLI to create a service principal.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?.

App registration, app objects, and service principals

There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. For more information on the relationship between app registration, application objects, and service principals, read Application and service principal objects in Azure Active Directory.

Permissions required for registering an app

You must have sufficient permissions to register an application with your Azure AD tenant, and assign to the application a role in your Azure subscription.

Check Azure AD permissions

Select Azure Active Directory.
Find your role under Overview->My feed. If you have the User role, you must make sure that non-administrators can register applications.
In the left pane, select Users and then User settings.
Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the app registrations setting is set to No, only users with an administrator role may register these types of applications. See Azure AD built-in roles to learn about available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign a role to an AD app. This action is granted through the Owner role or User Access Administrator role. If your account is assigned the Contributor role, you don't have adequate permission. You will receive an error when attempting to assign the service principal a role.

To check your subscription permissions:

Search for and select Subscriptions, or select Subscriptions on the Home page.
Select the subscription you want to create the service principal in.
See Also
How to get Azure API credentials - Client ID, Client Secret, Tenant ID and Subscription ID Configure Azure services - Configuration Manager
If you don't see the subscription you're looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.
Select My permissions. Then, select Click here to view complete access details for this subscription.
Select Role assignments to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to User Access Administrator role. In the following image, the user is assigned the Owner role, which means that user has adequate permissions.

Register an application with Azure AD and create a service principal

Let's jump straight into creating the identity. If you run into a problem, check the required permissions to make sure your account can create the identity.

Sign in to your Azure Account through the Azure portal.
Select Azure Active Directory.
Select App registrations.
Select New registration.
Name the application, for example "example-app". Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a Native application. You can't use that type for an automated application. After setting the values, select Register.

You've created your Azure AD application and service principal.

Note

You can register multiple applications with the same name in Azure AD, but the applications must have different Application (client) IDs.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application. Decide which role offers the right permissions for the application. To learn about the available roles, see Azure built-in roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select Subscriptions, or select Subscriptions on the Home page.
Select the particular subscription to assign the application to.
If you don't see the subscription you're looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.
Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
In the Role tab, select the role you wish to assign to the application in the list. For example, to allow the application to execute actions like reboot, start and stop instances, select the Contributor role. Read more about the available roles.
Select the Next button to move to the Members tab. Select Assign access to-> User, group, or service principal and then select Select members. By default, Azure AD applications aren't displayed in the available options. To find your application, search by name (for example, "example-app") and select it from the returned list. Click the Select button. Then click the Review + assign button.

Your service principal is set up. You can start using it to run your scripts or apps. To manage your service principal (permissions, user consented permissions, see which users have consented, review permissions, see sign in information, and more), go to Enterprise applications.

The next section shows how to get values that are needed when signing in programmatically.

Get tenant and app ID values for signing in

When programmatically signing in, pass the tenant ID with your authentication request and the application ID. You also need a certificate or an authentication key (described in the following section). To get those values, use the following steps:

Select Azure Active Directory.
From App registrations in Azure AD, select your application.
Copy the Directory (tenant) ID and store it in your application code.
The directory (tenant) ID can also be found in the default directory overview page.
Copy the Application ID and store it in your application code.

Authentication: Two options

There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. We recommend using a certificate, but you can also create an application secret.

Option 1: Upload a certificate

You can use an existing certificate if you have one. Optionally, you can create a self-signed certificate for testing purposes only. To create a self-signed certificate, open PowerShell and run New-SelfSignedCertificate with the following parameters to create the cert in the user certificate store on your computer:

$cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature

Export this certificate to a file using the Manage User Certificate MMC snap-in accessible from the Windows Control Panel.

Select Run from the Start menu, and then enter certmgr.msc.
The Certificate Manager tool for the current user appears.
To view your certificates, under Certificates - Current User in the left pane, expand the Personal directory.
Right-click on the cert you created, select All tasks->Export.
Follow the Certificate Export wizard. Do not export the private key, and export to a .CER file.

To upload the certificate:

Select Azure Active Directory.
From App registrations in Azure AD, select your application.
Select Certificates & secrets.
Select Certificates > Upload certificate and select the certificate (an existing certificate or the self-signed certificate you exported).
Select Add.

After registering the certificate with your application in the application registration portal, enable the client application code to use the certificate.

Option 2: Create a new application secret

If you choose not to use a certificate, you can create a new application secret.

Select Azure Active Directory.
From App registrations in Azure AD, select your application.
Select Certificates & secrets.
Select Client secrets -> New client secret.
Provide a description of the secret, and a duration. When done, select Add.
After saving the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You will provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.

Configure access policies on resources

Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also update a key vault's access policies to give your application access to keys, secrets, or certificates.

In the Azure portal, navigate to your key vault and select Access policies.
Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
Select Add to add the access policy, then Save to commit your changes.

Next steps

Learn how to use Azure PowerShell or Azure CLI to create a service principal.
To learn about specifying security policies, see Azure role-based access control (Azure RBAC).
For a list of available actions that can be granted or denied to users, see Azure Resource Manager Resource Provider operations.
For information about working with app registrations by using Microsoft Graph, see the Applications API reference.

Create an Azure AD app and service principal in the portal - Microsoft Entra (2024)