Learn about using a service principal to allow an application to authenticate using Azure Active Directory, followed by a demonstration.
- [Instructor] Applications can be configured to access or modify resources leveraging Azure Active Directory, and we do this using service principals. There are two main benefits to using service principals for our applications. First, we can use a certificate to automate authentication for unattended scripts. Second, we can restrict the permissions for that application, meaning we only provide the permissions that the application needs in order to run. Let's go ahead and pop into Azure, and take a look at how we configure this.
As you can see, I've already logged into Azure. Before getting started, you may want to first see if users are able to register applications. To do so, you're going to click in Azure Active Directory. This'll open up the Azure Active Directory blade. Then, under MANAGE, Users and groups. Then, under MANAGE, again, User settings. We are going to focus in on App registrations. As you can see, mine is currently set to Yes, and this is the default.
This means any user can register an application. If you change it to No, you will need to be an administrator to register the applications in Azure Active Directory. In addition, at the subscription level, you will need either the Owner or User Access Administrator role. If you've only been configured with a Contributor role, it will not be enough to register applications in Azure Active Directory. I'm not going to make any changes here. We're good to go. I just wanted to point that out.
Going to go ahead, close that. Let's go ahead and create an Active Directory application. I am still in Active Directory. I'm going to go ahead and click on App registrations. You will notice that I have a couple of applications already here. I have a LinkedIn, a Facebook, and a test. We're going to go ahead and create a new one. To do so, click Add. We're going to provide a name. You're going to specify the application type, a Web app, or is it native. In our case, we're going to go ahead with a Web app, and we're going to go ahead and provide a sign-on URL.
I do not have an actual application. This is for demonstration purposes only. So I'm going to put in a fake URL. And then go ahead and click Create. It only takes a few moments for your application to be created. We're going to go ahead and click in MyCompanyApp. There are a couple pieces of information that we need to gather in order to log in as our application. First, you're going to need to copy the Application ID.
I'm just going to go ahead and copy that into Notepad. Next, you'll have to click in Keys, and generate a key. Specify your duration. Mine will be for one year. And then I must click Save. A key value has now been populated for me. I need to copy this now. You'll notice the warning up at the top. You will not be able to retrieve this key value after you leave this blade.
Be sure to copy it; otherwise, you're going to have to go through the whole process again. I can go ahead and close this blade 'cause I have copied it and I've just pasted it into a Notepad that I have on another screen. Finally, I need to go ahead and grab the Directory ID. To do so, I'm going to close a few blades, and I'm back to Azure Active Directory. I'm going to go ahead and click in Properties. This is where I can pull off my Directory ID.
I'm going to go ahead and copy this. I'm going to paste that into my handy-dandy Notepad, because I will need all these values to log in as my application. Next, we are going to assign our application to a role. In this demo I'll be assigning the role from a resource group. I'm going to go ahead, close down the Azure Active Directory blade. Going to scroll up, into Resource groups. You'll notice that I have a couple resource groups already here.
We're going to focus in on SimpleVM. And then, next, we're going to go ahead and click on Access control. This is where I can go ahead and assign that Azure application to this resource group. You will notice that we already have Subscription admins, and we also have user test. I'm now going to go ahead and assign our application to this resource group. To do so, click Add, select the role. Think I'm going to make it a reader.
You'll notice, if I scroll through this list, we do not see MyCompanyApp. It is not here. For an application, you'll have to search. I'm going to go ahead and select it, and then click OK. Now MyCompanyApp has been assigned the Reader role in our resource group. Now let's go ahead and log in as this application. To do so, I'm going to go ahead and launch PowerShell ISE.
Click the Windows key, start typing ISE. I'm going to run it as administrator; therefore I'm going to right-click, and then Run as administrator. If you happen to receive a dialog box, asking: "Are you really sure you want to run as administrator?", go ahead and click Yes. Now we can go ahead and log in as that user. The first thing I need to do is actually log in to Azure itself. Here's my Login-AzureRmAccount.
I'm going to go ahead and provide my credentials. First, I can see I've logged in, and I am not in the right subscription; therefore, I'm going to have to change into the appropriate subscription. To do so, I'll need to pull off my subscription ID. I am using the command Get-AzureRmSubscription. A list of all my subscriptions will be listed. I'm going to go ahead and copy the subscription ID for my pay-as-you-go subscription.
I'm going to go ahead and use the Select-AzureRmSubscription command to pop into that subscription. Again, this is one of the reasons why I love ISE, because there's no way I can remember all the commands. I'm going to pass the subscription ID. And you'll see now that I am in the correct subscription. We can now go ahead and continue to log in as the application.
The first thing I need to do is pull off the credentials for that application. I'm going to save these to a variable. Going to go ahead and run that command. Your first thought here would be to put in your own username and password. We actually want to put in the username and password of that application that we just created. You might be thinking to yourself: "Wait a minute, we didn't put in a username and password." You're right, we didn't. This is why we copied off those values. In User name we're going to go ahead and paste in the Application ID value, and the password is the key value.
Going to go ahead, paste that in, and then click OK. Our next command will pull our Azure subscription name, match it up with the tenant ID, and then we're going to save that in the variable tenant. So let's go ahead and create that. I need to provide the subscription name, or I could do the subscription ID. In my case, I'll do the SubscriptionName just to be a little different. I do need quotes here. Then we must finish this off with the string of our tenant ID.
Going to go ahead and run that line. Perfect. Next, we're going to go ahead and add the application as an Azure account. To do so, we're going to start off with the Add-AzureRmAccount because we are resource manager. Next, we need to add in our credential. Again, we saved that as a variable. Now we're going to specify the ServicePrincipal and TenantId.
Again, I'm using the tenant variable that we already created. Going to go ahead, run that. That's it. That application is now an account within Azure Active Directory. This'll be a little bit of a pain to do every time you need to have that application authenticate to Azure Active Directory. What you can do is you can actually save this profile. To do so, we are going to use the command Save-AzureRmProfile. You're going to provide a path. My path is quite long, so I'm just going to go ahead and copy and paste it.
We'll be saving this as a JSON file in the Exercise Files, CH02_01. Now let's go ahead and open up that JSON file. Here is our file. This'll open up Visual Studio for us. And, as you can see, the details about our application are provided to us. Our tenant ID is available. Our subscription is available. All of our endpoints are available to us, as well.
As an IT admin, we may be looking at this, going: "Oh, I'm not too sure." But your developers will be looking at this, going: "Oh, I get it." What they'll do is they'll take all of this code, embed it into the application itself so now that application can always authenticate to Azure Active Directory.
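The full PowerShell sequence from the demonstration, collected into one script as an added example (this is not the course's own exercise file). It uses the AzureRM cmdlets the demo uses, then adds the check a practitioner would want: confirming the service principal can read the SimpleVM resource group but is refused a write, which is what the Reader role should enforce. The subscription name, resource group name and profile path are placeholders to replace with your own. Note that the saved profile JSON carries the signed-in context, including the cached token, so it has to be handled as a secret rather than copied into source control or baked into an application build.

```powershell
# Added example, not part of the original course material.
# Assumed placeholder values; replace with your own.
$subscriptionName = "Pay-As-You-Go"                              # assumption
$resourceGroup    = "SimpleVM"                                   # the demo's resource group
$profilePath      = "C:\Exercise Files\CH02_01\MyCompanyApp.json" # assumption

# 1. Sign in interactively as yourself and select the right subscription.
Login-AzureRmAccount | Out-Null
Get-AzureRmSubscription | Format-Table SubscriptionName, SubscriptionId, TenantId
Select-AzureRmSubscription -SubscriptionName $subscriptionName | Out-Null

# 2. Capture the application's credential.
#    User name = Application ID from App registrations
#    Password  = the key value copied from the Keys blade
$cred = Get-Credential -Message "User name = Application ID, Password = key value"

# 3. Resolve the tenant ID from the subscription (the demo's $tenant variable).
$tenant = (Get-AzureRmSubscription -SubscriptionName $subscriptionName).TenantId

# 4. Sign in as the service principal.
Add-AzureRmAccount -Credential $cred -ServicePrincipal -TenantId $tenant | Out-Null

# 5. Verify least privilege: Reader can list resources in the group...
Get-AzureRmResource -ResourceGroupName $resourceGroup |
    Format-Table Name, ResourceType

# ...but a write (here, tagging the resource group) must be refused.
try {
    Set-AzureRmResourceGroup -Name $resourceGroup -Tag @{ rbacCheck = "reader" } -ErrorAction Stop
    Write-Warning "Write succeeded: the principal holds more than Reader on $resourceGroup"
}
catch {
    Write-Host "Write refused as expected for a Reader: $($_.Exception.Message)"
}

# 6. Save the context so the sign-in can be reused without repeating steps 1-4.
Save-AzureRmProfile -Path $profilePath
# Later, from a new session, restore it with:
#   Select-AzureRmProfile -Path $profilePath
```

The try/catch in step 5 is the useful part of the check: if the tag write succeeds, the application was assigned a broader role than intended and the assignment on the resource group should be reviewed before the key is handed to developers.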