Insights on Azure AD service principals
Insights and change tracking on Azure Active Directory Service Principals (Enterprise Applications and Applications): https://github.com/JulianHayward/AzAdServicePrincipalInsights
Azure application service principal resources:
https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
The AzureAD PowerShell Module
If you don't already have the AzureAD PowerShell module, you can install it by running Install-Module AzureAD -Force. Then run the following commands:
Connect-AzureAD -TenantId "YOUR_TENANT_ID"
# The application object has to exist first; the service principal is then created from its AppId
$myApp = New-AzureADApplication -DisplayName "AzureAD Module App" -IdentifierUris "https://azureadmoduleapp"
$mySP = New-AzureADServicePrincipal -AppId $myApp.AppId
Note that the AzureAD module does not create the application object for you: you have to create it first and then create the service principal from it. The commands above give you a service principal, but without any credential it could log in with. If you want a password associated with the service principal, run the following:
$spCredParameters = @{
    StartDate = [DateTime]::UtcNow
    EndDate   = [DateTime]::UtcNow.AddYears(1)   # one-year lifetime
    Value     = 'MySuperAwesomePasswordIs3373'   # the secret itself
    ObjectId  = $mySP.ObjectId
}
New-AzureADServicePrincipalPasswordCredential @spCredParameters
Now you have a service principal that you can assign roles and permissions to.
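Password credentials are a shared secret that has to be stored and handed around. As an added example (not part of the original notes), the same service principal can instead be given a certificate credential, where only the public key goes to Azure AD and the private key stays non-exportable on the machine that signs in. It assumes the AzureAD module, the $myApp and $mySP variables from the commands above, and a tenant id placeholder you replace with your own.

```powershell
# Added example: certificate credential for the service principal created above.
# Assumes Windows PowerShell with the AzureAD module and $myApp / $mySP already in scope.
$tenantId = "YOUR_TENANT_ID"   # placeholder, replace with your tenant id

# Self-signed certificate in the current user's store; the private key is not exportable
$cert = New-SelfSignedCertificate -Subject "CN=AzureADModuleApp-SP" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddMonths(12)

# Only the public certificate is sent to Azure AD, base64-encoded as the key credential value
$publicKey = [System.Convert]::ToBase64String($cert.GetRawCertData())

$keyCredParameters = @{
    ObjectId            = $mySP.ObjectId
    CustomKeyIdentifier = [System.Convert]::ToBase64String($cert.GetCertHash())
    Type                = 'AsymmetricX509Cert'
    Usage               = 'Verify'
    Value               = $publicKey
    StartDate           = $cert.NotBefore
    EndDate             = $cert.NotAfter
}
New-AzureADServicePrincipalKeyCredential @keyCredParameters

# Sign in as the service principal with the certificate; no secret appears on the command line
Connect-AzureAD -TenantId $tenantId -ApplicationId $myApp.AppId -CertificateThumbprint $cert.Thumbprint
```

The credential's EndDate is tied to the certificate's NotAfter, so rotation is forced by the certificate lifetime rather than left to whoever remembers the password.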
Retrieve the password credential of a service principal
PS C:\> $ServicePrincipalId = (Get-AzureADServicePrincipal -Top 1).ObjectId
PS C:\> Get-AzureADServicePrincipalPasswordCredential -ObjectId $ServicePrincipalId
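Retrieving one service principal's credential is mostly useful for a spot check. As an added example (not from the original notes), the loop below walks every service principal in the tenant, lists its password and key credentials, and flags the ones that are expired, expire within 30 days, or have a lifetime longer than two years; the thresholds and the output file name are assumptions you can adjust. It assumes an existing Connect-AzureAD session with permission to read service principals.

```powershell
# Added example: credential hygiene report over all service principals.
# Assumes an active Connect-AzureAD session; 30 days / 730 days are example thresholds.
$now          = [DateTime]::UtcNow
$expiringSoon = $now.AddDays(30)
$maxLifetime  = [TimeSpan]::FromDays(730)

$report = foreach ($sp in Get-AzureADServicePrincipal -All $true) {
    # Tag each credential with its kind so both types end up in one table
    $passwords = Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId |
        ForEach-Object { $_ | Add-Member -NotePropertyName Kind -NotePropertyValue 'Password' -PassThru }
    $keys = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId |
        ForEach-Object { $_ | Add-Member -NotePropertyName Kind -NotePropertyValue 'Key' -PassThru }

    # @() of an empty result yields a single $null, so drop those before iterating
    foreach ($cred in ((@($passwords) + @($keys)) | Where-Object { $null -ne $_ })) {
        $lifetime = $cred.EndDate - $cred.StartDate
        # Later checks override earlier ones, so Expired wins over ExpiringSoon wins over LongLived
        $status = 'OK'
        if ($lifetime -gt $maxLifetime)      { $status = 'LongLived' }
        if ($cred.EndDate -lt $expiringSoon) { $status = 'ExpiringSoon' }
        if ($cred.EndDate -lt $now)          { $status = 'Expired' }

        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Kind        = $cred.Kind
            KeyId       = $cred.KeyId
            StartDate   = $cred.StartDate
            EndDate     = $cred.EndDate
            Status      = $status
        }
    }
}

# Show only the findings worth acting on; keep the full list as an audit trail
$report | Where-Object Status -ne 'OK' | Sort-Object EndDate | Format-Table -AutoSize
$report | Export-Csv -Path .\sp-credential-report.csv -NoTypeInformation
```

Expired credentials that are still attached are a cleanup item; long-lived ones are the ones to put on a rotation schedule, and the CSV gives you a baseline to diff against on the next run.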
https://www.locktar.nl/programming/powershell/connect-to-azuread-with-service-principal/
$ObjectIdOfApplicationToChange = "82bd7dd3-accf-4808-97ef-6bc6e27ade9b"
$TenantId = "Your tenant here"
$ApplicationId = "Your application id to login here"
$ServicePrincipalKey = ConvertTo-SecureString -String "Put a key of the application here" -AsPlainText -Force

Write-Information "Login to AzureRM as SP: $ApplicationId"
$AzureADCred = New-Object System.Management.Automation.PSCredential($ApplicationId, $ServicePrincipalKey)
Add-AzureRmAccount -ServicePrincipal -Credential $AzureADCred -TenantId $TenantId

# Get the application with AzureRM because this fills the token cache for AzureAD as well (hidden feature)
Write-Information "Get application with AzureRM: $ObjectIdOfApplicationToChange"
Get-AzureRmADApplication -ObjectId $ObjectIdOfApplicationToChange

# Pull the Azure AD Graph token out of the AzureRM token cache
$ctx = Get-AzureRmContext
$cache = $ctx.TokenCache
$cacheItems = $cache.ReadItems()
$token = ($cacheItems | Where-Object { $_.Resource -eq "https://graph.windows.net/" })

Write-Information "Login to AzureAD with same SP: $ApplicationId"
Connect-AzureAD -AadAccessToken $token.AccessToken -AccountId $ctx.Account.Id -TenantId $ctx.Tenant.Id

Write-Information "Now get same application with AzureAD: $ObjectIdOfApplicationToChange"
Get-AzureADApplication -ObjectId $ObjectIdOfApplicationToChange