How to Create Service Principal

Creating Service Principal with a Role

Connect to AzureAD.

Connect-AzureAD

Create a new service principal and assign it the Contributor role on a subscription.

New-AzADServicePrincipal -DisplayName 'spforcli' -Role 'Contributor' -Scope '/subscriptions/d2ed813a-7356-11ea-bc55-0242ac130003'
Secret                : System.Security.SecureString
ServicePrincipalNames : {85c7e86a-735a-11ea-bc55-0242ac130003, http://spforcli}
ApplicationId         : 85c7e86a-735a-11ea-bc55-0242ac130003
ObjectType            : ServicePrincipal
DisplayName           : spforcli
Id                    : b6db9174-7358-11ea-bc55-0242ac130003
Type                  :

Display role assignment.

Get-AzRoleAssignment -ObjectId 'b6db9174-7358-11ea-bc55-0242ac130003'

or

Get-AzRoleAssignment -ServicePrincipalName 'http://spforcli'
RoleAssignmentId   : /subscriptions/d2ed813a-7356-11ea-bc55-0242ac130003/providers/Microsoft.Authorization/roleAssignments/a6b28cb6-7359-11ea-bc55-0242ac130003
Scope              : /subscriptions/d2ed813a-7356-11ea-bc55-0242ac130003
DisplayName        : spforcli
SignInName         :
RoleDefinitionName : Contributor
RoleDefinitionId   : adb9535a-7359-11ea-bc55-0242ac130003
ObjectId           : b6db9174-7358-11ea-bc55-0242ac130003
ObjectType         : ServicePrincipal
CanDelegate        : False

Assigning Additional Role

Assign an additional role to the service principal, here Contributor on a second subscription.

New-AzRoleAssignment -ObjectId 'b6db9174-7358-11ea-bc55-0242ac130003' -RoleDefinitionName 'Contributor' -Scope '/subscriptions/c242b2f4-7358-11ea-bc55-0242ac130003'
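The commands above grant Contributor on whole subscriptions and leave the secret in the console output. The following is an added example, not code from the original page, that creates a service principal with a narrower assignment (Reader on one resource group), gives the credential an expiry, captures the secret once so it can be stored rather than echoed, and verifies the resulting assignment. It assumes the Az module with an existing Connect-AzAccount session; the resource group, display name and Key Vault name are placeholders, and the Key Vault step additionally assumes Az.KeyVault is installed.

```powershell
# Added example: least-privilege service principal creation with a one-time
# secret capture. Assumes an existing Connect-AzAccount session.

$SubscriptionId    = 'd2ed813a-7356-11ea-bc55-0242ac130003'   # subscription id from the page
$ResourceGroupName = 'rg-cli-demo'                            # placeholder
$DisplayName       = 'spforcli-rg'                            # placeholder
$VaultName         = 'kv-cli-demo'                            # placeholder Key Vault
$Scope             = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"

# Reader on a single resource group instead of Contributor on the subscription,
# and a credential that expires instead of the default multi-year lifetime.
$sp = New-AzADServicePrincipal -DisplayName $DisplayName `
        -Role 'Reader' -Scope $Scope `
        -EndDate (Get-Date).AddMonths(6)

# The secret is only available at creation time. Older Az.Resources returns it
# as a SecureString in .Secret (the shape shown in the output above); newer
# versions return plain text in .PasswordCredentials.SecretText.
if ($sp.Secret) {
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
    $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
} else {
    $secret = $sp.PasswordCredentials.SecretText
}

# Hand the secret to a secret store instead of printing it; Key Vault is used
# here as one option. The plain-text copy is dropped right after.
Set-AzKeyVaultSecret -VaultName $VaultName -Name "$DisplayName-secret" `
    -SecretValue (ConvertTo-SecureString $secret -AsPlainText -Force) | Out-Null
Remove-Variable secret

# Verify: exactly one assignment, at the intended scope. Role assignments can
# take a short while to propagate, so re-run this part if the list is empty.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id)
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
if ($assignments.Count -ne 1 -or $assignments[0].Scope -ne $Scope) {
    Write-Warning "Unexpected role assignments for $DisplayName; review before handing out the credential."
}
```

The ApplicationId and ObjectId of the new principal are in $sp.ApplicationId and $sp.Id; those are what the login and role-assignment commands later on the page need, so they can be printed freely, unlike the secret.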

Displaying and Changing Current Subscription

Get the current subscription.

Get-AzContext
Name                                     Account                                          SubscriptionName                                 Environment                                      TenantId
----                                     -------                                          ----------------                                 -----------                                      --------
subscription-001 (d2ed813a-7356-…        MSI@50342                                        subscription-001                          AzureCloud                                       24202dc0-735a-11ea-bc55-0242ac130003

List available subscriptions.

Get-AzSubscription
Name             Id                                   TenantId                             State
----             --                                   --------                             -----
subscription-002 c242b2f4-7358-11ea-bc55-0242ac130003 24202dc0-735a-11ea-bc55-0242ac130003 Enabled
subscription-001 d2ed813a-7356-11ea-bc55-0242ac130003 24202dc0-735a-11ea-bc55-0242ac130003 Enabled

Change subscription.

$context = Get-AzSubscription -SubscriptionId 'c242b2f4-7358-11ea-bc55-0242ac130003'
Set-AzContext $context

Deleting Service Principal

Delete service principal.

Remove-AzADServicePrincipal -ObjectId 'b6db9174-7358-11ea-bc55-0242ac130003'
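Get-AzRoleAssignment only reports assignments inside the current subscription, so reviewing a principal that was granted roles on several subscriptions (as in the "Assigning Additional Role" step) means switching context the way the previous section shows. Deleting the principal first also leaves its role assignments behind as orphaned entries that the portal shows as "Identity not found". The following added script, not part of the original page, walks every subscription the signed-in account can see, lists the principal's assignments and flags subscription-wide or management-group-wide scopes, and with -Remove deletes the assignments before deleting the principal. It assumes the Az module and an existing Connect-AzAccount session; the script name in the usage note is a placeholder.

```powershell
# Added example: audit a service principal's role assignments across all
# subscriptions, then optionally remove them and the principal itself.
# Assumes an existing Connect-AzAccount session.
param(
    [Parameter(Mandatory)] [string] $ObjectId,   # e.g. the ObjectId shown on the page
    [switch] $Remove
)

$original = Get-AzContext   # restore the caller's subscription afterwards
$findings = @()

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -Subscription $sub.Id | Out-Null

    # Returns assignments at every scope inside this subscription, plus
    # inherited ones from management groups above it.
    foreach ($ra in Get-AzRoleAssignment -ObjectId $ObjectId) {
        $broad = ($ra.Scope -match '^/subscriptions/[^/]+$') -or
                 ($ra.Scope -like '/providers/Microsoft.Management/*')
        $findings += [pscustomobject]@{
            Subscription = $sub.Name
            Role         = $ra.RoleDefinitionName
            Scope        = $ra.Scope
            BroadScope   = $broad
        }
        if ($Remove) {
            Remove-AzRoleAssignment -ObjectId $ObjectId `
                -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
        }
    }
}

Set-AzContext $original | Out-Null
$findings | Format-Table -AutoSize

if ($Remove) {
    # Only now that no assignments point at it.
    Remove-AzADServicePrincipal -ObjectId $ObjectId
}
```

Run it first without -Remove (for example `.\Audit-ServicePrincipal.ps1 -ObjectId 'b6db9174-7358-11ea-bc55-0242ac130003'`) to see the table; any row with BroadScope True is a candidate for narrowing rather than deletion. Note that the script can only see subscriptions the signed-in account has access to, so assignments in other subscriptions would still be left behind.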

Logging In CLI using Service Principal

Replace <secret> with the client secret that was set in the App Registration.

az login --service-principal -u 'http://spforcli' -p '<secret>' --tenant '24202dc0-735a-11ea-bc55-0242ac130003'

List available subscriptions.

az account list -o table
Name                     CloudName    SubscriptionId                        State    IsDefault
-----------------------  -----------  ------------------------------------  -------  -----------
subscription-002         AzureCloud   c242b2f4-7358-11ea-bc55-0242ac130003  Enabled  False
subscription-001         AzureCloud   d2ed813a-7356-11ea-bc55-0242ac130003  Enabled  True
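Passing the secret as a literal on the command line records it in the shell history and exposes it to anyone who can read the process list. The following added example, not part of the original page, does the same login from PowerShell with the secret taken from an environment variable, logs in by application id rather than the http:// identifier URI, selects the subscription explicitly instead of relying on IsDefault, and confirms the identity before anything else runs. It assumes the Azure CLI is installed and that AZURE_CLIENT_SECRET was populated beforehand (for instance from the secret store the secret was saved to at creation time); the environment variable name is an assumption of this example.

```powershell
# Added example: Azure CLI login as a service principal without a secret on
# the command line. Assumes the Azure CLI is on PATH.

$AppId    = '85c7e86a-735a-11ea-bc55-0242ac130003'   # ApplicationId from the page
$TenantId = '24202dc0-735a-11ea-bc55-0242ac130003'   # tenant id from the page
$SubId    = 'c242b2f4-7358-11ea-bc55-0242ac130003'   # subscription-002 from the page

if (-not $env:AZURE_CLIENT_SECRET) {
    throw 'Set AZURE_CLIENT_SECRET in the environment (e.g. from Key Vault) before running.'
}

# --output none suppresses the subscription listing that az login normally
# prints, so nothing about the tenant lands in console logs.
az login --service-principal `
    --username $AppId `
    --password $env:AZURE_CLIENT_SECRET `
    --tenant $TenantId `
    --output none
if ($LASTEXITCODE -ne 0) { throw 'az login failed' }

# Pin the subscription instead of trusting whichever one IsDefault points at.
az account set --subscription $SubId
if ($LASTEXITCODE -ne 0) { throw "could not select subscription $SubId" }

# Confirm who we are and where commands will run before doing anything else.
$ctx = az account show --output json | ConvertFrom-Json
if ($ctx.user.type -ne 'servicePrincipal' -or $ctx.id -ne $SubId) {
    throw "unexpected context: $($ctx.user.name) on $($ctx.id)"
}
"Logged in as $($ctx.user.name) ($($ctx.user.type)) on $($ctx.name) [$($ctx.id)]"
```

For a service principal, az account show reports the application id as user.name and "servicePrincipal" as user.type, which is what the check above relies on. Where the principal has a certificate credential instead of a secret, the same az login call accepts a path to a PEM file containing the key and certificate as the --password value, which avoids a shared secret entirely.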
