
Basic configuration (Azure)

Simple steps to enable your Azure cloud environment #setup #access #admin #Azure


Azure

In Azure, a Service Principal is like a user identity with a specific role and permissions, but it's used by applications, scripts, or services to access Azure resources. This document will run through creating a Service Principal with a secret. The secret is a password or key that your application will use to authenticate itself when accessing Azure services.

Service Principals provide a secure and manageable way for your applications to access Azure resources. Instead of using your personal Azure account, you can create a specific identity for your application, reducing security risks and improving accountability.

As the creator of the service principal, you and your organisation retain full control over its access to your environment; if that access needs to be removed, you can revoke it at any time.

Sign in to the Azure Portal

Sign in to the Azure portal using your Azure account and locate the Azure Active Directory (Azure AD) service, where identity and authentication are managed in Azure.

Create a new Application registration

In Azure Active Directory, select "App registrations" from the left-hand menu and click the "+ New registration" button. Enter the following details:

  • Application name: how it will be identified in Azure AD. Feel free to choose something meaningful for this purpose that conforms with other
  • Supported account type: which accounts will be able to use this Service Principal. Generally, "Accounts in this organizational directory only" is a safe choice.

Once ready, click "Register" to create the application.

On the application's overview page, take note of and record the Application (client) ID to provide later.

Generate a Client secret

A secret should be created to complete the credential set used to authenticate as that service principal. Navigate to "Manage" in the menu and select "Certificates & secrets". Under the "Client secrets" section, click on "+ New client secret" and provide the following details:

  • Description: information relating to the usage of the secret. It is recommended that some wording about its use by this service be included.
  • Expiration duration: the period for which the secret is valid. One year is commonly used, but consider your internal security requirements. Note also that this determines when you will need to replace the secret.

Once submitted, the client secret value is displayed; copy it and store it securely (Azure Key Vault is a good option). You won't be able to view it again.
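The same registration, service principal and client secret can be created from the Azure CLI instead of the portal. The script below is an added example written for this page, not code from the page or from any project's own tooling; it assumes a current Azure CLI already signed in with `az login`, and the input names `APP_NAME`, `KEY_VAULT_NAME` and `SECRET_YEARS` are illustrative assumptions. The `az_cmd` wrapper exists only so the calls can be intercepted.

```shell
#!/bin/sh
# Added example (not from the page): create an app registration, its service
# principal and a client secret with the Azure CLI, mirroring the portal steps.
# Assumed inputs: APP_NAME, KEY_VAULT_NAME, SECRET_YEARS (default 1).
set -eu

# Indirection so the az invocation can be replaced in tests
az_cmd() { az "$@"; }

# Register the application restricted to this tenant only
# ("Accounts in this organizational directory only" in the portal).
# Prints the Application (client) ID to record for later.
create_app() {
    app_name=$1
    az_cmd ad app create \
        --display-name "$app_name" \
        --sign-in-audience AzureADMyOrg \
        --query appId -o tsv
}

# The CLI does not create the service principal object automatically as the
# portal does; create it explicitly and print its object ID.
create_sp() {
    app_id=$1
    az_cmd ad sp create --id "$app_id" --query id -o tsv
}

# Add a client secret with a description and expiry in years.
# --append keeps any existing secrets, which matters when rotating.
# The secret value is printed exactly once; it cannot be retrieved later.
create_secret() {
    app_id=$1; years=$2; description=$3
    az_cmd ad app credential reset \
        --id "$app_id" \
        --append \
        --years "$years" \
        --display-name "$description" \
        --query password -o tsv
}

# Store the secret in Key Vault rather than in a file or shell history
store_secret() {
    vault=$1; name=$2; value=$3
    az_cmd keyvault secret set \
        --vault-name "$vault" --name "$name" --value "$value" \
        --query id -o tsv
}

main() {
    app_id=$(create_app "$APP_NAME")
    sp_object_id=$(create_sp "$app_id")
    secret=$(create_secret "$app_id" "${SECRET_YEARS:-1}" \
        "cost reporting access for ${APP_NAME}")
    store_secret "$KEY_VAULT_NAME" "${APP_NAME}-client-secret" "$secret" >/dev/null
    unset secret
    echo "Application (client) ID:     $app_id"
    echo "Service principal object ID: $sp_object_id"
}

# Only run when the assumed inputs are provided
if [ -n "${APP_NAME:-}" ] && [ -n "${KEY_VAULT_NAME:-}" ]; then
    main
fi
```

Run it as `APP_NAME=cost-reporting KEY_VAULT_NAME=my-vault sh create-sp.sh`; the Application (client) ID it prints is the value the page asks you to record, and the secret never reaches the terminal because it goes straight into Key Vault.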

Submit service principal details

Under development. In the meantime, consult your agency partner on how best to provide these details.

Grant service principal permissions

To allow your service principal to see cost details of your resources, you will need to grant it the appropriate level of access. This can be done at the Management group or Subscription level, depending on your access. This guide covers granting the service principal access to a Subscription; the process is similar for a Management group.

Sign in to the Azure Portal

Sign in to the Azure portal using your Azure account and locate the Subscriptions service where subscriptions are managed in Azure.

Add role access to resources

In Subscriptions, click the name of the Subscription that you want to enrol. Select Access control (IAM) in the left-hand menu, then click Add and choose Add role assignment.

Two roles need to be added for the service principal for each Subscription, to allow for sufficient access:

| Role | Description |
|------|-------------|
| Reader | To allow the service principal to see the resource and basic metadata about it, such as tags |
| Cost Management Reader | To allow the service principal to access the cost APIs in Azure |

To add each, click to highlight the role name when prompted to Add role assignment, then click Next. With Assign access to set to User, group, or service principal, click "+ Select members" to bring up the Select members side panel. Search for the name of the service principal you created above, and once found select it. Then click Next.

You will be presented with a Review screen showing the information you have just provided. Confirm that it is correct, then click "Review + assign" to set the permission. Repeat for each role you need to add to this Subscription, and across all Subscriptions that need to be enrolled.
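Both role assignments can also be made and, more importantly, verified from the Azure CLI. The script below is an added example for this page, not code from the page or from any project; it assumes a signed-in Azure CLI, and `SUBSCRIPTION_ID` and `APP_ID` (the Application (client) ID recorded when the registration was created) are illustrative input names. It goes slightly beyond the portal steps by assigning via the service principal's object ID, which avoids the transient "principal not found" failure when the principal was created moments earlier, and by checking afterwards that both roles the page lists are actually present.

```shell
#!/bin/sh
# Added example (not from the page): assign Reader and Cost Management Reader
# at subscription scope and verify both are present.
# Assumed inputs: SUBSCRIPTION_ID, APP_ID.
set -eu

# Indirection so the az invocation can be replaced in tests
az_cmd() { az "$@"; }

# The two roles the page requires. One per line, because
# "Cost Management Reader" contains spaces.
REQUIRED_ROLES="Reader
Cost Management Reader"

subscription_scope() { printf '/subscriptions/%s' "$1"; }

# Resolve the service principal object ID from the Application (client) ID
sp_object_id() { az_cmd ad sp show --id "$1" --query id -o tsv; }

# Create one role assignment per required role at the subscription scope
assign_required_roles() {
    sub=$1; app_id=$2
    scope=$(subscription_scope "$sub")
    object_id=$(sp_object_id "$app_id")
    printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
        az_cmd role assignment create \
            --assignee-object-id "$object_id" \
            --assignee-principal-type ServicePrincipal \
            --role "$role" \
            --scope "$scope" \
            --query id -o tsv
    done
}

# The check: list the role names assigned to the principal at this scope and
# report any required role that is missing. Returns 1 if anything is missing.
verify_required_roles() {
    sub=$1; app_id=$2
    scope=$(subscription_scope "$sub")
    assigned=$(az_cmd role assignment list \
        --assignee "$app_id" --scope "$scope" \
        --query "[].roleDefinitionName" -o tsv)
    missing=$(printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
        # -F fixed string, -x whole line, -q quiet
        printf '%s\n' "$assigned" | grep -Fxq -- "$role" || printf '%s\n' "$role"
    done)
    if [ -n "$missing" ]; then
        printf 'Missing role assignment(s) for %s at %s:\n%s\n' \
            "$app_id" "$scope" "$missing" >&2
        return 1
    fi
    printf 'All required roles assigned to %s at %s\n' "$app_id" "$scope"
}

main() {
    assign_required_roles "$SUBSCRIPTION_ID" "$APP_ID" >/dev/null
    verify_required_roles "$SUBSCRIPTION_ID" "$APP_ID"
}

# Only run when the assumed inputs are provided
if [ -n "${SUBSCRIPTION_ID:-}" ] && [ -n "${APP_ID:-}" ]; then
    main
fi
```

Run it once per Subscription to enrol, for example `SUBSCRIPTION_ID=<subscription guid> APP_ID=<application (client) id> sh grant-roles.sh`; `verify_required_roles` on its own is also a useful periodic check that nobody has since removed one of the two roles.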