New-SBAZServicePrincipal cmdlet to create new Azure AD Service Principal added to AZSBTools PowerShell module
For the use case of running PowerShell scripts that perform tasks on objects in an Azure subscription, we need to be able to run such scripts under a user context other than the script author's, which is the context the scripts typically run under during development. A Service Principal is an Azure AD user intended for this purpose. The New-SBAZServicePrincipal function automates and simplifies the process of creating an Azure Service Principal.
The New-SBAZServicePrincipal function takes the following parameters:
This parameter accepts one or more Service Principal names
This parameter accepts a value that represents which Azure cloud to create the SPN in. This parameter defaults to the Azure Commercial cloud. As of 15 March 2018 that list is:
To see the current list, use: (Get-AzureRMEnvironment).Name
This parameter is used to assign Role/Permissions for the Service Principal in the current subscription.
The default value is ‘Owner’ role.
As of 16 March 2018 the following default roles are defined:
API Management Service Contributor
Application Insights Component Contributor
Classic Network Contributor
Classic Storage Account Contributor
Classic Storage Account Key Operator Service Role
Classic Virtual Machine Contributor
ClearDB MySQL DB Contributor
Cosmos DB Account Reader Role
Data Factory Contributor
Data Lake Analytics Developer
DevTest Labs User
DNS Zone Contributor
DocumentDB Account Contributor
Intelligent Systems Account Contributor
Log Analytics Contributor
Log Analytics Reader
New Relic APM Account Contributor
Redis Cache Contributor
Scheduler Job Collections Contributor
Search Service Contributor
SQL DB Contributor
SQL Security Manager
SQL Server Contributor
Storage Account Contributor
Storage Account Key Operator Service Role
Traffic Manager Contributor
User Access Administrator
Virtual Machine Contributor
Web Plan Contributor
For more details on roles, type in:
Get-AzureRmRoleDefinition | select name,description,actions | Out-GridView
The New-SBAZServicePrincipal function returns a PS Object for each input Service Principal Name containing the following properties:
The New-SBAZServicePrincipal function performs the following tasks for each provided Service Principal name:
- Create/Validate Azure AD App. The Azure AD App is required to create a Service Principal. It carries the same name and has an initial URL matching the same name as well
- Create/Validate Azure AD Service Principal. The user is prompted to enter the desired password for the SPN. The password is encrypted and saved in the user’s temp folder for use with future automations
- Assign the provided Role to the SPN for the current subscription. By default this is the ‘Owner’ role. This allows the created SPN to perform all tasks against the current subscription.
Registered Apps can also be viewed in the Azure portal under the Azure Active Directory/App Registrations blade:
$SPList = New-SBAZServicePrincipal -ServicePrincipalName PowerShell01,samtest1
This example creates 2 Service Principals, PowerShell01 and samtest1, in the default Azure Commercial cloud, and assigns them the default Owner Role in the current subscription.
The New-SBAZServicePrincipal function first pops the Azure login Window to identify which subscription to use:
This function has been tested with both Azure Commercial and Azure US GOV clouds.
Next enter the desired password for each of the 2 provided Service Principals:
The function saves the encrypted password to the user's temp folder for future use/automation.
It also displays console output similar to:
The Service Principals can now be used to run other PowerShell scripts.
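As an added example (not the AZSBTools module's own code) of the three tasks listed above and of the later non-interactive use of the saved credential, here is a minimal AzureRM 5.x version. New-DemoServicePrincipal, Connect-WithStoredSpn, the http://<name> identifier URI and the <name>.cred.xml file name are assumptions, as is an existing Connect-AzureRmAccount session whose context points at the target subscription.

```powershell
# Added example, not the AZSBTools module's own code. Assumes AzureRM 5.x
# (SecureString -Password), an existing Connect-AzureRmAccount session, and
# that the current context's subscription is the one to assign the role in.
function New-DemoServicePrincipal {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Role = 'Owner'   # page default; prefer a narrower role when the script allows
    )
    $ctx   = Get-AzureRmContext
    $scope = "/subscriptions/$($ctx.Subscription.Id)"
    $uri   = "http://$Name"       # identifier URI derived from the SPN name (assumption)

    # 1. Create or reuse the Azure AD application that backs the SPN
    $app = Get-AzureRmADApplication -IdentifierUri $uri
    if (-not $app) {
        $app = New-AzureRmADApplication -DisplayName $Name -IdentifierUris $uri -HomePage $uri -Password $Password
    }

    # 2. Create or reuse the service principal for that application
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $uri
    if (-not $sp) {
        $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
        Start-Sleep -Seconds 15   # let the directory replicate before assigning a role
    }

    # 3. Assign the role at subscription scope if it is not already assigned
    if (-not (Get-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $Role -Scope $scope)) {
        New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $Role -Scope $scope | Out-Null
    }

    # 4. Store the credential in the user's temp folder. Export-Clixml encrypts the
    #    SecureString with DPAPI, so only this Windows user on this machine can read it.
    $credPath = Join-Path $env:TEMP "$Name.cred.xml"
    New-Object PSCredential ([string]$app.ApplicationId, $Password) | Export-Clixml -Path $credPath

    [pscustomobject]@{
        Name = $Name; ApplicationId = $app.ApplicationId; ObjectId = $sp.Id
        Role = $Role; TenantId = $ctx.Tenant.Id; CredentialPath = $credPath
    }
}

# Non-interactive login from a later script, using the stored credential
function Connect-WithStoredSpn {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$TenantId,
          [string]$Environment = 'AzureCloud')   # e.g. AzureUSGovernment for the US GOV cloud
    $cred = Import-Clixml -Path (Join-Path $env:TEMP "$Name.cred.xml")
    Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $TenantId -Environment $Environment
}
```

Because the stored file is DPAPI-bound, a scheduled task must run as the same Windows user that created it, or the Import-Clixml step fails to decrypt the password.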
The newly registered/validated Apps can also be viewed from the Azure Portal
To download and install the latest version of AZSBTools and its dependencies from the PowerShell Gallery, type
Install-Module POSH-SSH,SB-Tools,AZSBTools,AzureRM -Force
AZSBTools contains functions that depend on POSH-SSH, SB-Tools, and AzureRM modules, and they’re typically installed together.
To load the POSH-SSH, SB-Tools, AZSBTools, and AzureRM modules type:
Import-Module POSH-SSH,SB-Tools,AZSBTools,AzureRM -DisableNameChecking
To view a list of cmdlets/functions in AZSBTools, type
Get-Command -Module AZSBTools
To view the built-in help of one of the AZSBTools functions/cmdlets, type
help <function/cmdlet name> -show
help New-SBAZServicePrincipal -show