Monday, January 13, 2025

Methods to Create Azure Service Principal with Certificates (PowerShell)


When working with Azure, the way a service principal authenticates matters. Client secrets are the common choice, but a certificate is the safer option: the private key never has to be pasted into a pipeline variable or a configuration file, and Entra ID only ever stores the public half. In this guide we walk through creating a self-signed certificate, attaching its public part to an app registration, and using it to sign in as the service principal from PowerShell.

Step 1: Switching to the Admin Account

Before you begin, make sure you are signed in with an account that is allowed to edit the app registration. Drop any existing session first so you do not accidentally keep working as a different identity:

Disconnect-AzAccount
Connect-AzAccount

The account must be an owner of the app registration or hold a directory role such as Application Administrator. A Global Administrator also works, but that is more privilege than this task needs. Check with Get-AzContext that the account and tenant are the ones you expect.

Step 2: Creating a Self-Signed Certificate

Next, instead of a client secret, we create a self-signed certificate. In PowerShell, use the `New-SelfSignedCertificate` cmdlet to generate it:

$cert = New-SelfSignedCertificate -DnsName AzureVMManagement -CertStoreLocation cert:\CurrentUser\My

This creates a certificate with the subject name `AzureVMManagement` and stores it, together with its private key, in the current user's personal certificate store. With the defaults it is a 2048-bit RSA key valid for one year, so plan to rotate it before then.

Step 3: Exporting the Private Key

Azure itself never needs the private key; only the public certificate is uploaded in the later steps. Export a password-protected PFX only if you want an offline backup or need to move the certificate to the machine that will actually authenticate:

$secPassword = ConvertTo-SecureString -String "P@ss0word!" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\VMManagementApp\PrivateKey.pfx -Password $secPassword

The private key is protected by the password and written to a `.pfx` file. Treat that file as a credential: anyone holding it and the password can authenticate as the service principal. The password is hard-coded here for brevity; in real use read it with `Read-Host -AsSecureString` rather than leaving it in a script.

Step 4: Encoding the Certificate for Azure

The public certificate now has to be turned into the base64-encoded DER form that the Entra ID application credential expects. Reading it back from the PFX:

$PfxCertificate = Get-PfxCertificate -FilePath C:\VMManagementApp\PrivateKey.pfx -Password $secPassword
$keyValue = [System.Convert]::ToBase64String($PfxCertificate.GetRawCertData())

`GetRawCertData()` returns only the certificate, not the private key, so `$keyValue` is safe to hand to Azure. Two notes: the `-Password` parameter of `Get-PfxCertificate` exists in PowerShell 6.1 and later (Windows PowerShell 5.1 prompts for the password instead), and because `$cert` from Step 2 is already an X509Certificate2 object you can skip the round trip entirely and call `$cert.GetRawCertData()` directly.

Step 5: Adding the Certificate to the Application

Find your application by display name and add the certificate as a key credential:

$app = Get-AzADApplication -DisplayName VMManagement
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $keyValue -StartDate $PfxCertificate.NotBefore -EndDate $PfxCertificate.NotAfter

This attaches the base64 certificate to the app registration using the certificate's own validity window. `New-AzADAppCredential` comes from the Az.Resources module; if `Get-AzADApplication` returns more than one object, the display name is not unique and you should select the registration by `-ApplicationId` instead.

Step 6: Removing Old Certificates

If older certificates are still attached to the application, clean them up once the new one is in place:

$oldCerts = (Get-AzADApplication -DisplayName VMManagement).KeyCredentials | Sort-Object EndDateTime | Select-Object -SkipLast 1
$oldCerts | ForEach-Object { Remove-AzADAppCredential -ApplicationId $app.AppId -KeyId $_.KeyId }

This keeps only the credential with the latest expiry and removes the rest. Do this only after you have confirmed the new certificate works (Step 7) and that no other system still authenticates with one of the older certificates, otherwise you will lock that system out.

Step 7: Authenticating with the New Certificate

Finally, test authentication with the newly created certificate:

Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.Id

Az looks the thumbprint up in the local certificate store and signs the token request with the private key, so this only works on a machine where the certificate and its private key are installed (for us, the `cert:\CurrentUser\My` store from Step 2). If everything is set up correctly, the session is now the service principal rather than your admin account; `Get-AzContext` shows the application ID as the account.

Step 8: Testing Permissions

Check that the service principal's permissions are intact:

You should be able to manage VMs. For a negative test, try an action that the assigned role does not allow:

This should be blocked with an authorization error if the role assignment is scoped correctly. A negative test that succeeds means the service principal holds more privilege than intended.

Step 9: Removing the Certificate

To see what happens when the local certificate is gone:

$cert | Remove-Item
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.Id

Authentication now fails before a request ever reaches Azure, because there is no private key under that thumbprint to sign the client assertion with. The reverse case, removing the credential from the app registration with `Remove-AzADAppCredential` while the local certificate remains, fails on the Azure side instead: the signed assertion is rejected because the public key is no longer registered for the application.

Keep the private key where it was generated (or in a protected PFX with a strong password), track the expiry date of the uploaded credential, and rotate before it lapses to avoid authentication outages.
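The steps above as one script, added here as an example and not code from the original post. It uploads only the public certificate (no PFX or password needed), proves the new credential works by signing in with it, probes an allowed and a disallowed action, and only then retires the older credentials. It assumes the Az.Accounts, Az.Resources and Az.Compute modules, that you are already signed in as an administrator who can edit the registration, and an app registration called `VMManagement` with a VM-management role; the two permission probes (`Get-AzVM` as allowed, deleting a non-existent resource group as disallowed) are assumptions and should be swapped for actions that match your role.

```powershell
# Added end-to-end example (not code from the original post).
# Assumptions: Az.Accounts, Az.Resources and Az.Compute are installed; you are signed in
# with an account that owns the app registration (or is Application Administrator);
# the registration is named 'VMManagement' and holds a VM-management role.

$AppDisplayName = 'VMManagement'
$CertSubject    = 'CN=AzureVMManagement'

$adminCtx = Get-AzContext
if (-not $adminCtx) { throw 'Run Connect-AzAccount as the administrator first.' }
$tenantId = $adminCtx.Tenant.Id

$app = Get-AzADApplication -DisplayName $AppDisplayName
if (-not $app) { throw "Application '$AppDisplayName' not found in tenant $tenantId" }
if (@($app).Count -gt 1) { throw "Display name '$AppDisplayName' is not unique; select by -ApplicationId instead." }

# 1. Generate the key pair directly in the user store. One-year validity forces a rotation
#    schedule; the private key is never written to disk by this script.
$cert = New-SelfSignedCertificate -Subject $CertSubject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Upload only the public certificate. GetRawCertData() is the DER-encoded certificate
#    without the private key, so no PFX export is required for this step.
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$newCred  = New-AzADAppCredential -ApplicationId $app.AppId -CertValue $keyValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter
if (-not $newCred.KeyId) { throw 'Credential upload did not return a KeyId; aborting before rotation.' }

# 3. Prove the credential works by signing in as the service principal. This needs the
#    private key, which lives in the local store under $cert.Thumbprint.
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint `
    -ApplicationId $app.AppId -TenantId $tenantId | Out-Null

# 4. Permission probes (assumed for a VM-management role; adjust to your role).
$vmCount = (Get-AzVM -ErrorAction Stop | Measure-Object).Count
Write-Host "Allowed action OK: service principal can list $vmCount VM(s)."

# Deleting a resource group that does not exist is side-effect free: an RBAC denial is an
# authorization error, while a not-found error means the action would have been permitted.
try {
    Remove-AzResourceGroup -Name 'rg-permission-probe-does-not-exist' -Force -ErrorAction Stop
    Write-Warning 'Disallowed action was NOT blocked: the role is broader than intended.'
} catch {
    if ($_.Exception.Message -match 'AuthorizationFailed|does not have authorization') {
        Write-Host 'Disallowed action correctly blocked by RBAC.'
    } else {
        Write-Warning "Probe did not fail with an RBAC denial, so the action may be allowed: $($_.Exception.Message)"
    }
}

# 5. Back on the admin context, retire every other certificate credential now that the new
#    one is proven. Skip this if another system still authenticates with an older certificate.
Set-AzContext -Context $adminCtx | Out-Null
(Get-AzADApplication -ApplicationId $app.AppId).KeyCredentials |
    Where-Object { $_.KeyId -ne $newCred.KeyId } |
    ForEach-Object {
        Write-Host "Removing credential $($_.KeyId) (expires $($_.EndDateTime))"
        Remove-AzADAppCredential -ApplicationId $app.AppId -KeyId $_.KeyId
    }
```

Rotation is driven by the `KeyId` that `New-AzADAppCredential` returns rather than by sorting on expiry dates, so it cannot accidentally keep the wrong credential when two certificates expire on the same day.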
