LAB : Azure Stack – Provide applications access to Azure Stack
When an application needs access to deploy or configure resources through Azure Resource Manager in Azure Stack, you create a service principal, which is an identity for your application. You can then delegate only the necessary permissions to that service principal.
As an example, you may have a configuration management tool that uses Azure Resource Manager to inventory resources. In this scenario, you can create a service principal, grant the reader role to that service principal, and limit the configuration management tool to read-only access.
Service principals are preferable to running the app under your own credentials because:
- You can assign permissions to the service principal that are different than your own account permissions.
- Typically, these permissions are restricted to exactly what the app needs to do.
- You do not have to change the app’s credentials if your responsibilities change.
- You can use a certificate to automate authentication when executing an unattended script.
Task 1 : Create service principal for ADFS
In this section, we will use PowerShell to create a service principal.
- Run PowerShell as Administrator and navigate to the C:\AzureStack-Tools-master directory. Import the Identity PowerShell module by using the following commands:
- Create the service principal by executing the following command. Get-Credential prompts for the AD FS administrator account that is allowed to register the application; the command returns an object that holds the new application's identifiers and is kept in $servicePrincipal for the later sign-in step:
$servicePrincipal = New-ADGraphServicePrincipal `
    -DisplayName "<YourServicePrincipalName>" `
    -AdminCredential $(Get-Credential)
You have created a service principal for your application.
Task 3 : Assign a role to the service principal
To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application, and prefer the least privileged role that still covers the work (for the inventory scenario above, Reader). To learn about the available roles, see RBAC: Built-in Roles.
You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.
- In the Azure Stack portal, navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or resource.
- Select the particular subscription (resource group or resource) to assign the application to.
- Select Access Control (IAM).
- Select Add.
- Select the role you wish to assign to the application.
- Search for your application, and select it.
- Select OK to finish assigning the role. You see your application in the list of users assigned to a role for that scope.
Now that you’ve created a service principal and assigned a role, you can begin using this within your application to access Azure Stack resources.
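The portal steps above can also be scripted, which is how you would normally do this for a configuration management tool that is itself deployed by automation. The following script is an added example and is not part of the lab or of the AzureStack-Tools project. It assigns the Reader role at resource-group scope (the narrowest scope from the list in the previous paragraph that still covers the inventory scenario) and then checks that the principal holds nothing broader, such as Owner or Contributor, or any role at subscription scope. It assumes the AzureRM modules, that you are already signed in to the Azure Stack environment as a user who may manage role assignments, that the AzureRM role-assignment cmdlets can resolve the application ID through your Azure Stack directory (if they cannot, use -ObjectId instead), and the placeholder values in the variables.

```powershell
# Added example, not from the lab: scripted least-privilege role assignment
# followed by a check for over-broad rights. Placeholder values are assumptions.
$appId         = "<ApplicationIdOfYourServicePrincipal>"   # $servicePrincipal.ApplicationId from Task 1
$resourceGroup = "<ResourceGroupName>"
$role          = "Reader"

# Build the scope string for the resource group in the current subscription.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Grant exactly the role needed, at the narrowest scope that covers the work.
# Assumption: -ApplicationId resolution works against the Azure Stack directory.
New-AzureRmRoleAssignment -ApplicationId $appId `
    -RoleDefinitionName $role -Scope $scope | Out-Null

# Check: enumerate every assignment the principal holds in this subscription
# and flag anything at subscription scope or any privileged built-in role.
$privilegedRoles = @("Owner", "Contributor", "User Access Administrator")
$all   = Get-AzureRmRoleAssignment -ServicePrincipalName $appId
$broad = $all | Where-Object {
    $_.Scope -eq "/subscriptions/$subscriptionId" -or
    $privilegedRoles -contains $_.RoleDefinitionName
}

if ($broad) {
    Write-Warning "Service principal $appId holds broader rights than intended:"
    $broad | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    "OK: $appId holds only '$role' on $scope"
}
```

Run this once after creating the principal and again whenever the application's permissions are reviewed; an assignment that appears in the warning list is exactly the "permissions different from your own account" situation the introduction warns about, just in the wrong direction.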
Task 4 : Sign in through PowerShell
Once you've assigned a role, you can sign in to Azure Stack using the service principal with the following command. <AzureStackEnvironmentName> is the name under which the Azure Stack endpoints were registered with Add-AzureRmEnvironment, the certificate identified by the thumbprint must be installed in the certificate store of the machine running the script, and $directoryTenantId must already hold the ID of your directory tenant (it is not set on this page):
Add-AzureRmAccount -EnvironmentName "<AzureStackEnvironmentName>" `
    -ServicePrincipal -CertificateThumbprint $servicePrincipal.Thumbprint `
    -ApplicationId $servicePrincipal.ApplicationId -TenantId $directoryTenantId
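A role assignment is only as good as its verified effect. The following script is an added example, not part of the lab or of the AzureStack-Tools project: it checks the certificate before attempting the sign-in (a missing or expired certificate otherwise surfaces as an opaque authentication error), signs in as the service principal, and then confirms that read access works while a write (creating a resource group) is refused, which is what the Reader role from Task 3 should enforce. It assumes the AzureRM modules, an Azure Stack environment already registered with Add-AzureRmEnvironment, that the region name is "local" as on an Azure Stack Development Kit, and the placeholder values in the variables.

```powershell
# Added example, not from the lab: sign in as the service principal and verify
# that it can read but not write. Placeholder values are assumptions.
$environmentName   = "<AzureStackEnvironmentName>"
$appId             = "<ApplicationId>"
$thumbprint        = "<CertificateThumbprint>"
$directoryTenantId = "<DirectoryTenantId>"
$location          = "local"   # assumption: ASDK region name

# Fail early if the certificate is not usable on this machine.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in CurrentUser\My or LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)" }

# Unattended sign-in with the certificate, no password in the script.
Add-AzureRmAccount -EnvironmentName $environmentName -ServicePrincipal `
    -CertificateThumbprint $thumbprint -ApplicationId $appId `
    -TenantId $directoryTenantId | Out-Null

# Read check: Reader must be able to enumerate resources in scope.
$resources = @(Get-AzureRmResource)
"Read check: $($resources.Count) resource(s) visible to $appId"

# Write check: Reader must NOT be able to create anything. Use a random name so
# a failed cleanup never collides with a real resource group.
$probeName = "rbac-probe-" + [guid]::NewGuid().ToString("N").Substring(0, 8)
try {
    New-AzureRmResourceGroup -Name $probeName -Location $location -ErrorAction Stop | Out-Null
    # Reaching this line means the principal can write: remove the probe and flag it.
    Remove-AzureRmResourceGroup -Name $probeName -Force | Out-Null
    Write-Warning "Write check FAILED: $appId was able to create resource group $probeName"
} catch {
    $reason = $_.Exception.Message
    "Write check passed: creation refused ($reason)"
}
```

The write probe is deliberately a resource-group creation rather than a change to an existing resource, so a misconfigured principal cannot damage anything the application actually manages; if the warning fires, revisit the scope and role chosen in Task 3.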