Provide applications access to Azure Stack

When an application needs access to deploy or configure resources through Azure Resource Manager in Azure Stack, you will create a service principal, which is an identity for your application. You can then delegate only the necessary permissions to that service principal.

LAB : Azure Stack – Provide applications access to Azure Stack


As an example, you may have a configuration management tool that uses Azure Resource Manager to inventory​​ resources. In this scenario, you can create a service principal, grant the reader role to that service principal, and limit the configuration management tool to read-only access.

Service principals are preferable to running the app under your own credentials because:

  • You can assign permissions to the service principal that are different than your own account permissions.
  • Typically, these permissions are restricted to exactly what the app needs to do.
  • You do not have to change the app’s credentials if your​​ responsibilities change.
  • You can use a certificate to automate authentication when executing an unattended script.


  • Create service principal for ADFS

Task 1 : Create service principal for ADFS

In this section, we will use PowerShell to create a service principal.

  • Run PowerShell as Administrator and navigate to the​​ C:\AzureStack-Tools-master​​ directory. Import the​​ Identity​​ PowerShell module by using the following commands:

Set-ExecutionPolicy Unrestricted

Import-Module​​ .\Identity\AzureStack.Identity.psm1

  • Create the service principal by executing the following command:

$servicePrincipal = New-ADGraphServicePrincipal `

-DisplayName “<YourServicePrincipalName>” `

-AdminCredential $(Get-Credential) `


You have created a service principal for your application.

Task 3 : Assign a role to service principal

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To​​ learn about the available roles, see​​ RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  • In the Azure Stack portal, navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select​​ Subscriptions. You could instead select a resource group or resource.
  • Select the particular subscription (resource group or resource) to assign the application​​ to.
  • Select​​ Access Control (IAM).
  • Select​​ Add.
  • Select the role you wish to assign to the application.
  • Search for your application, and select it.
  • Select​​ OK​​ to finish assigning the role. You see your application in the list of users assigned to a​​ role for that scope.

Now that you’ve created a service principal and assigned a role, you can begin using this within your application to access Azure Stack resources.

Task 4 : Sign in through PowerShell

Once you’ve assigned a role, you can sign in to​​ Azure Stack using the service principal with the following command:

Add-AzureRmAccount -EnvironmentName “<AzureStackEnvironmentName>”` -ServicePrincipal -CertificateThumbprint $servicePrincipal.Thumbprint`

-ApplicationId $servicePrincipal.ApplicationId​​ -TenantId $directoryTenantId