Authenticate Azure

Permissions required for registering an app

You need two separate permissions: to register an application in your Azure AD tenant, and to assign that application a role in your Azure subscription. The first is an Azure AD (directory) permission and the second is an Azure RBAC permission; having one does not imply the other, so check both.

Check Azure AD permissions

  1. Select Azure Active Directory.

  2. Note your role. If you have the User role, you must make sure that non-administrators are allowed to register applications.

  3. In the left pane, select User settings.

  4. Check the App registrations setting. Only an administrator can change this value. If it is set to Yes, any user in the Azure AD tenant can register an app. If it is set to No, an administrator must either change the setting or assign you a directory role that can register apps (Application Developer or higher). Locking this setting to No is a common tenant hardening step, because every registration creates a new identity that can later be granted roles.

Check Azure subscription permissions

To check your subscription permissions:

  1. Search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the subscription you want to create the service principal in.

    If you don't see the subscription you're looking for, select the global subscriptions filter and make sure the subscription you want is selected for the portal.

  3. Select My permissions. Then select Click here to view complete access details for this subscription.

  4. Select View in Role assignments to see your assigned roles and determine whether you have adequate permissions to assign a role to an AD app. Creating a role assignment requires the Microsoft.Authorization/roleAssignments/write action, which the Owner and User Access Administrator roles include and the Contributor role explicitly excludes. If you lack it, ask your subscription administrator to add you to the User Access Administrator role.

Register an application with Azure AD and create a service principal

  1. Sign in to your Azure Account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration.

  5. Name the application. Select a supported account type, which determines who can use the application; for an automation identity used only inside your own tenant, the single-tenant option exposes the least. Under Redirect URI, select Web for the type of application you want to create and enter the URI where the authorization response is sent. The redirect URI is only used by interactive sign-in flows; an application that signs in with its own credentials never receives anything at it, and the field may be left empty. You can't create credentials for a Native (public client) application, so you can't use that type for an automated application. After setting the values, select Register.

You've created your Azure AD application and service principal.

Note

You can register multiple applications with the same name in Azure AD; each registration gets its own Application (client) ID. Identify an app by its ID, not its display name, whenever you grant it access or audit it.

Assign a role to the application

  1. In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the particular subscription to assign the application to.

    If you don't see the subscription you're looking for, select the global subscriptions filter and make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

  5. Select the role you wish to assign to the application. For example, to allow the application to reboot, start and stop virtual machines, the Contributor role works, but it also grants write access to every other resource type at that scope. Prefer the narrowest built-in role that covers the actions you need (here, Virtual Machine Contributor) and the narrowest scope that contains the resources (a resource group rather than the whole subscription); create a custom role if no built-in role fits. Read more about the available roles. By default, Azure AD applications aren't displayed in the available options; to find your application, search for its name and select it.

  6. Select Save to finish assigning the role. Your application appears in the list of principals that hold a role at that scope.

Your service principal is set up and you can start using it from your scripts or apps. To manage it (permissions, user-consented permissions, which users have consented, sign-in information, and more), go to Enterprise applications.
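The two permission decisions above (whether you may create a role assignment, and how much a role such as Contributor actually grants the service principal) both come down to Azure RBAC evaluation: effective permissions are a role's Actions minus its NotActions, an assignment applies at its scope and every child scope, and assignments are additive. The following is an added example, not Azure's own authorization code. The Owner, Contributor and User Access Administrator definitions are abbreviated to the entries relevant here, Virtual Machine Contributor is cut down to a few actions, and the subscription, resource group and principal IDs are constructed; deny assignments and data actions are omitted.

```python
"""Evaluate Azure RBAC: does a principal's role assignment grant an action at a scope?

Added example, not Azure's own authorization code. Built-in role definitions are
abbreviated to the Actions/NotActions relevant here; Virtual Machine Contributor
is cut down to a few entries (assumption). Assignments and IDs are constructed.
Deny assignments and data actions are omitted (assumption).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object ID of the user, group or service principal
    role: RoleDefinition
    scope: str  # /subscriptions/<id> or /subscriptions/<id>/resourceGroups/<rg>


OWNER = RoleDefinition("Owner", actions=("*",))
# Contributor may manage resources, but NotActions subtract access management,
# so it cannot create role assignments.
CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"))
USER_ACCESS_ADMINISTRATOR = RoleDefinition("User Access Administrator", actions=(
    "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"))
# Abbreviated (assumption): enough to start/stop/restart VMs and nothing else.
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", actions=(
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"))

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
VM_RESTART = "Microsoft.Compute/virtualMachines/restart/action"


def action_matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every child scope beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def role_grants(role: RoleDefinition, action: str) -> bool:
    """Effective permissions = Actions minus NotActions (a subtraction, not a deny)."""
    allowed = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def is_authorized(assignments, principal_id: str, action: str, scope: str) -> bool:
    """Assignments are additive: one matching assignment suffices, and a NotAction
    in one role does not cancel an Action granted by another role."""
    return any(a.principal_id == principal_id and scope_covers(a.scope, scope)
               and role_grants(a.role, action) for a in assignments)


def who_can_assign_roles(assignments, scope: str) -> list:
    """Principals that could perform the 'Add role assignment' step at this scope."""
    ids = {a.principal_id for a in assignments}
    return sorted(p for p in ids if is_authorized(assignments, p, ROLE_ASSIGNMENT_WRITE, scope))


# Constructed sample: a subscription, a resource group, a VM and four principals.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-vms"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
SAMPLE_ASSIGNMENTS = (
    RoleAssignment("alice", OWNER, SUB),
    RoleAssignment("bob", CONTRIBUTOR, SUB),
    RoleAssignment("carol", USER_ACCESS_ADMINISTRATOR, RG),
    RoleAssignment("sp-automation", VM_CONTRIBUTOR, RG),
)

if __name__ == "__main__":
    print("can assign roles at RG: ", who_can_assign_roles(SAMPLE_ASSIGNMENTS, RG))
    print("can assign roles at SUB:", who_can_assign_roles(SAMPLE_ASSIGNMENTS, SUB))
    print("sp can restart vm01:", is_authorized(SAMPLE_ASSIGNMENTS, "sp-automation", VM_RESTART, VM))
    print("sp can write storage:", is_authorized(SAMPLE_ASSIGNMENTS, "sp-automation",
                                                  "Microsoft.Storage/storageAccounts/write", RG))
```

Run it and the sample shows why the page steers you to Owner or User Access Administrator for the assignment step (bob, a subscription Contributor, cannot write role assignments anywhere), why carol's User Access Administrator role at the resource group does not reach the subscription, and how a service principal scoped to Virtual Machine Contributor on one resource group can restart vm01 but cannot touch storage accounts.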

The next section shows how to get values that are needed when signing in programmatically.

Get tenant and app ID values for signing in

When signing in programmatically, pass the tenant ID and the application (client) ID with your authentication request, together with a credential: a certificate or an authentication key (client secret), described in the following section. The tenant and client IDs are identifiers, not secrets, and may live in code or configuration; the certificate's private key or the client secret is a secret and must never be committed to code. To get the IDs, use the following steps:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Copy the Directory (tenant) ID and store it in your application code.

    The directory (tenant) ID can also be found in the default directory overview page.

  4. Copy the Application (client) ID and store it in your application code.