Azure Service Principal
This is a step-by-step guide to creating an Azure service principal with the privileges necessary to enable Azure Microsoft Graph credential generation.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
Creating a Service Principal for the DSV Base Secret
- Log in to the Microsoft Azure portal.
- Go to Azure Active Directory.
- Click App registrations, then New registration. Enter an application name and then click Register.
- Take note of the Application (client) ID and Directory (tenant) ID. They are the DSV Base Secret clientId and tenantId parameters, respectively.
- Select Certificates & secrets, then New client secret. Enter a description and expiration date. Click Add.
- Take note of the newly generated secret, which will be the clientSecret parameter in the DSV Base Secret.
- Select API permissions and then Add a permission.
- Under Microsoft Graph APIs, first select Delegated permissions on the left. Expand the Application drop-down and check the Application.Read.All and Application.ReadWrite.All boxes.
- Now, select Application permissions on the right. Expand both the Application and AppRoleAssignment drop-downs, and then check the Application.Read.All, Application.ReadWrite.All, and Application.ReadWrite.OwnedBy boxes under Application and the AppRoleAssignment.ReadWrite.All box under AppRoleAssignment.
- Select Add permissions at the bottom of the page. This takes you back to the API permissions page. Notice that the Application permissions have warnings that those permissions are not yet granted.
- Click Grant admin consent and then Yes (you will need administrative privileges to complete this step).
- The completed API permissions should look like this:
- Navigate to Home > Subscriptions and take note of the Subscription ID that you will be using. This is the subscriptionId in the DSV Base Secret.
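A pre-flight check for the values and permissions collected in the steps above. This is an added example, not part of the DSV documentation or product. It assumes the four base-secret values are held in a dict and that the rows of the API permissions page have been transcribed as (name, type, consent granted) tuples; the function names and sample values are made up for illustration.

```python
import uuid

# Microsoft Graph permissions the guide selects, keyed by permission type.
REQUIRED = {
    "Delegated": {"Application.Read.All", "Application.ReadWrite.All"},
    "Application": {"Application.Read.All", "Application.ReadWrite.All",
                    "Application.ReadWrite.OwnedBy", "AppRoleAssignment.ReadWrite.All"}}

def is_guid(value):
    """True only for a canonical hyphenated GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def check_base_secret(secret):
    """Problems with the four values the guide tells you to note down."""
    problems = [f"{k} is not a GUID" for k in ("clientId", "tenantId", "subscriptionId")
                if not is_guid(secret.get(k))]
    value = secret.get("clientSecret") or ""
    if not value:
        problems.append("clientSecret is missing")
    elif is_guid(value):
        # The portal shows a GUID "Secret ID" beside the secret "Value".
        problems.append("clientSecret looks like the Secret ID, not the Value")
    return problems

def check_permissions(rows):
    """rows: (name, type, consent_granted) tuples read off the API permissions page."""
    problems, seen = [], {ptype: set() for ptype in REQUIRED}
    for name, ptype, granted in rows:
        if name not in REQUIRED.get(ptype, ()):
            problems.append(f"not in the guide: {name} ({ptype})")
            continue
        seen[ptype].add(name)
        if not granted:
            problems.append(f"admin consent not granted: {name} ({ptype})")
    for ptype, names in REQUIRED.items():
        problems += [f"missing: {n} ({ptype})" for n in sorted(names - seen[ptype])]
    return problems

# Constructed sample input; every value below is made up for this example.
SAMPLE_SECRET = {"clientId": "11111111-2222-3333-4444-555555555555",
                 "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                 "subscriptionId": "0f0f0f0f-1111-2222-3333-444444444444",
                 "clientSecret": "99999999-8888-7777-6666-555555555555"}
SAMPLE_ROWS = [("User.Read", "Delegated", True), ("Application.Read.All", "Delegated", True),
               ("Application.ReadWrite.All", "Delegated", True),
               ("Application.Read.All", "Application", True),
               ("Application.ReadWrite.All", "Application", False),
               ("Application.ReadWrite.OwnedBy", "Application", True)]
```

Both functions return an empty list when nothing needs attention; any permission reported as "not in the guide" is a candidate for removal in a least-privilege review.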
Add appRole in Root Application or Any Application
In the Azure Dynamic Secrets section, we discuss DSV using an "existing service principal" vs DSV creating a "temporary service principal." This is guidance on creating an existing service principal in the Azure portal. In the case of the temporary service principal, no guidance in Azure is necessary because DSV will create them.
Any existing or new application can be used in place of the base service principal.
- Go to the Microsoft Azure portal and log in.
- Go to Azure Active Directory.
- Click App registrations.
- Click on the new application that you created in the Service Principal Guide, or on a previously existing application.
- Click Create App Role to create a new one, or select an existing appRole.
- Take note of the ID. That is the DSV Dynamic Secret appRoleId parameter.
- Navigate to Active Directory > Enterprise applications.
- Select the application name that you configured in the above steps.
- Take note of the Object ID. This is the DSV Dynamic Secret resourceId parameter.