{"id":554,"date":"2025-06-03T16:37:33","date_gmt":"2025-06-03T16:37:33","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=554"},"modified":"2025-06-03T16:37:33","modified_gmt":"2025-06-03T16:37:33","slug":"authenticate-azure-cli","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=554","title":{"rendered":"Authenticate Azure CLI Using Service Principal (Tutorial)"},"content":{"rendered":"

In this tutorial, you’ll learn how to authenticate with Azure using a service principal (one of the common authentication methods).<\/p>\n

By default, the Azure CLI<\/a> uses an interactive login method. <\/p>\n

When you run az login<\/code> in the CLI, it opens an interactive web page where you enter your email and password to sign in. While this approach is simple and straightforward, it’s not ideal for CI\/CD workflows<\/a> or secure automation.<\/p>\n

For better security and automation, it’s recommended to use alternative methods like Azure App registration with a client secret or a certificate. These options offer more control and are better suited for non-interactive, secure environments.<\/p>\n

Setup the Azure App Registration and Service Principal<\/h2>\n

The steps below will guide you through creating an app registration on the Azure Entra ID and configuring the service principal to access the services.<\/p>\n

Step 1: Create an Azure App Registration<\/h3>\n

Open Microsoft Entra ID from the main console dashboard.<\/p>\n

Azure Entra ID is the identity and access management service of the Azure cloud.<\/p>\n

\"selecting<\/figure>\n

The Entra ID dashboard displays all IAM and Azure-related services. From the left-hand panel, select App Registrations<\/strong>.<\/p>\n

Azure App Registration is essentially the process of assigning an identity to your application. <\/p>\n

For instance, if your app needs to interact with specific Azure services, it first needs a recognizable identity in Azure. This allows Azure to authenticate and authorize the app properly.<\/p>\n

During the registration process, Azure generates a unique Application (client) ID, which is a key component used for authentication and access control.<\/p>\n

\"creating<\/figure>\n

Give a name for the App Registration and select the account type from the list of supported account types.<\/p>\n

Account types will define who is allowed to access your application. <\/p>\n

\"filing<\/figure>\n

I have chosen the Single tenant<\/code> type because I want the application to be used only by users in the specific Entra ID tenant.<\/p>\n

Once the registration is completed, you can see the Application (client) ID<\/code> and the Directory (tenant) ID<\/code>.<\/p>\n

Note them down for the upcoming configuration. <\/p>\n

\"getting<\/figure>\n

Next, we need to create client credentials for secure authentication.<\/p>\n

Note: When you create the App Registration, a Service Principal also be associated with that, you can verify on the Enterprise application<\/code> section or if you already have CLI access, you can use the following comand `az ad sp list –display-name <APP_REGISTRATION_NAME><\/p><\/blockquote>\n

Step 2: Create Client Credentials <\/h3>\n

Client credentials are required to authenticate App Registration and Microsoft Entra ID.<\/p>\n

Azure supports various credential options for App Registration, such as certificates, secret tokens, and federated credentials.<\/p>\n

\"adding<\/figure>\n

For this, I am choosing the Client secret<\/code> option.<\/p>\n

\"selecting<\/figure>\n

Note: Certificates<\/code> is the more secure method than the Secrets<\/code> but you need to locally generate the certificates and import them for the configuration.<\/p><\/blockquote>\n

On the next page, you need to give a description of the secret and the expiration date for the secret token. <\/p>\n

\"giving<\/figure>\n

Once the client secret is created, you can see that in the Certificates & secrets<\/code> dashboard.<\/p>\n

Note down the secret value for the authentication, first time only you can see the secret value so save it somewhere safe.<\/p>\n

\"copying<\/figure>\n

Step 3: Add Permission to the App Registration <\/h3>\n

We need to assing a role with required permission to the Service Principal associated with the App Registration on the specific Azure subscription.<\/p>\n

Navigate to the Azure subscription console.<\/p>\n

\"selecting<\/figure>\n

Select the specific subscription if you have multiple subscriptions.<\/p>\n

\"selecting<\/figure>\n

Open the Access control (IAM)<\/code> from the left side navigation panel.<\/p>\n

Click the + Add<\/code> button at the top of the pane, and from the dropdown menu, select the Add role assignment<\/code>.<\/p>\n

\"adding<\/figure>\n

On the next page, under the Role<\/code> tab, we can see the list of job function roles and privileged administrative roles.<\/p>\n

From the Privileged administratior roles<\/code> , selecting the Contributor<\/code> role and click next<\/code><\/p>\n

\"selecting<\/figure>\n

On the next page, we need to decide whom should we need to assign this role. (user, group, or service principal)<\/p>\n

In our case, it is the Service Principal.<\/p>\n

When we create a single tenant App Registration, the Service Principal will also be created and the name will be the same as the App Registration.<\/p>\n

On the Members<\/code> section, click + Select members<\/code> <\/p>\n

On the search menu, search with the App Registration name, and the search result will display the Service Principal associated with the App Registration. <\/p>\n

\"selecting<\/figure>\n

In the final stage which is Review + assign<\/code>, you can see the Role, Scope, and the Service Principal.<\/p>\n

Once the review is completed, click the assign button.<\/p>\n

\"assigining<\/figure>\n

Now, we have successfully assigned the Contributor<\/code> role to the Service Principal associated with the App Registration.<\/p>\n

Step 4: Authenticate Azure CLI with the Service Principal<\/h3>\n

Install the Azure CLI on the local workstation.<\/p>\n

Refer to the official documentation<\/a> for the installation instructions.<\/p>\n

Once the installation is complete, use the following command to authenticate the Azure CLI with the Service Principal, so that we can access Azure resources from the local workstation.<\/p>\n

az login --service-principal -u <Application (client) ID> -p <Client Secret Value> --tenant <Directory (tenant) ID><\/code><\/pre>\n
\"logging<\/figure>\n
Conclusion<\/h2>\n
To sum up, this blog walked through creating an Azure App Registration, setting up client credentials (Secret instead of email ID and password), and assigning a role to the Service Principal for CLI access.<\/p>\n
With this setup, we’ve enabled a non-interactive login method that’s perfect for automation tasks like scripting and CI\/CD. <\/p>\n
This means we can now create and manage Azure resources seamlessly, without ever needing to use the portal.<\/p>\n
If you face any errors or need any clarification, do drop a comment! We will be happy to share our insights.<\/p>\n
\n
Ngu\u1ed3n:<\/strong> Authenticate Azure CLI Using Service Principal (Tutorial) \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Source: https:\/\/devopscube.com\/authenticate-azure-cli\/<\/p>\n","protected":false},"author":1,"featured_media":555,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-554","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=554"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/554\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/555"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}