Creating a service principal

Hong Ooi

Authenticating with Azure Active Directory requires providing an app or service principal ID. If you don’t provide one, AzureRMR will authenticate using the Azure CLI cross-platform app. This is sufficient for most purposes; however, if necessary, you can create your own service principal to authenticate with. For example, if security is a concern, this lets you restrict the scope of the resources that AzureRMR can manipulate.

Creating a service principal is a one-time task, and the easiest method is to use the Azure cloud shell.

If you want to allow access at something other than subscription level, you can use the --scopes argument in place of --subscription. For example, to restrict AzureRMR to only the “AnalyticsRG” resource group:

az ad sp create-for-rbac --scopes /subscriptions/{your-subscription-ID}/resourceGroups/AnalyticsRG

Once you have created your own service principal, you can supply the app ID and password as arguments to create_azure_login. You’ll also have to supply your Azure Active Directory tenant, as AAD does not have access to your personal credentials.

# authenticating with a custom service principal
library(AzureRMR)
create_azure_login(tenant="myaadtenant", app="app_id", password="password")
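The following is an added example, not part of the original vignette or the AzureRMR documentation: it logs in with a custom service principal without hardcoding its secret, then checks that the principal sees only the resource group it was scoped to. The environment variable names are assumptions chosen for this example, and "AnalyticsRG" is the resource group from the scoping example above.

```r
library(AzureRMR)

# Assumed variable names (not defined by AzureRMR). Set them outside the
# script, for example in ~/.Renviron or the job's environment, so the
# secret never lands in source control.
required <- c("AZ_TENANT", "AZ_APP_ID", "AZ_APP_PASSWORD", "AZ_SUBSCRIPTION_ID")
cfg <- Sys.getenv(required, unset = NA)
missing_vars <- required[is.na(cfg) | cfg == ""]
if (length(missing_vars) > 0) {
    stop("Missing environment variables: ", paste(missing_vars, collapse = ", "))
}

# Client-credentials login with the custom service principal
az <- create_azure_login(
    tenant = cfg[["AZ_TENANT"]],
    app = cfg[["AZ_APP_ID"]],
    password = cfg[["AZ_APP_PASSWORD"]]
)

sub <- az$get_subscription(cfg[["AZ_SUBSCRIPTION_ID"]])

# Resource groups this principal is able to see in the subscription.
# Resource group names are case-insensitive, so compare in lower case.
expected <- "AnalyticsRG"
visible <- names(sub$list_resource_groups())
in_scope <- tolower(visible) == tolower(expected)

if (!any(in_scope)) {
    stop("Service principal cannot see resource group ", expected)
}
if (any(!in_scope)) {
    # The role assignment is broader than intended: review it before use
    warning("Service principal can also see: ",
            paste(visible[!in_scope], collapse = ", "))
}

# Work only through the scoped resource group from here on
rg <- sub$get_resource_group(visible[in_scope][1])
print(names(rg$list_resources()))
```

A warning here means the principal holds a role assignment outside the intended resource group, which is worth correcting before the script is put into use.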