Creating Azure Service Principals for Dynamic Inventory
Create Client Secrets for Dynamic Inventory
Part 1 - Elevate privileges
- Open the Azure Portal URL in your browser.
- Elevate your privileges to "Owner" on all the subscriptions you need SPNs for.
Part 2 - Create Role Assignments - This grants Owner permission to the master SP on each subscription
- Select the "Subscriptions" blade URL. The "Subscriptions" blade opens; the bottom of the blade shows the subscriptions list in tabular format.
- For each subscription you need SPNs for:
  - Follow the subscription hyperlink.
  - Choose "Access control (IAM)" from the list menu on the left panel.
  - Choose "Add" from the ribbon menu at the top of the right panel.
  - Choose "Add role assignment" from the pick-up list that pops up on the right panel.
  - Choose "Privileged administrator roles" from the ribbon menu on the right panel.
  - Choose "Owner" from the list of roles.
  - Choose "Next" from the workflow menu at the bottom.
  - Choose "User, group, or service principal" in the "Assign access to" section.
  - Choose "+ Select members" in the "Members" section. A panel pops up.
  - Enter the name of the high-privilege service principal created for this purpose (PROD-epic_on_azure_master-sp).
  - Choose "Select" to dismiss the pop-up.
  - Choose "Next" from the workflow menu at the bottom.
  - Choose "Allow user to assign all roles (highly privileged)" in the "What user can do" section.
  - Choose "Next" from the workflow menu at the bottom.
  - Choose "Permanent" in the "Assignment duration" section.
  - Choose "Next" from the workflow menu at the bottom.
  - Choose "Review and assign" from the workflow menu at the bottom.
  - Choose "Access control (IAM)" from the list menu on the left panel. The newly created role assignment is shown in the list below.
Part 3 - Create Client Secret for SP - Do this only once
- Select the "Microsoft Entra ID" blade URL.
- Choose "Manage" from the list menu on the left panel.
- Choose "App registrations" from the drop-down menu under "Manage" on the left panel.
- Choose the app whose name matches the high-privilege service principal (`PROD-epic_on_azure_master-sp`).
- Choose "Manage" from the list menu on the left panel.
- Choose "Certificates & secrets" from the drop-down menu under "Manage" on the left panel.
- Choose "+ New client secret". A dialog titled "Add a client secret" pops up on the right panel.
- Enter a description like "Client secret for Dynamic Inventory" and select a 90-day expiration date on the "Add a client secret" pop-up dialog.
- Choose "Add" at the bottom to dismiss the pop-up dialog.
- Copy and save the secret Value and ID in a safe location before you navigate away from the page. This is the only time they will be shown.

Service Principal:
  ID: eec65963-904a-45cb-a8b2-91749fa699b5
  App: PROD-epic_on_azure_master-sp
Secret:
  Secret ID: INSERTID
  Secret Value: D1R...
  Secret Display Name: Client Secret for Dynamic Inventory - POC
  Secret Expiration: 2025-09-09
Part 4 - To update the SP secret
- Open the Azure Portal URL in your browser.
- Elevate your privileges to "Owner" on all the subscriptions you need SPNs for.
- Open a terminal session.
- Log on - issue the following command:

```bash
az login
```

- Reset the secret - issue the following command (replace YYYY-MM-DD with the desired expiration date):

```bash
az ad app credential reset --id eec65963-904a-45cb-a8b2-91749fa699b5 --display-name "Client Secret for Dynamic Inventory - POC" --end-date "YYYY-MM-DD" --query "{client_secret: password}" -o json
```
Another way to update the SP secret AND onboard it onto HashiCorp Vault is to run the "rotate_spn_secret.sh" shell script I shared days ago. The shared fragment ends inside rotate_spn_secret; the rest of that function below is reconstructed from the Part 4 reset command (with the 90-day expiry from Part 3), and the Vault onboarding step is not reproduced here:

```bash
#!/bin/bash
# List of service principal names or IDs
# Define the service principal names and IDs for dynamic inventory
spn_names=("PROD-epic_on_azure_master-sp")
spn_ids=("eec65963-904a-45cb-a8b2-91749fa699b5")
export VAULT_NAMESPACE="aide-0085665"

# Function to get service principal details
get_spn_details() {
  local spn_id=$1
  az ad sp show --id "$spn_id" --query "{client_id: appId}" -o json
}

# Function to rotate service principal secret (password)
rotate_spn_secret() {
  local spn_id=$1
  local spn_name=$2
  # Reconstructed from the Part 4 reset command: new secret valid 90 days.
  # The original script's Vault onboarding step is not part of the shared fragment.
  local end_date
  end_date=$(date -u -d "+90 days" +%Y-%m-%d)
  echo "Rotating secret for $spn_name ($spn_id), expires $end_date" >&2
  az ad app credential reset --id "$spn_id" \
    --display-name "Client Secret for Dynamic Inventory - POC" \
    --end-date "$end_date" --query "{client_secret: password}" -o json
}

# Rotate every service principal listed above
for i in "${!spn_ids[@]}"; do
  rotate_spn_secret "${spn_ids[$i]}" "${spn_names[$i]}"
done
```
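The two things worth verifying after running this runbook are that the master SP ended up with Owner on exactly the intended subscriptions (Part 2) and that its client secret is not about to expire before someone rotates it (Parts 3 and 4). The script below is an added example, not part of the runbook or of rotate_spn_secret.sh: its audit functions take the tab-separated output of az role assignment list and az ad app credential list on stdin, so they can be tested on constructed lines without Azure access. The subscription IDs in ALLOWED_SUBS are placeholders, the app ID is the one recorded above, and the 30-day warning window is an assumption.

```shell
#!/bin/bash
# Added example (not the runbook's own code): audit the master SP's role
# assignments (Part 2) and client-secret expiry (Parts 3 and 4).
# Assumptions: ALLOWED_SUBS holds placeholder subscription IDs, APP_ID is the
# app ID recorded on this page, the warning window is 30 days. Written in
# plain POSIX sh so it also runs without bash.
set -eu

APP_ID="eec65963-904a-45cb-a8b2-91749fa699b5"
# Placeholder subscription IDs (space separated); replace with your own.
ALLOWED_SUBS="00000000-0000-0000-0000-000000000001 00000000-0000-0000-0000-000000000002"
TAB=$(printf '\t')

# audit_assignments <allowed-subscription-ids>
# Reads "scope<TAB>role" lines on stdin, the shape produced by:
#   az role assignment list --all --assignee "$APP_ID" \
#     --query "[].[scope,roleDefinitionName]" -o tsv
# Prints one line per assignment and returns 1 if any assignment is not an
# Owner assignment scoped to exactly one allowed subscription (Part 2 only
# assigns Owner at subscription scope, so anything else is a finding).
audit_assignments() {
  allowed=" $1 "
  bad=0
  while IFS="$TAB" read -r scope role; do
    [ -n "$scope" ] || continue
    case "$scope" in
      /subscriptions/*)
        rest=${scope#/subscriptions/}
        sub=${rest%%/*}
        in_allowed=no
        case "$allowed" in *" $sub "*) in_allowed=yes ;; esac
        if [ "$sub" != "$rest" ]; then
          echo "FINDING: $role granted below subscription level: $scope"; bad=1
        elif [ "$in_allowed" = no ]; then
          echo "FINDING: $role on subscription $sub, which is not in the allowed list"; bad=1
        elif [ "$role" != "Owner" ]; then
          echo "FINDING: unexpected role $role on subscription $sub"; bad=1
        else
          echo "OK: Owner on subscription $sub"
        fi ;;
      *)
        echo "FINDING: $role at non-subscription scope: $scope"; bad=1 ;;
    esac
  done
  return $bad
}

# date_to_int <date-or-datetime>: "2025-09-09T00:00:00Z" -> 20250909, so ISO
# dates can be compared numerically without date(1) arithmetic.
date_to_int() {
  d=${1%%T*}
  printf '%s' "$d" | tr -d '-'
}

# secret_expires_before <endDateTime> <cutoff YYYY-MM-DD>: true when the
# secret ends on or before the cutoff date.
secret_expires_before() {
  [ "$(date_to_int "$1")" -le "$(date_to_int "$2")" ]
}

# check_secrets <cutoff YYYY-MM-DD>
# Reads "displayName<TAB>endDateTime" lines on stdin, the shape produced by:
#   az ad app credential list --id "$APP_ID" \
#     --query "[].[displayName,endDateTime]" -o tsv
# Returns 1 if any secret expires on or before the cutoff.
check_secrets() {
  cutoff=$1
  bad=0
  while IFS="$TAB" read -r name end; do
    [ -n "$end" ] || continue
    if secret_expires_before "$end" "$cutoff"; then
      echo "FINDING: secret '$name' expires $end (on or before $cutoff); rotate it as in Part 4"; bad=1
    else
      echo "OK: secret '$name' valid until $end"
    fi
  done
  return $bad
}

# Live run against Azure (needs an authenticated az session, as in Part 4).
# Skipped when the az CLI is absent so the functions can be exercised offline.
if command -v az >/dev/null 2>&1; then
  cutoff=$(date -u -d "+30 days" +%Y-%m-%d 2>/dev/null || date -u -v+30d +%Y-%m-%d)
  az role assignment list --all --assignee "$APP_ID" \
    --query "[].[scope,roleDefinitionName]" -o tsv | audit_assignments "$ALLOWED_SUBS" || true
  az ad app credential list --id "$APP_ID" \
    --query "[].[displayName,endDateTime]" -o tsv | check_secrets "$cutoff" || true
fi
```

Run it from the same logged-in terminal session used in Part 4. A non-zero return from either function means something drifted from the runbook: an Owner assignment at a resource-group, management-group or unlisted-subscription scope, or a secret inside the warning window that should be rotated with the Part 4 command.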