Ansible - Updated July 3, 2026

Creating Azure Service Principals for Dynamic Inventory

Tags: azure, service-principal, dynamic-inventory, credentials, rbac, azure-portal, iam, client-secrets

Create Client Secrets for Dynamic Inventory

Part 1 - Elevate privileges

  1. Open the Azure Portal URL in your browser
  2. Elevate your privileges to Owner on all the subscriptions you need SPNs for.

Part 2 - Create Role Assignments - This grants Owner permission to the master SP on each subscription

  1. Select the Subscriptions blade URL

    The 'Subscriptions' blade opens. The bottom of the blade shows the subscriptions list in tabular format.

  2. For each subscription you need SPNs for:

    • Follow the subscription hyperlink
    • Choose Access control (IAM) from list menu on the left panel
    • Choose Add from the ribbon menu at the top of the right panel
    • Choose Add role assignment from the pick-up list that pops up on the right panel
    • Choose Privileged administrator roles from the ribbon menu on the right panel
    • Choose Owner from list of roles
    • Choose Next from workflow menu at the bottom
    • Choose User, group, or service principal on the Assign access to section
    • Choose +Select members on the Members section. A panel pops up
    • Enter the name of the high-privilege service principal created for this purpose (PROD-epic_on_azure_master-sp)
    • Choose Select to dismiss the pop-up
    • Choose Next from the workflow menu at the bottom
    • Choose Allow user to assign all roles (highly privileged) on the What user can do section
    • Choose Next from the workflow menu at the bottom
    • Choose Permanent on Assignment duration section
    • Choose Next from the workflow menu at the bottom
    • Choose Review and assign from the workflow menu at the bottom
    • Choose Access control (IAM) from list menu on the left panel. The newly created role assignment is shown below
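After Part 2 has been run on every subscription, a practitioner wants to verify the result rather than trust the clicks: the master SP should hold Owner at the subscription scope on exactly the subscriptions in scope, and no other service principal should have picked up subscription-wide Owner along the way. The following check is an added example and not part of the original page; it consumes the JSON that `az role assignment list --all -o json` produces (assumed field names: principalName, principalType, roleDefinitionName, scope) and runs here on a constructed sample with made-up subscription IDs and principal names.

```python
import json
import re

MASTER_SP = "PROD-epic_on_azure_master-sp"  # the high-privilege SP named on the page

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription IDs and the non-master principals are made up for the example.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps([
    {"principalName": MASTER_SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"},
    {"principalName": MASTER_SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000002"},
    # Owner only on a resource group: not subscription-wide, so not reported
    {"principalName": "ci-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000002/resourceGroups/rg-app"},
    # Subscription-wide Owner held by an SP that is not the master SP
    {"principalName": "legacy-automation-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000003"},
    {"principalName": "reader-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"},
])

# Matches only the whole-subscription scope, not resource groups or resources below it
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$")


def subscription_owner_sps(assignments_json):
    """Map subscription ID -> sorted list of SP names holding Owner at subscription scope."""
    owners = {}
    for a in json.loads(assignments_json):
        m = SUBSCRIPTION_SCOPE.match(a["scope"])
        if not m:
            continue
        if a["roleDefinitionName"] != "Owner" or a["principalType"] != "ServicePrincipal":
            continue
        owners.setdefault(m.group(1), set()).add(a["principalName"])
    return {sub: sorted(names) for sub, names in owners.items()}


def verify_master_sp(assignments_json, expected_subscriptions, master_sp=MASTER_SP):
    """Return (missing, unexpected).

    missing:    subscriptions from expected_subscriptions where the master SP does
                not hold Owner (Part 2 was not completed there).
    unexpected: (subscription, sp_name) pairs for any other SP holding
                subscription-wide Owner, which should be reviewed.
    """
    owners = subscription_owner_sps(assignments_json)
    missing = sorted(s for s in expected_subscriptions if master_sp not in owners.get(s, []))
    unexpected = sorted({(sub, name) for sub, names in owners.items()
                         for name in names if name != master_sp})
    return missing, unexpected


if __name__ == "__main__":
    in_scope = ["aaaaaaaa-0000-0000-0000-000000000001",
                "aaaaaaaa-0000-0000-0000-000000000002",
                "aaaaaaaa-0000-0000-0000-000000000003"]
    missing, unexpected = verify_master_sp(SAMPLE_ROLE_ASSIGNMENTS, in_scope)
    print("master SP missing Owner on:", missing)
    print("other SPs with subscription-wide Owner:", unexpected)
```

To run it against a real tenant, replace SAMPLE_ROLE_ASSIGNMENTS with the output of `az role assignment list --all -o json` and the in_scope list with the subscription IDs from Part 2; an empty "missing" list confirms the assignments, and anything in "unexpected" is a finding to review.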

Part 3 - Create Client Secret for SP - Do this only once

  1. Select the Microsoft Entra ID blade URL
    • Choose Manage from list menu on the left panel

    • Choose App registrations from the drop down menu under Manage on the left panel

    • Choose the app whose name matches the high-privilege service principal (PROD-epic_on_azure_master-sp)

    • Choose Manage from list menu on the left panel

    • Choose Certificates & secrets from the drop down menu under Manage on the left panel

    • Choose + New client secret. A dialog titled Add a client secret pops up on the right panel

    • Enter a description like Client secret for Dynamic Inventory and select a 90 day expiration date on the Add a client secret pop-up dialog.

    • Choose Add at the bottom to dismiss the pop-up dialog.

    • Copy the secret Value and ID and save them in a safe location before you navigate away from the page. This is the only time they are shown

      Service Principal:
      ID: eec65963-904a-45cb-a8b2-91749fa699b5
      App: PROD-epic_on_azure_master-sp
      
      Secret:
      Secret ID: INSERTID
      Secret Value: D1R...
      Secret Display Name: Client Secret for Dynamic Inventory - POC
      Secret Expiration: 2025-09-09
      

Part 4 - To update the SP secret

  1. Open the Azure Portal URL in your browser
  2. Elevate your privileges to Owner on all the subscriptions you need SPNs for.
    • Open a terminal session

    • Log on - Issue the following command:

      az login

    • Reset secret - Issue the following command:

      az ad app credential reset --id eec65963-904a-45cb-a8b2-91749fa699b5 --display-name "Client Secret for Dynamic Inventory - POC" --end-date "YYYY-MM-DD" --query "{client_secret: password}" -o json
      
    • Another way to update the SP secret AND onboard it onto HashiCorp Vault is to run the "rotate_spn_secret.sh" shell script I shared days ago

      #!/bin/bash
      set -euo pipefail
      
      # List of service principal names or IDs
      # Define the service principal names and IDs for dynamic inventory
      spn_names=("PROD-epic_on_azure_master-sp")
      spn_ids=("eec65963-904a-45cb-a8b2-91749fa699b5")
      
      export VAULT_NAMESPACE="aide-0085665"
      
      # New secret lifetime: 90 days, matching the expiration chosen in Part 3 (GNU date syntax)
      end_date=$(date -u -d "+90 days" +%Y-%m-%d)
      
      # Function to get service principal details
      get_spn_details() {
          local spn_id=$1
          az ad sp show --id "$spn_id" --query "{client_id: appId}" -o json
      }
      
      # Function to rotate service principal secret (password)
      rotate_spn_secret() {
          local spn_id=$1
          local spn_name=$2
          # Same reset command as the manual step above; prints the new secret as JSON
          az ad app credential reset --id "$spn_id" \
              --display-name "Client Secret for Dynamic Inventory - POC" \
              --end-date "$end_date" \
              --query "{client_secret: password}" -o json
      }
      
      # Rotate each service principal in turn
      for i in "${!spn_ids[@]}"; do
          echo "Rotating secret for ${spn_names[$i]}"
          get_spn_details "${spn_ids[$i]}"
          rotate_spn_secret "${spn_ids[$i]}" "${spn_names[$i]}"
      done
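Parts 3 and 4 set a 90-day expiration and then rotate the secret by hand or by script, so the check a practitioner wants before and after rotation is: which client secrets on the app are expired, about to expire, or were issued for longer than the 90-day policy, and what exact reset command to run next. The following audit is an added example and not the page's script; it consumes the JSON that `az ad app credential list --id <app-id> -o json` produces (assumed shape: Graph passwordCredential objects with keyId, displayName, startDateTime, endDateTime, hint) and runs here on a constructed sample whose keyId values and dates are made up. The app ID and secret display name are the ones the page uses.

```python
import json
from datetime import datetime, timedelta, timezone

APP_ID = "eec65963-904a-45cb-a8b2-91749fa699b5"                  # app (client) ID from the page
SECRET_DISPLAY_NAME = "Client Secret for Dynamic Inventory - POC"  # display name from the page

# Constructed sample in the shape of `az ad app credential list -o json`
# (Microsoft Graph passwordCredential objects). keyId values and dates are made up.
SAMPLE_CREDENTIAL_LIST = json.dumps([
    {"displayName": SECRET_DISPLAY_NAME,
     "startDateTime": "2025-06-11T00:00:00Z", "endDateTime": "2025-09-09T00:00:00Z",
     "keyId": "11111111-1111-1111-1111-111111111111", "hint": "D1R"},
    {"displayName": "old laptop secret",  # one-year lifetime, outside the 90-day policy
     "startDateTime": "2025-01-31T00:00:00Z", "endDateTime": "2026-01-31T00:00:00Z",
     "keyId": "22222222-2222-2222-2222-222222222222", "hint": "abc"},
    {"displayName": "forgotten test secret",  # already expired
     "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2025-08-01T00:00:00Z",
     "keyId": "33333333-3333-3333-3333-333333333333", "hint": "xyz"},
])


def parse_graph_date(value):
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'; keep only the calendar date."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc).date()


def audit_client_secrets(credential_json, today, warn_days=14, max_lifetime_days=90):
    """Classify each client secret as expired / expiring / ok and flag any whose
    issued lifetime exceeds the 90-day policy the page applies."""
    findings = []
    for cred in json.loads(credential_json):
        start = parse_graph_date(cred["startDateTime"])
        end = parse_graph_date(cred["endDateTime"])
        days_left = (end - today).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        findings.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName", ""),
            "days_left": days_left,
            "status": status,
            "lifetime_too_long": (end - start).days > max_lifetime_days,
        })
    return findings


def secrets_to_rotate(findings):
    """keyIds that need a new secret now: expired, or inside the warning window."""
    return [f["keyId"] for f in findings if f["status"] in ("expired", "expiring")]


def reset_command(app_id, display_name, today, lifetime_days=90):
    """argv for the page's `az ad app credential reset` step, with --end-date computed
    from today. Without --append this command removes every other credential on the
    app, which is why the audit above should be read before running it."""
    end_date = (today + timedelta(days=lifetime_days)).isoformat()
    return ["az", "ad", "app", "credential", "reset", "--id", app_id,
            "--display-name", display_name, "--end-date", end_date,
            "--query", "{client_secret: password}", "-o", "json"]


if __name__ == "__main__":
    today = parse_graph_date("2025-09-01T00:00:00Z")  # fixed date so the sample is reproducible
    report = audit_client_secrets(SAMPLE_CREDENTIAL_LIST, today)
    for f in report:
        print(f"{f['status']:9} {f['days_left']:5d}d  lifetime_too_long={f['lifetime_too_long']}  {f['displayName']}")
    print("rotate:", secrets_to_rotate(report))
    print(" ".join(reset_command(APP_ID, SECRET_DISPLAY_NAME, today)))
```

Against a live tenant, feed the audit the real output of `az ad app credential list --id eec65963-904a-45cb-a8b2-91749fa699b5 -o json` and today's date; the reset command it prints is the same one listed in Part 4 with the end date filled in, and the "lifetime_too_long" flag catches secrets created outside the 90-day convention of Part 3.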