Tutorial / Cram Notes

A service principal is the identity an application or service uses to access Azure Stack Hub resources. It is the tenant-local instance of an application registration in the identity provider (Azure AD, or AD FS in disconnected deployments) and is the object that roles and policies are assigned to.

When an application needs to access resources, it presents the service principal's credential (a client secret or, preferably, a certificate) to the identity provider and receives a token. Azure Stack Hub's Resource Manager then allows or denies each request according to the role assignments the service principal holds at the requested scope: the identity provider proves who the caller is, RBAC decides what it may do.

Assigning Roles and Permissions

Azure Stack Hub uses Azure role-based access control (RBAC) to decide who can do what. To grant a service principal access:

  1. Select the scope: decide at which level the assignment applies (subscription, resource group, or a single resource). Assignments are inherited downward, so a subscription-level assignment covers every resource group and resource beneath it.
  2. Choose the role: pick the role with the fewest rights that still lets the application do its job. Reader gives read-only access to the control plane; Contributor can create and change resources; Owner additionally manages role assignments, so an application holding Owner can grant itself or others more access.
  3. Assign the role to the service principal: this links the role definition to the application's identity at the chosen scope.

Example – Assigning a Role to a Service Principal through Azure PowerShell

<!-- language: lang-powershell -->
# Log in to Azure Stack Hub. The environment name is the one given to Add-AzEnvironment
# when the Azure Stack Hub Resource Manager endpoint was registered on this machine.
Connect-AzAccount -EnvironmentName "<your-environment>"

# Get the service principal. A wrong display name returns nothing rather than an error,
# so check the result before using it.
$servicePrincipal = Get-AzADServicePrincipal -DisplayName "<application-name>"
if (-not $servicePrincipal) { throw "Service principal '<application-name>' not found" }

# Assign the Reader role at the subscription scope to the service principal.
# -ObjectId takes the service principal's object ID and works across Az.Resources versions.
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName Reader -Scope "/subscriptions/<subscription-id>"

Creating a Service Principal for an Application

Example – Creating a Service Principal using Azure CLI

<!-- language: lang-shell -->
# Point the CLI at the Azure Stack Hub cloud registered with "az cloud register" first.
# Current Azure CLI releases no longer accept --password: the CLI generates the client
# secret itself and prints it once, and it no longer assigns a role unless --role and
# --scopes are given, so state both explicitly and keep the scope narrow.
az ad sp create-for-rbac --name "<app-name>" --role Reader --scopes "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"

This command provisions an application registration together with its service principal and prints the appId (client ID), the generated password (client secret), and the tenant ID, which the application needs to authenticate. The secret cannot be retrieved again later, so capture it straight into a secret store rather than a shell history or a source file. In Azure Stack Hub deployments that use AD FS, service principals are created through the privileged endpoint with a certificate credential instead of with this command.
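As an added example that is not part of the original page, the PowerShell equivalent of the CLI command above, but with a certificate credential instead of a client secret (the private key never leaves the machine that holds it) and a role assignment scoped to one resource group. It assumes Windows PowerShell with the Az modules, an environment already registered with Add-AzEnvironment under the name used below, an Azure AD tenant (AD FS deployments create service principals through the privileged endpoint instead), and placeholder names and IDs throughout.

```powershell
# Added example, not from the original page. Assumptions: Windows PowerShell with the Az
# modules (New-SelfSignedCertificate comes from the Windows PKI module), the Azure Stack Hub
# environment already registered with Add-AzEnvironment as "AzureStackUser", an Azure AD
# tenant, and the placeholder names/IDs below.
$environmentName = "AzureStackUser"
$appName         = "inventory-reporter"      # placeholder display name
$subscriptionId  = "<subscription-id>"
$resourceGroup   = "<resource-group-name>"

Connect-AzAccount -EnvironmentName $environmentName | Out-Null

# 1. Generate a signing certificate whose private key cannot be exported. Only the public
#    certificate is uploaded; a CA-issued certificate is preferable in production.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddMonths(12)
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())

# 2. Create the service principal, then attach the certificate as its credential.
#    Az.Resources versions before 5.0 also generated a password credential and a
#    Contributor assignment at subscription scope when given -DisplayName alone; on those
#    versions pass -CertValue/-StartDate/-EndDate and -SkipAssignment to
#    New-AzADServicePrincipal directly instead of this two-step form.
$sp = New-AzADServicePrincipal -DisplayName $appName
New-AzADSpCredential -ObjectId $sp.Id -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

# 3. Least privilege: Reader on one resource group, not Contributor on the subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Reader -Scope $scope | Out-Null

# 4. What the application needs in order to log in. There is no secret to store; the
#    private key stays in the certificate store of the machine that runs the application.
#    Newer Az.Resources exposes the client ID as AppId, older versions as ApplicationId.
$appId = if ($sp.AppId) { $sp.AppId } else { $sp.ApplicationId }
[pscustomobject]@{
    ApplicationId = $appId
    TenantId      = (Get-AzContext).Tenant.Id
    Thumbprint    = $cert.Thumbprint
    Scope         = $scope
}
```

The object printed at the end is everything the application's configuration needs; the thumbprint is public, so it can live in plain configuration, and revoking the credential later is a matter of removing it from the service principal rather than hunting for copies of a secret.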

Enabling Application Access to Azure Stack Hub Services

Some Azure Stack Hub services need additional configuration before an application can reach them. None of it replaces the RBAC assignment above; it only makes the connection possible.

  • API Apps: set up CORS rules for the origins your browser-hosted front end uses. CORS only controls which origins a browser may call the API from; it is not an authorization mechanism, so the API must still validate the caller's token on every request.
  • App Services: supply the client ID and the client secret (or a certificate reference) through application settings rather than in source, so the app can authenticate with Azure AD or AD FS.
  • SQL Databases: give the application a connection string and a SQL login that holds only the permissions it needs, and keep that connection string in a secret store such as Key Vault rather than in code or in configuration files checked into source control.

Using Managed Identities

Azure (public cloud) offers managed identities: an identity the platform creates and rotates for a resource such as a VM, so an application can obtain tokens for services that accept Azure AD authentication without handling any credential. Azure Stack Hub's feature set differs from Azure here, and managed identities for Azure resources have not been available on Azure Stack Hub (the Azure Stack Hub documentation lists them as unsupported), so check the feature documentation for your version before relying on them and fall back to a service principal with a certificate credential where they are not available.

Example – Enabling a System-Assigned Managed Identity on a VM (Azure syntax)

<!-- language: lang-powershell -->
# Enable a system-assigned managed identity on an existing VM.
# Set-AzVM has no -AssignIdentity parameter; the identity is set with Update-AzVM.
$vm = Get-AzVM -ResourceGroupName "<resource-group-name>" -Name "<vm-name>"
Update-AzVM -ResourceGroupName "<resource-group-name>" -VM $vm -IdentityType SystemAssigned

# The identity's object ID is what roles and Key Vault access are granted to
(Get-AzVM -ResourceGroupName "<resource-group-name>" -Name "<vm-name>").Identity.PrincipalId

Where managed identities are available, an application running on the VM requests tokens from the local instance metadata endpoint and can reach resources such as Key Vault without any stored secret; the role assignment or access policy is made to the identity's object ID, exactly as it would be for a service principal.

Practice Test with Explanation

True/False: To grant an app access to resources in Azure Stack Hub, you always need to create a service principal.

  • Answer: True

Explanation: Roles can only be assigned to an identity, and an application's identity is its service principal. It may be created explicitly (for example with az ad sp create-for-rbac) or automatically when the application is registered, but either way the role assignment targets the service principal.

True/False: Role-Based Access Control (RBAC) is not available in Azure Stack Hub.

  • Answer: False

Explanation: Role-Based Access Control (RBAC) is available and widely used in Azure Stack Hub to manage permissions for both users and applications.

Which Azure AD feature is used to grant an application permissions to access Azure Stack Hub resources?

  • A) Application registrations
  • B) Azure AD Groups
  • C) Conditional Access
  • D) Multi-Factor Authentication

Answer: A) Application registrations

Explanation: An application registration in Azure AD defines the application and produces the service principal and credentials that Azure Stack Hub role assignments are granted to. Groups, Conditional Access and Multi-Factor Authentication govern users and sign-in conditions; they do not define an application.

Which of the following permissions is required for an app to read storage account data in Azure Stack Hub?

  • A) Owner
  • B) Contributor
  • C) Storage Account Contributor
  • D) Reader

Answer: D) Reader

Explanation: Of the four, Reader is the least-privilege choice and is enough to see the storage account resource. Note, though, that Reader grants read access to the control plane only (the account's properties through Azure Resource Manager). Reading the blobs, tables or queues themselves in Azure Stack Hub requires an account key or a SAS token, and fetching a key is a separate action (Microsoft.Storage/storageAccounts/listKeys/action) that Reader does not include. Owner, Contributor and Storage Account Contributor do include it, along with far broader rights; a custom role limited to read plus listKeys is the tighter option.
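To make the difference between the control plane and the data plane concrete, here is an added example (not from the original page) that checks which roles actually permit the listKeys action and then defines a custom role limited to reading the account and its keys. The built-in Reader role's only action pattern is `*/read`, which does not match an action ending in `/listKeys/action`. It assumes an existing Connect-AzAccount session against the Azure Stack Hub environment; the custom role definition at the end assumes custom roles are permitted in your subscription and uses a placeholder subscription ID.

```powershell
# Added example, not from the original page. Assumes an existing Connect-AzAccount session
# against the Azure Stack Hub environment; the custom role at the end assumes custom role
# definitions are allowed in your subscription and uses a placeholder subscription ID.
$listKeys = "Microsoft.Storage/storageAccounts/listKeys/action"

# Does a role definition permit a given action? Role actions are wildcard patterns
# ("*", "*/read", "Microsoft.Storage/*"), and NotActions subtract from Actions.
function Test-RoleAllowsAction {
    param([string]$RoleName, [string]$Action)
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) {
        return [pscustomobject]@{ Role = $RoleName; Allowed = $null; Note = "role not found" }
    }
    $granted = @($role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    [pscustomobject]@{ Role = $RoleName; Allowed = ($granted -and -not $denied); Note = "" }
}

"Reader", "Contributor", "Storage Account Contributor" |
    ForEach-Object { Test-RoleAllowsAction -RoleName $_ -Action $listKeys } |
    Format-Table -AutoSize

# Least-privilege alternative: a custom role that can read the account and fetch its keys
# and nothing else. Start from Reader's object so the shape is right, then overwrite it.
$subscriptionId = "<subscription-id>"
$custom = Get-AzRoleDefinition -Name Reader
$custom.Id          = $null
$custom.IsCustom    = $true
$custom.Name        = "Storage Key Reader (custom)"
$custom.Description = "Read storage account properties and retrieve the account keys"
$custom.Actions.Clear()
$custom.Actions.Add("Microsoft.Storage/storageAccounts/read")
$custom.Actions.Add($listKeys)
$custom.AssignableScopes.Clear()
$custom.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $custom
```

Because an account key grants full access to everything in the account, a service principal holding the custom role should still be assigned at the scope of the one storage account it needs, not at the subscription.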

True/False: Azure Active Directory (Azure AD) is the only identity provider supported by Azure Stack Hub for app authentication and authorization.

  • Answer: False

Explanation: Azure Stack Hub supports Azure AD and Active Directory Federation Services (AD FS) as identity providers for app authentication and authorization.

In Azure Stack Hub, which PowerShell cmdlet assigns a role at a subscription scope?

  • A) New-AzRoleDefinition
  • B) Set-AzRoleAssignment
  • C) New-AzRoleAssignment
  • D) Get-AzRoleAssignment

Answer: C) New-AzRoleAssignment

Explanation: The New-AzRoleAssignment cmdlet assigns an RBAC role to a user, group or service principal at a specified scope, such as a subscription. New-AzRoleDefinition creates a role, Get-AzRoleAssignment lists assignments, and there is no Set-AzRoleAssignment.

True/False: Once granted, application permissions to access resources in Azure Stack Hub cannot be revoked.

  • Answer: False

Explanation: Role assignments can be changed or removed at any time with Remove-AzRoleAssignment (or az role assignment delete), and the service principal's credentials can be removed or rotated independently of its roles. Treat both as part of offboarding an application: an identity with no roles can still obtain tokens until its credentials are gone.
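An added example (not from the original page) of the audit-then-revoke routine the explanation describes: list every assignment held by applications in the subscription, then strip one service principal of both its role assignments and its credentials and confirm nothing remains. It assumes an existing Connect-AzAccount session with rights to read and remove role assignments and to manage the service principal's credentials; the application name is a placeholder.

```powershell
# Added example, not from the original page. Assumes an existing Connect-AzAccount session
# with rights to read and remove role assignments in the current subscription and to manage
# the service principal's credentials; the application name is a placeholder.
$appName = "<application-name>"

# 0. Inventory: every role assignment in the subscription whose principal is an application
#    rather than a user or group. This is the list to review when auditing app access.
Get-AzRoleAssignment |
    Where-Object { $_.ObjectType -eq "ServicePrincipal" } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Sort-Object DisplayName | Format-Table -AutoSize

# 1. Everything one service principal holds, at any scope.
$sp = Get-AzADServicePrincipal -DisplayName $appName
if (-not $sp) { throw "No service principal named '$appName'" }
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 2. Revoke: remove each assignment. Narrow the loop if only one grant should go.
foreach ($a in $assignments) {
    Remove-AzRoleAssignment -ObjectId $sp.Id `
        -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
}

# 3. Roles and credentials are independent: with no roles the application can still get a
#    token, so remove its credentials as well when it is retired (one call per KeyId works
#    on every Az.Resources version).
Get-AzADSpCredential -ObjectId $sp.Id | ForEach-Object {
    Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $_.KeyId
}

# 4. Confirm nothing is left.
[pscustomobject]@{
    RoleAssignments = @(Get-AzRoleAssignment -ObjectId $sp.Id).Count
    Credentials     = @(Get-AzADSpCredential -ObjectId $sp.Id).Count
}
```

Step 0 is worth running on a schedule on its own: service principals with Owner or Contributor at subscription scope are the entries to question first.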

What must be configured to allow an app to interact with Azure Stack Hub’s APIs?

  • A) Network Security Group
  • B) API Profile
  • C) Service Principal
  • D) Public IP Address

Answer: C) Service Principal

Explanation: A service principal represents the application in Azure AD and needs to be configured to enable the app to interact with Azure Stack Hub’s APIs.

Which Azure CLI command is used to create a service principal?

  • A) az ad sp create-for-rbac
  • B) az ad app create
  • C) az role assignment create
  • D) az ad user create

Answer: A) az ad sp create-for-rbac

Explanation: The command ‘az ad sp create-for-rbac’ is used to create a service principal for RBAC.

True/False: You can assign multiple roles to the same service principal for granular access control.

  • Answer: True

Explanation: Multiple roles can be assigned to a single service principal enabling granular control over what resources the application can access.

To access the Key Vault in Azure Stack Hub, an application requires which permission?

  • A) Owner
  • B) Contributor
  • C) Key Vault Contributor
  • D) Key Vault Secrets User

Answer: D) Key Vault Secrets User

Explanation: Of the options, Key Vault Secrets User is the least-privilege choice: it is the Azure RBAC data-plane role that allows reading secret contents and nothing else, and it applies only to vaults that use the RBAC permission model. A vault that uses the access-policy model, which is how Key Vault in Azure Stack Hub grants data-plane access, instead gets an access policy for the service principal with the get (and, if needed, list) permission on secrets. Owner and Contributor manage the vault resource but do not by themselves read secrets; Contributor can, however, edit access policies, which is an escalation path worth keeping away from applications.
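An added example (not from the original page) of the access-policy form of that grant: read-only access to secrets for one service principal, a review of every policy on the vault, and the matching revocation. It assumes an existing Connect-AzAccount session against the Azure Stack Hub environment and uses placeholder vault and application names.

```powershell
# Added example, not from the original page. Assumes an existing Connect-AzAccount session
# against the Azure Stack Hub environment; the vault name and application (client) ID are
# placeholders.
$vaultName = "<vault-name>"
$appId     = "<application-id>"   # -ServicePrincipalName accepts the application ID

# Grant only get and list on secrets: no keys, no certificates, no set or delete.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToSecrets get, list

# Review every policy on the vault. Anything broader than an application needs, or any
# policy for an identity nobody recognises, stands out in this table.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Select-Object DisplayName, ObjectId,
        @{ Name = "Secrets";      Expression = { $_.PermissionsToSecrets -join "," } },
        @{ Name = "Keys";         Expression = { $_.PermissionsToKeys -join "," } },
        @{ Name = "Certificates"; Expression = { $_.PermissionsToCertificates -join "," } } |
    Format-Table -AutoSize

# Revoke when the application is retired; the service principal keeps its roles elsewhere,
# so handle those separately.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId
```

Keep the policy to `get` alone when the application reads secrets by known name; `list` reveals every secret name in the vault, which is information an attacker who compromises the application does not need.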

True/False: An application service principal can be used across different Azure Stack Hub deployments.

  • Answer: False

Explanation: Service principals are scoped to a single Azure Active Directory tenant and cannot be used across different Azure Stack Hub deployments unless those deployments are under the same AAD tenant.

Interview Questions

What is a service principal in Azure Active Directory (Azure AD)?

A service principal is a security identity used by applications, services, and tools to access resources in Azure.

How is a service principal different from a user account?

A service principal is not associated with a user account, and its credentials are separate from any user credentials.

What are the credentials for a service principal?

The service principal's credential is a client secret or, preferably, a certificate, which the application presents together with its client (application) ID and the tenant ID.

What is a client ID?

A client ID (also called the application ID) is the public, unique identifier of the application registration; it is not a secret, and the same value identifies the application's service principal.

What is a client secret?

A client secret is a string generated when the credential is created and shown only once; the application presents it to the identity provider to prove it is the registered application. It carries an expiry date and should be rotated before that date and revoked the moment it is suspected to have leaked.

How can a service principal be created in the Azure portal?

In the Azure portal, open Azure Active Directory, go to App registrations and select New registration; registering the application creates its service principal in the home tenant, and a credential is then added under Certificates & secrets.

How can a service principal be created using Azure CLI?

A service principal can be created using Azure CLI by running the command “az ad sp create-for-rbac”.

What is RBAC?

RBAC stands for role-based access control: access to resources is granted by assigning roles to users, groups, or service principals at a given scope, and each role is a named set of permitted actions.

How can a service principal be granted access to a resource?

A service principal can be granted access to a resource by assigning it a role with the appropriate permissions.

How can a service principal be used to authenticate an application or service?

The application uses the OAuth 2.0 client credentials flow: it sends its client ID together with its client secret or a certificate-based assertion to the identity provider's token endpoint and uses the returned access token on its calls to Azure Stack Hub. The client ID can live in ordinary configuration; the secret or private key must come from a secret store, an environment variable or a certificate store at run time and must never be hard-coded in source code.
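An added example (not from the original page) of authenticating as a service principal from PowerShell without embedding a credential in the script: a certificate is used when its thumbprint is supplied, otherwise the client secret is read from an environment variable at run time. It assumes the Azure Stack Hub environment was registered with Add-AzEnvironment under the name used below, that the certificate and its private key are installed in the current user's certificate store for the certificate variant, and that the host or a CI secret store sets APP_CLIENT_SECRET for the secret variant; the application ID and tenant ID are placeholders.

```powershell
# Added example, not from the original page. Assumptions: the Azure Stack Hub environment
# is registered with Add-AzEnvironment as "AzureStackUser"; the application ID and tenant
# ID are placeholders; for the certificate variant the certificate and its private key are
# in the current user's certificate store; for the secret variant the secret arrives via
# the APP_CLIENT_SECRET environment variable set by the host or a CI secret store.
param(
    [string]$EnvironmentName = "AzureStackUser",
    [string]$ApplicationId   = "<application-id>",
    [string]$TenantId        = "<tenant-id>",
    [string]$CertificateThumbprint                  # empty selects the secret variant
)

if ($CertificateThumbprint) {
    # Preferred: certificate credential. The script holds only the thumbprint; the private
    # key never leaves the certificate store and cannot leak through logs or source control.
    Connect-AzAccount -ServicePrincipal -EnvironmentName $EnvironmentName `
        -ApplicationId $ApplicationId -Tenant $TenantId `
        -CertificateThumbprint $CertificateThumbprint | Out-Null
}
else {
    # Fallback: client secret read at run time. Fail fast if it is missing rather than
    # dropping into an interactive login that would hide the misconfiguration.
    $secret = $env:APP_CLIENT_SECRET
    if ([string]::IsNullOrEmpty($secret)) { throw "APP_CLIENT_SECRET is not set" }
    $secure     = ConvertTo-SecureString $secret -AsPlainText -Force
    $credential = New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList $ApplicationId, $secure
    Connect-AzAccount -ServicePrincipal -EnvironmentName $EnvironmentName `
        -Tenant $TenantId -Credential $credential | Out-Null
}

# The token is bound to this identity, tenant and environment; confirm before doing work.
Get-AzContext | Select-Object Account, Tenant, Subscription, Environment
```

Under the Az modules the same session object then carries the token to every later cmdlet, so the credential is touched exactly once, at the top of the script.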

Virgil Pearson
1 year ago

How can I grant an app access to resources in Azure Stack Hub?

Kübra Akar
1 year ago

Thanks for this blog post!

Zeferino Zavala
1 year ago

Can I use service principal for access control in Azure Stack Hub?

میلاد سهيلي راد

This guide could have been more detailed.

Ullrich Freier
1 year ago

What roles are typically needed for an app accessing resources on Azure Stack Hub?

Umut Berberoğlu
1 year ago

Does someone have a script to automate this process?

محمدپارسا نجاتی

I followed the steps but my app still can’t access the resources.

Tvorislav Sushchenko
8 months ago

Is there any way to audit the access given to apps?
