Tutorial / Cram Notes
A service principal is an identity used by applications or services to access specific Azure Stack Hub resources. It is essentially an instance of an application in Azure AD and is used to define what access the application has and which policies are applied.
When an application needs to access resources, it must authenticate with Azure AD using its service principal. Azure AD checks the credentials and determines whether the access can be granted based on the permissions assigned to the service principal.
Assigning Roles and Permissions
Azure Stack Hub utilizes Azure Role-Based Access Control (RBAC) to manage who has access to what. Here’s how to assign roles and permissions to a service principal:
- Select the scope: Define at which level the permissions should be applied (subscription, resource group, or resource).
- Choose the role: Assign a role that provides the appropriate rights for the application. For example, use the Reader role for read-only access and Contributor or Owner for broader access.
- Assign the role to the service principal: This links the role to the application’s identity.
Example – Assigning a Role to a Service Principal through Azure PowerShell
```powershell
# Log in to Azure Stack Hub
Connect-AzAccount -EnvironmentName "<your-environment>"

# Get the service principal
$servicePrincipal = Get-AzADServicePrincipal -DisplayName "<application-name>"

# Assign the Reader role at the subscription scope to the service principal
# (-ServicePrincipalName takes the application (client) ID; newer Az.Resources
# releases expose it as .AppId instead of .ApplicationId)
New-AzRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $servicePrincipal.ApplicationId -Scope "/subscriptions/<subscription-id>"
```
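The three steps above (scope, role, assignment) as an added Azure PowerShell example that is not part of the original notes: it grants Reader at resource-group scope instead of the whole subscription, skips the assignment if it already exists, and then lists every role the principal holds so the result can be reviewed. The ARM endpoint, tenant ID and the names in angle brackets are placeholders you supply.

```powershell
# Added example (not from the original notes). Values in <> are placeholders.

# Register the Azure Stack Hub user endpoint once per session
Add-AzEnvironment -Name "AzureStackUser" -ArmEndpoint "https://management.<region>.<fqdn>" | Out-Null
Connect-AzAccount -EnvironmentName "AzureStackUser" -Tenant "<tenant-id>"

$spn   = Get-AzADServicePrincipal -DisplayName "<application-name>"

# Narrowest scope that still covers what the app needs: one resource group
$scope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"

# Create the assignment only if it is not already present (idempotent re-runs)
$existing = Get-AzRoleAssignment -ObjectId $spn.Id -RoleDefinitionName Reader -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $spn.Id -RoleDefinitionName Reader -Scope $scope
}

# Review everything this service principal can do, at every scope
Get-AzRoleAssignment -ObjectId $spn.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Running the last command periodically is a simple way to catch role assignments that have accumulated beyond what the application needs.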
Creating a Service Principal for an Application
Example – Creating a Service Principal using Azure CLI
```shell
# Create a service principal with a client secret
# (recent Azure CLI releases no longer accept --password and generate the secret for you)
az ad sp create-for-rbac --name "<app-name>" --password "<secure-password>"
```
This command will provision a new service principal and display the app ID, tenant, and other details, which are necessary for the application to authenticate.
Enabling Application Access to Azure Stack Hub Services
Some Azure Stack Hub services might require additional configuration to enable access by applications.
- API Apps: Set up CORS rules to permit your application to make cross-origin calls to the API app.
- App Services: Configure the app service with the application settings, such as client ID and client secret, so it can authenticate with Azure AD.
- SQL Databases: Ensure the application has connection strings and credentials with the appropriate permissions in Azure SQL Database.
Using Managed Identities
Azure Stack Hub also supports managed identities, which provide an identity for applications to use when connecting to resources that support Azure AD authentication, without needing to manage credentials.
Example – Enabling a Managed Identity for an Azure Stack Hub VM
```powershell
# Enable system-assigned managed identity on an existing VM
Set-AzVM -ResourceGroupName "<resource-group-name>" -Name "<vm-name>" -AssignIdentity:$true
```
With this identity, an application running on the VM can securely access other Azure Stack Hub resources like Azure Key Vault.
Practice Test with Explanation
True/False: To grant an app access to resources in Azure Stack Hub, you always need to create a service principal.
- Answer: True
Explanation: Creating a service principal is a common way to give an application access to Azure Stack Hub resources with the necessary permissions.
True/False: Role-Based Access Control (RBAC) is not available in Azure Stack Hub.
- Answer: False
Explanation: Role-Based Access Control (RBAC) is available and widely used in Azure Stack Hub to manage permissions for both users and applications.
Which Azure AD feature is used to grant an application permissions to access Azure Stack Hub resources?
- A) Application registrations
- B) Azure AD Groups
- C) Conditional Access
- D) Multi-Factor Authentication
Answer: A) Application registrations
Explanation: Application registrations in Azure AD are used to define an application and grant it permissions to access Azure Stack Hub resources.
Which of the following permissions is required for an app to read storage account data in Azure Stack Hub?
- A) Owner
- B) Contributor
- C) Storage Account Contributor
- D) Reader
Answer: D) Reader
Explanation: The Reader role is sufficient for an app to have read-only access to storage account data.
True/False: Azure Active Directory (Azure AD) is the only identity provider supported by Azure Stack Hub for app authentication and authorization.
- Answer: False
Explanation: Azure Stack Hub supports Azure AD and Active Directory Federation Services (AD FS) as identity providers for app authentication and authorization.
In Azure Stack Hub, which PowerShell cmdlet assigns a role at a subscription scope?
- A) New-AzRoleDefinition
- B) Set-AzRoleAssignment
- C) New-AzRoleAssignment
- D) Get-AzRoleAssignment
Answer: C) New-AzRoleAssignment
Explanation: The New-AzRoleAssignment cmdlet is used to assign an RBAC role to a service principal at a specified scope, such as a subscription.
True/False: Once granted, application permissions to access resources in Azure Stack Hub cannot be revoked.
- Answer: False
Explanation: Permissions can be modified or revoked anytime in Azure Stack Hub, providing flexibility and security control over resources.
What must be configured to allow an app to interact with Azure Stack Hub’s APIs?
- A) Network Security Group
- B) API Profile
- C) Service Principal
- D) Public IP Address
Answer: C) Service Principal
Explanation: A service principal represents the application in Azure AD and needs to be configured to enable the app to interact with Azure Stack Hub’s APIs.
Which Azure CLI command is used to create a service principal?
- A) az ad sp create-for-rbac
- B) az ad app create
- C) az role assignment create
- D) az ad user create
Answer: A) az ad sp create-for-rbac
Explanation: The command ‘az ad sp create-for-rbac’ is used to create a service principal for RBAC.
True/False: You can assign multiple roles to the same service principal for granular access control.
- Answer: True
Explanation: Multiple roles can be assigned to a single service principal enabling granular control over what resources the application can access.
To access the Key Vault in Azure Stack Hub, an application requires which permission?
- A) Owner
- B) Contributor
- C) Key Vault Contributor
- D) Key Vault Secrets User
Answer: D) Key Vault Secrets User
Explanation: The Key Vault Secrets User role allows applications to read secrets from the Key Vault, which is typically needed for applications that require access to secure information.
True/False: An application service principal can be used across different Azure Stack Hub deployments.
- Answer: False
Explanation: Service principals are scoped to a single Azure Active Directory tenant and cannot be used across different Azure Stack Hub deployments unless those deployments are under the same AAD tenant.
Interview Questions
What is a service principal in Azure Active Directory (Azure AD)?
A service principal is a security identity used by applications, services, and tools to access resources in Azure.
How is a service principal different from a user account?
A service principal is not associated with a user account, and its credentials are separate from any user credentials.
What are the credentials for a service principal?
The credentials for a service principal include a client ID and a client secret.
What is a client ID?
A client ID is a unique identifier for a service principal.
What is a client secret?
A client secret is a secure string that is used to authenticate the service principal when accessing resources.
How can a service principal be created in the Azure portal?
A service principal can be created in the Azure portal by navigating to the App registrations section of Azure AD and selecting New registration.
How can a service principal be created using Azure CLI?
A service principal can be created using Azure CLI by running the command “az ad sp create-for-rbac”.
What is RBAC?
RBAC stands for role-based access control and is a method of controlling access to resources based on the roles assigned to users and groups.
How can a service principal be granted access to a resource?
A service principal can be granted access to a resource by assigning it a role with the appropriate permissions.
How can a service principal be used to authenticate an application or service?
A service principal can be used to authenticate an application or service by including the client ID and client secret in the application or service code.
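The sign-in described in this answer, using the app ID, tenant and secret that the Azure CLI command in the earlier section prints, as an added PowerShell example that is not part of the original notes: the service principal authenticates to Azure Stack Hub with its client ID and client secret, reads them from environment variables (ASH_APP_ID, ASH_TENANT_ID and ASH_CLIENT_SECRET are assumed names) rather than having them typed into the script, and then performs a read to confirm its assigned role works. The ARM endpoint is a placeholder.

```powershell
# Added example (not from the original notes). Environment variable names are assumptions.
$appId    = $env:ASH_APP_ID          # appId printed by 'az ad sp create-for-rbac'
$tenantId = $env:ASH_TENANT_ID       # tenant printed by the same command
$secret   = $env:ASH_CLIENT_SECRET   # the client secret (password)

# Build a credential object: user name = client ID, password = client secret
$secure = ConvertTo-SecureString $secret -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($appId, $secure)

# Point Az at the Azure Stack Hub user endpoint (placeholder ARM URL)
Add-AzEnvironment -Name "AzureStackUser" -ArmEndpoint "https://management.<region>.<fqdn>" | Out-Null

# Authenticate as the service principal rather than as a user
Connect-AzAccount -EnvironmentName "AzureStackUser" -ServicePrincipal -Credential $cred -Tenant $tenantId

# Confirm the principal sees only the resources its role permits
Get-AzResource | Select-Object Name, ResourceType, ResourceGroupName

# Drop the plaintext secret from the session once the connection is established
Remove-Variable secret, secure, cred
```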
How can I grant an app access to resources in Azure Stack Hub?
Thanks for this blog post!
Can I use service principal for access control in Azure Stack Hub?
This guide could have been more detailed.
What roles are typically needed for an app accessing resources on Azure Stack Hub?
Does someone have a script to automate this process?
I followed the steps but my app still can’t access the resources.
Is there any way to audit the access given to apps?