Use an Azure service principal with password-based authentication

When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: password-based authentication and certificate-based authentication. Password-based authentication is good to use when learning about service principals, but we recommend using certificate-based authentication for applications.

This step in the tutorial explains how to use a service principal password to access an Azure resource.

Create a service principal containing a password

The default behavior of az ad sp create-for-rbac is to create a service principal with a random password.

az ad sp create-for-rbac --name myServicePrincipalName \
                         --role reader \
                         --scopes /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName

Output Console:

{
  "appId": "myServicePrincipalId",
  "displayName": "myServicePrincipalName",
  "password": "myServicePrincipalPassword",
  "tenant": "myOrganizationTenantId"
}

The output for a service principal with password authentication includes the password key. Make sure you copy this value - it can't be retrieved. If you lose the password, reset the service principal credentials.

Sign in using a service principal using a password

Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need the appId (also known as "service principal ID", "username" or "assignee"), tenant, and password. Here's an example:

az login --service-principal \
         --username myServicePrincipalId \
         --password myServicePrincipalPassword \
         --tenant myOrganizationTenantID

If you don't know your appId or --tenant, retrieve it by using the az ad sp list command.

spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:appId}" --output tsv)
tenantID=$(az ad sp list --display-name myServicePrincipalName --query "[].{tenant:appOwnerOrganizationId}" --output tsv)
echo "Using appId $spID in tenant $tenantID"

az login --service-principal \
         --username $spID \
         --password {paste your password here} \
         --tenant $tenantID

If you're testing in an organization that requires two-factor authentication, error message "...Interactive authentication is needed..." is displayed. As an alternative, use a certificate or managed identities.

Important

If you want to avoid displaying your password on console and are using az login interactively, use the read -s command in bash.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>

In PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>

Next Steps

Now that you've learned how to work with service principals using a password, proceed to the next step to learn how to use service principals with certificate-based authentication.