Azure authentication with service principal

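This article looks at how the Azure Identity library supports Microsoft Entra token authentication via service principal. This article covers the following subjects:

  • Create a service principal with the Azure CLI
  • Client secret credential
  • Client certificate credential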

For more information, see Application and service principal objects in Microsoft Entra ID. For troubleshooting service principal authentication issues, see Troubleshoot service principal authentication.

Create a service principal with the Azure CLI

Use the following Azure CLI examples to create or get client secret credentials.

Use the following command to create a service principal and configure its access to Azure resources:

az ad sp create-for-rbac \
    --name <your application name> \
    --role Contributor \
    --scopes /subscriptions/mySubscriptionID

This command returns a value similar to the following output:

{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
}

Use the following command to create a service principal along with a certificate. Note down the path/location of this certificate.

az ad sp create-for-rbac \
    --name <your application name> \
    --role Contributor \
    --cert <certificate name> \
    --create-cert

Check the returned credentials and note down the following information:

  • AZURE_CLIENT_ID for the appId.
  • AZURE_CLIENT_SECRET for the password.
  • AZURE_TENANT_ID for the tenant.

Client secret credential

This credential authenticates the created service principal through its client secret (password). This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientSecretCredential.

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 *  Authenticate with client secret.
 */
ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
  .clientId("<your client ID>")
  .clientSecret("<your client secret>")
  .tenantId("<your tenant ID>")
  .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(clientSecretCredential)
  .buildClient();
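The values noted down from the CLI output (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) can be read from the environment at startup so the client secret never appears in source code. The following is an added example, not code from the original article; the class name, the requireEnv helper, and the KEY_VAULT_URL and SECRET_NAME variable names are assumptions made for illustration.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public final class ServicePrincipalFromEnv {

    // Hypothetical helper: returns the variable's value, or fails fast
    // naming only the variable (never its contents).
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing environment variable: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        // Same builder calls as the article's snippet, with the literals
        // replaced by values taken from the process environment.
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
            .clientId(requireEnv("AZURE_CLIENT_ID"))
            .clientSecret(requireEnv("AZURE_CLIENT_SECRET"))
            .tenantId(requireEnv("AZURE_TENANT_ID"))
            .build();

        SecretClient client = new SecretClientBuilder()
            .vaultUrl(requireEnv("KEY_VAULT_URL"))   // assumed variable name
            .credential(credential)
            .buildClient();

        try {
            KeyVaultSecret secret = client.getSecret(requireEnv("SECRET_NAME")); // assumed variable name
            // Print only metadata; the secret value stays out of stdout and logs.
            System.out.println("Retrieved secret: " + secret.getName());
        } catch (HttpResponseException e) {
            // Includes ClientAuthenticationException (a subclass) as well as
            // HTTP errors returned by Key Vault, such as a denied request.
            System.err.println("Key Vault request failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```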

Client certificate credential

This credential authenticates the created service principal through its client certificate. This example demonstrates authenticating the SecretClient from the azure-security-keyvault-secrets client library using the ClientCertificateCredential.

import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 *  Authenticate with a client certificate.
 */
ClientCertificateCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
  .clientId("<your client ID>")
  .pemCertificate("<path to PEM certificate>")
  // Choose between either a PEM certificate or a PFX certificate.
  //.pfxCertificate("<path to PFX certificate>", "PFX CERTIFICATE PASSWORD")
  .tenantId("<your tenant ID>")
  .build();

// Azure SDK client builders accept the credential as a parameter.
SecretClient client = new SecretClientBuilder()
  .vaultUrl("https://<your Key Vault name>.vault.azure.net")
  .credential(clientCertificateCredential)
  .buildClient();

Next steps

This article covered authentication via service principal. This form of authentication is one of multiple ways you can authenticate in the Azure SDK for Java. The following articles describe other ways:

If you run into issues related to service principal authentication, see Troubleshoot service principal authentication.

After you've mastered authentication, see Configure logging in the Azure SDK for Java for information on the logging functionality provided by the SDK.