Use an Azure service principal with password-based authentication
When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: password-based authentication and certificate-based authentication. Password-based authentication is good to use when learning about service principals, but we recommend using certificate-based authentication for applications.
This step in the tutorial explains how to use a service principal password to access an Azure resource.
Create a service principal containing a password
The default behavior of az ad sp create-for-rbac is to create a service principal with a random password.
az ad sp create-for-rbac --name myServicePrincipalName \
--role reader \
--scopes /subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName
Output Console:
{
"appId": "myServicePrincipalId",
"displayName": "myServicePrincipalName",
"password": "myServicePrincipalPassword",
"tenant": "myOrganizationTenantId"
}
The output for a service principal with password authentication includes the password key. Make sure you copy this value - it can't be retrieved. If you lose the password, reset the service principal credentials.
Sign in using a service principal using a password
Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need the appId (also known as "service principal ID", "username" or "assignee"), tenant, and password. Here's an example:
az login --service-principal \
--username myServicePrincipalId \
--password myServicePrincipalPassword \
--tenant myOrganizationTenantID
If you don't know your appId or --tenant, retrieve it by using the az ad sp list command.
spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:appId}" --output tsv)
tenantID=$(az ad sp list --display-name myServicePrincipalName --query "[].{tenant:appOwnerOrganizationId}" --output tsv)
echo "Using appId $spID in tenant $tenantID"
az login --service-principal \
--username $spID \
--password {paste your password here} \
--tenant $tenantID
If you're testing in an organization that requires two-factor authentication, error message "...Interactive authentication is needed..." is displayed. As an alternative, use a certificate or managed identities.
Important
If you want to avoid displaying your password on console and are using az login interactively,
use the read -s command in bash.
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>
In PowerShell, use the Get-Credential cmdlet.
$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
Next Steps
Now that you've learned how to work with service principals using a password, proceed to the next step to learn how to use service principals with certificate-based authentication.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for