---
title: Create identity for Azure app in portal | Microsoft Docs
description: Describes how to create a new Active Directory application and service principal that can be used with the role-based access control in Azure Resource Manager to manage access to resources.
services: azure-resource-manager
documentationcenter: na
author: tfitzmac
manager: timlt
editor: tysonn
ms.assetid: 7068617b-ac5e-47b3-a1de-a18c918297b6
ms.service: azure-resource-manager
ms.devlang: na
ms.topic: article
ms.tgt_pltfrm: na
ms.workload: na
ms.date: 01/17/2017
ms.author: tomfitz
---

# Create identity for Azure app in portal
When you have an application that needs to access or modify resources, you must set up an Active Directory (AD) application and assign the required permissions to it. This approach is preferable to running the app under your own credentials because:
- You can assign permissions to the app identity that are different from your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.
- You do not have to change the app's credentials if your responsibilities change.
- You can use a certificate to automate authentication when executing an unattended script.
This topic shows you how to perform those steps through the portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization.
## Required permissions

To complete this topic, you must have sufficient permissions to register an application with your Active Directory, and assign the application to a role in your Azure subscription. Let's make sure you have the right permissions to perform those steps.

### Check Azure Active Directory permissions

1. Log in to your Azure account through the Azure portal.
2. Select **Azure Active Directory**.
3. In your Active Directory, select **User settings**.
4. Check the **App registrations** setting. If it is set to **Yes**, non-admin users can register AD apps, which means any user in the Active Directory can register an app. You can proceed to Check Azure subscription permissions.
5. If the **App registrations** setting is set to **No**, only admin users can register apps, so you need to check whether your account is an admin for the Active Directory. Select **Overview**, then **Find a user** from **Quick tasks**.
6. Search for your account, and select it when you find it.
7. For your account, select **Directory role**.
8. View your assigned role for the Active Directory. If your account is assigned to the **User** role, but the app registration setting (from the preceding steps) is limited to admin users, ask your administrator either to assign you to an administrator role or to enable users to register apps.
### Check Azure subscription permissions

In your Azure subscription, your account must have `Microsoft.Authorization/*/Write` access to assign an AD app to a role. This action is granted through the Owner role or the User Access Administrator role. If your account is assigned to the Contributor role, you do not have adequate permission, and you receive an error when attempting to assign the service principal to a role.
To check your subscription permissions:

1. If you are not already looking at your Active Directory account from the preceding steps, select **Azure Active Directory** from the left pane.
2. Find your Active Directory account. Select **Overview**, then **Find a user** from **Quick tasks**.
3. Search for your account, and select it when you find it.
4. Select **Azure resources**.
5. View your assigned roles, and determine whether you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you to the User Access Administrator role. In the following image, the user is assigned to the Owner role for two subscriptions, which means that user has adequate permissions.
## Create an Azure Active Directory application

1. Log in to your Azure account through the Azure portal.
2. Select **Azure Active Directory**.
3. Select **App registrations**.
4. Select **Add**.
5. Provide a name and URL for the application. Select either **Web app / API** or **Native** for the type of application you want to create. After setting the values, select **Create**.

You have created your application.
## Get application ID and authentication key

When programmatically logging in, you need the ID for your application and an authentication key. To get those values, use the following steps:

1. From **App registrations** in Active Directory, select your application.
2. Copy the **Application ID** and store it in your application code. The applications in the sample applications section refer to this value as the client ID.
3. To generate an authentication key, select **Keys**.
4. Provide a description of the key, and a duration for the key. When done, select **Save**.

After saving the key, the value of the key is displayed. Copy this value now, because you are not able to retrieve the key later. You provide the key value together with the application ID to log in as the application. Store the key value where your application can retrieve it.
## Get tenant ID

When programmatically logging in, you need to pass the tenant ID with your authentication request.

1. To get the tenant ID, select **Properties** for your Active Directory.
2. Copy the **Directory ID**. This value is your tenant ID.
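The three values collected in the preceding sections (application ID, key, tenant ID) are exactly what a client-credentials sign-in needs. The following Python example is added here and is not code from the Azure documentation or its sample applications. It assumes the Azure AD OAuth 2.0 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token`, the Resource Manager resource URI `https://management.azure.com/`, and the `appid`, `tid` and `aud` claims in the issued token; the environment variable names are this example's own choice, and the unsigned token built by `_make_unsigned_token` is a constructed fixture for offline use.

```python
"""Sign in as the AD application with the application ID, key and tenant ID.

Added example, not from the Azure documentation. Assumes the Azure AD v1
token endpoint and the Azure Resource Manager resource URI named below.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"


def load_credentials(env=os.environ):
    """Read tenant ID, application (client) ID and key from the environment.

    The key is shown once in the portal and is never written into source
    here; the variable names are this example's assumption.
    """
    try:
        return {
            "tenant_id": env["AZURE_TENANT_ID"],
            "client_id": env["AZURE_CLIENT_ID"],
            "client_secret": env["AZURE_CLIENT_SECRET"],
        }
    except KeyError as missing:
        raise RuntimeError(f"missing credential setting {missing}") from None


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # the Application ID from the portal
        "client_secret": client_secret,  # the key value saved from the Keys blade
        "resource": ARM_RESOURCE,        # audience: Azure Resource Manager
    })
    return url, form.encode("utf-8")


def request_token(creds):
    """POST the token request and return the raw JSON response (needs network)."""
    url, body = build_token_request(**creds)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def parse_token_response(raw_json):
    """Extract the bearer token, surfacing an Azure AD error response as an exception."""
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload for logging and diagnostics only.

    No signature is verified here, so the result must not drive any
    authorization decision; Resource Manager validates the token itself.
    """
    return json.loads(_b64url_decode(access_token.split(".")[1]))


def describe_identity(access_token):
    """Report which app, tenant and audience the token was issued for."""
    c = token_claims(access_token)
    return {"appid": c.get("appid"), "tid": c.get("tid"), "aud": c.get("aud")}


def _make_unsigned_token(claims):
    """Constructed, unsigned JWT (empty signature segment) for offline tests."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    token = parse_token_response(request_token(load_credentials()))
    print(describe_identity(token))
```

Running the module signs in and prints the identity claims of the returned token; the helpers are split so the request construction and response handling can be exercised without a network connection.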
## Assign application to role

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built-in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.
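Two rules in this topic decide whether a request succeeds: the role's Actions minus its NotActions must cover the requested action (which is why Contributor cannot assign roles while Owner and User Access Administrator can), and the assignment's scope must be the target or one of its ancestors. The following Python model is an added example, not Azure's own authorization code. The role definitions are simplified from the built-in Owner, Contributor, Reader and User Access Administrator roles, and the subscription, resource group and resource IDs are constructed.

```python
"""Model RBAC action matching and scope inheritance for role assignments.

Added example, not from the Azure documentation. Role definitions are
simplified from the built-in roles; all IDs below are constructed.
"""
import re

# Simplified built-in roles as (Actions, NotActions). The RBAC wildcard '*'
# matches any run of characters, including '/'.
BUILT_IN_ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}


def action_matches(pattern, action):
    """RBAC wildcard match: '*' spans any characters; comparison ignores case."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role_name, action):
    """A role grants an action when an Actions entry matches and no NotActions entry does."""
    actions, not_actions = BUILT_IN_ROLES[role_name]
    granted = any(action_matches(a, action) for a in actions)
    excluded = any(action_matches(n, action) for n in not_actions)
    return granted and not excluded


def scope_covers(assignment_scope, target_scope):
    """Permissions are inherited downward: an assignment applies to its scope and every child scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_permitted(assignments, principal, action, target_scope):
    """Evaluate (principal, role, scope) assignments for one request."""
    return any(
        p == principal and role_allows(role, action) and scope_covers(scope, target_scope)
        for p, role, scope in assignments
    )


# Constructed sample scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/app-rg"
RG_OTHER = SUB + "/resourceGroups/other-rg"
STORAGE = RG_APP + "/providers/Microsoft.Storage/storageAccounts/appstore"

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
STORAGE_READ = "Microsoft.Storage/storageAccounts/read"

# Constructed assignments: a Contributor, a User Access Administrator, and the
# AD application given Reader on a single resource group.
ASSIGNMENTS = [
    ("alice", "Contributor", SUB),
    ("bob", "User Access Administrator", SUB),
    ("my-ad-app", "Reader", RG_APP),
]

if __name__ == "__main__":
    for role in BUILT_IN_ROLES:
        print(f"{role}: can assign roles = {role_allows(role, ROLE_ASSIGNMENT_WRITE)}")
    print("app reads storage in app-rg:", is_permitted(ASSIGNMENTS, "my-ad-app", STORAGE_READ, STORAGE))
    print("app reads other-rg:", is_permitted(ASSIGNMENTS, "my-ad-app", STORAGE_READ, RG_OTHER))
```

The Reader assignment on `app-rg` reaches the storage account beneath it but nothing in `other-rg`, which is the inheritance behaviour the paragraph above describes; the Contributor case shows why the subscription-permission check earlier in this topic insists on Owner or User Access Administrator.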
1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select **Subscriptions**. You could instead select a resource group or resource.
2. Select the particular subscription (resource group or resource) to assign the application to.
3. Select **Access Control (IAM)**.
4. Select **Add**.
5. Select the role you wish to assign to the application. The following image shows the **Reader** role.
6. Search for your application, and select it.
7. Select **OK** to finish assigning the role. You see your application in the list of users assigned to a role for that scope.
Your application is now set up in Active Directory. You have an ID and key to use for signing in as the application. The application is assigned to a role that gives it certain actions it can perform.
To log in through PowerShell, see Provide credentials through PowerShell.
To log in through Azure CLI, see Provide credentials through Azure CLI.
To get the access token for REST operations, see Create the request.
Look at the following sample applications to learn about logging in through application code.
## Sample applications

The following sample applications show how to log in as the AD application.

### .NET

- Deploy an SSH Enabled VM with a Template with .NET
- Manage Azure resources and resource groups with .NET

### Java

- Getting Started with Resources - Deploy Using Azure Resource Manager Template - in Java
- Getting Started with Resources - Manage Resource Group - in Java

### Python

- Deploy an SSH Enabled VM with a Template in Python
- Managing Azure Resource and Resource Groups with Python

### Node.js

- Deploy an SSH Enabled VM with a Template in Node.js
- Manage Azure resources and resource groups with Node.js

### Ruby

- Deploy an SSH Enabled VM with a Template in Ruby
- Managing Azure Resource and Resource Groups with Ruby
## Next steps

- To set up a multi-tenant application, see Developer's guide to authorization with the Azure Resource Manager API.
- To learn about specifying security policies, see Azure Role-based Access Control.