How to Create Azure Service Principal with Certificates (PowerShell)

Published:1 October 2024 - 1 min. read

Today’s sponsor is n8n, the AI-native workflow automation tool built for ITOps and DevSecOps. With 100+ templates to get you started quickly and a powerful visual editor, you can automate complex workflows without giving up control. Check it out here.

When working with Azure, authenticating service principals securely is essential. While client secrets are commonly used, certificates offer a more secure option. In this guide, we will walk through how to create and use a self-signed certificate to authenticate a service principal in Azure.

Step 1: Switching to the Admin Account

Before beginning, ensure you’re logged in with the appropriate admin credentials:

Disconnect-AzAccount
Connect-AzAccount

This ensures you’re operating as a global admin in Entra ID.

Step 2: Creating a Self-Signed Certificate

Next, instead of using a client secret, we’ll create a self-signed certificate. In PowerShell, use the `New-SelfSignedCertificate` command to generate it:

$cert = New-SelfSignedCertificate -DnsName AzureVMManagement -CertStoreLocation cert:\CurrentUser\My

This command creates a certificate named `AzureVMManagement` and stores it in the user’s certificate store.

Step 3: Exporting the Private Key

To link the certificate to the Azure application, you need to export the private key:

$secPassword = ConvertTo-SecureString -String "P@ss0word!" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\VMManagementAppPrivateKey.pfx -Password $secPassword

Here, the private key is protected with a password and exported to a `.pfx` file.

Step 4: Importing the Certificate

Now that the certificate is exported, it needs to be imported back as a base-64 encoded binary array for Azure:

$PfxCertificate = Get-PfxCertificate -FilePath C:\VMManagementAppPrivateKey.pfx -Password $secPassword
$keyValue = [System.Convert]::ToBase64String($PfxCertificate.GetRawCertData())

This converts the certificate data into a format suitable for Azure’s requirements.

Step 5: Adding the Certificate to the Application

Find your application by name and add the certificate:

$app = Get-AzADApplication -DisplayName VMManagement
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $keyValue -StartDate $PfxCertificate.NotBefore -EndDate $PfxCertificate.NotAfter

This command attaches the base-64 certificate to the Azure application with valid start and end dates.

Step 6: Removing Old Certificates

If there are old certificates on the application, clean them up:

$oldCerts = (Get-AzADApplication -DisplayName VMManagement).KeyCredentials | sort enddatetime | select -SkipLast 1
$oldCerts | foreach { remove-AzADAppCredential -ApplicationId $app.AppId -KeyId $_.KeyId }

This removes all but the latest certificate, ensuring only the active one remains.

Step 7: Authenticating with the New Certificate

Finally, test authentication using the newly created certificate:

Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.TenantId

If everything is set up correctly, this will allow you to authenticate to Azure using the service principal and the new certificate.

Step 8: Testing Permissions

Test if the service principal’s permissions are intact:

Get-AzVM

You should be able to manage VMs. For further testing, try a disallowed action:

Get-AzADApplication

This should be blocked if the permissions are correctly set.

Step 9: Removing the Certificate

To see what happens if the certificate is removed:

$cert | Remove-Item
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.TenantId

Without the certificate, the authentication will fail, as Azure requires the certificate to establish trust.

Always ensure certificates are stored safely to prevent any authentication issues.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!