How to: Generate a new Microsoft Entra ID application and Service Principal
Prerequisites
- An Azure subscription
- Azure CLI
- jq
- OpenSSL (included by default on all Linux and macOS systems, as well as on WSL)
- Make sure you’re using a bash or zsh shell
Log into Azure using the Azure CLI
In a new terminal, run the following command:
az login
az account set -s [your subscription id]
Create an Microsoft Entra ID application
Create the Microsoft Entra ID application with:
# Friendly name for the application / Service Principal
APP_NAME="dapr-application"
# Create the app
APP_ID=$(az ad app create --display-name "${APP_NAME}" | jq -r .appId)
Select how you’d prefer to pass credentials.
To create a client secret, run the following command.
az ad app credential reset \
--id "${APP_ID}" \
--years 2
This generates a random, 40-characters long password based on the base64
charset. This password will be valid for 2 years, before you need to rotate it.
Save the output values returned; you’ll need them for Dapr to authenticate with Azure. The expected output:
{
"appId": "<your-app-id>",
"password": "<your-password>",
"tenant": "<your-azure-tenant>"
}
When adding the returned values to your Dapr component’s metadata:
appId
is the value forazureClientId
password
is the value forazureClientSecret
(this was randomly-generated)tenant
is the value forazureTenantId
For a PFX (PKCS#12) certificate, run the following command to create a self-signed certificate:
az ad app credential reset \
--id "${APP_ID}" \
--create-cert
Note: Self-signed certificates are recommended for development only. For production, you should use certificates signed by a CA and imported with the
--cert
flag.
The output of the command above should look like:
Save the output values returned; you’ll need them for Dapr to authenticate with Azure. The expected output:
{
"appId": "<your-app-id>",
"fileWithCertAndPrivateKey": "<file-path>",
"password": null,
"tenant": "<your-azure-tenant>"
}
When adding the returned values to your Dapr component’s metadata:
appId
is the value forazureClientId
tenant
is the value forazureTenantId
fileWithCertAndPrivateKey
indicates the location of the self-signed PFX certificate and private key. Use the contents of that file asazureCertificate
(or write it to a file on the server and useazureCertificateFile
)
Note: While the generated file has the
.pem
extension, it contains a certificate and private key encoded as PFX (PKCS#12).
Create a Service Principal
Once you have created an Microsoft Entra ID application, create a Service Principal for that application. With this Service Principal, you can grant it access to Azure resources.
To create the Service Principal, run the following command:
SERVICE_PRINCIPAL_ID=$(az ad sp create \
--id "${APP_ID}" \
| jq -r .id)
echo "Service Principal ID: ${SERVICE_PRINCIPAL_ID}"
Expected output:
Service Principal ID: 1d0ccf05-5427-4b5e-8eb4-005ac5f9f163
The returned value above is the Service Principal ID, which is different from the Microsoft Entra ID application ID (client ID). The Service Principal ID is defined within an Azure tenant and used to grant access to Azure resources to an application
You’ll use the Service Principal ID to grant permissions to an application to access Azure resources.
Meanwhile, the client ID is used by your application to authenticate. You’ll use the client ID in Dapr manifests to configure authentication with Azure services.
Keep in mind that the Service Principal that was just created does not have access to any Azure resource by default. Access will need to be granted to each resource as needed, as documented in the docs for the components.
Next steps
Use Managed Identities >>Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.