
Let's Encrypt - Using the Azure CLI to create an Azure AD Application and Service Principal for an Azure Web Service

Everyone gets SSL

Recently I had to set up a static web site on Azure. At the time I was using an Azure Web App with a rudimentary GitHub deployment. Once it was set up, the next stage was to add SSL, and I wanted to use Let’s Encrypt. I stumbled over to the Let’s Encrypt Site Extension mentioned in the gooroo blog.

Most of my time these days is spent on OSX and Docker and I generally use a Docker Container to isolate accounts when using cloud services such as Azure and AWS.

One of the steps in the blog post was to set up an Azure Service Principal for the WebJob to use. The post mentions how to do this in PowerShell; however, I generally use the Azure CLI as it is cross-platform.

One of my favourite tools to work with JSON is jq, and some of the samples below will make use of it. So here are the same steps from the post using the Azure CLI.

Login to Azure

PowerShell

Login-AzureRmAccount

Azure CLI

azure login

Set some variables

PowerShell

$uri = 'https://mysite.com'
$password = 'SuperSecret'
$appName = 'mysite'

Azure CLI

export APP_URI=https://mysite.com
export APP_PASSWORD=SuperSecret
export APP_NAME=mysite

Create an Azure Active Directory Application

PowerShell

$app = New-AzureRmADApplication -DisplayName {some display name} -HomePage $uri -IdentifierUris $uri -Password $password

Azure CLI

# Create the app
azure ad app create -n $APP_NAME \
    --home-page $APP_URI \
    --identifier-uris $APP_URI \
    --password $APP_PASSWORD

# Find the app
azure ad app list --json | jq --arg name "${APP_NAME}" '.[] | select(.displayName==$name)'

This will return a JSON object such as:

[
  {
    "objectId": "xxxx",
    "objectType": "Application",
    "appId": "xxxx",
    "availableToOtherTenants": false,
    "displayName": "mysite.com",
    "identifierUris": [
      "https://mysite.com"
    ],
    "replyUrls": [],
    "homepage": "https://mysite.com"
  }
]

Create a Service Principal for the app

PowerShell

New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

Azure CLI

# $APP_ID == appId of the Application found in the previous step
azure ad sp create -a $APP_ID

# Find the principal
azure ad sp list --json | jq --arg name "${APP_NAME}" '.[] | select(.displayName==$name)'

This will return a JSON object such as:

{
  "objectId": "xxxx",
  "objectType": "ServicePrincipal",
  "displayName": "mysite.com",
  "appId": "xxxx",
  "servicePrincipalNames": [
    "https://mysite.com",
    "xxxx"
  ]
}

Add the Contributor role to the Application

PowerShell

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

Azure CLI

# $APP_OBJECT_ID == objectId of the ServicePrincipal found in the previous step
azure role assignment create --objectId $APP_OBJECT_ID --roleName Contributor
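The same steps wired together as an added example (my own, not code from this post or from the gooroo blog): it picks the appId and objectId out of the CLI's JSON instead of copying them by hand, refuses to continue if the display name is ambiguous, and grants Contributor on one resource group rather than the whole subscription. It assumes the classic `azure` CLI accepts `--json` on these commands and a `--scope` option on `role assignment create`; the subscription id, resource group and sample list entries are placeholders.

```python
import json
import os
import subprocess

# Constructed sample, shaped like the `azure ad app list --json` output shown above.
SAMPLE_APP_LIST = [
    {"objectId": "obj-0001", "objectType": "Application", "appId": "app-0001",
     "displayName": "mysite"},
    {"objectId": "obj-0002", "objectType": "Application", "appId": "app-0002",
     "displayName": "othersite"},
]


def find_by_display_name(items, name):
    """Same selection as the jq filter in the post, but insists on exactly one
    match so a name collision cannot bind the role to the wrong principal."""
    matches = [i for i in items if i.get("displayName") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one '{name}', found {len(matches)}")
    return matches[0]


def resource_group_scope(subscription_id, resource_group):
    """ARM scope for one resource group: Contributor here, rather than on the
    whole subscription, is all the Let's Encrypt WebJob needs."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def azure_json(*args):
    """Run one classic `azure` CLI command with --json and parse its output."""
    proc = subprocess.run(["azure", *args, "--json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def provision(app_name, app_uri, password, subscription_id, resource_group):
    """Create app, service principal and scoped role assignment; return the ids."""
    azure_json("ad", "app", "create", "-n", app_name, "--home-page", app_uri,
               "--identifier-uris", app_uri, "--password", password)
    app = find_by_display_name(azure_json("ad", "app", "list"), app_name)
    azure_json("ad", "sp", "create", "-a", app["appId"])
    sp = find_by_display_name(azure_json("ad", "sp", "list"), app_name)
    azure_json("role", "assignment", "create", "--objectId", sp["objectId"],
               "--roleName", "Contributor",
               "--scope", resource_group_scope(subscription_id, resource_group))
    return app["appId"], sp["objectId"]


if __name__ == "__main__":
    # The password comes from the environment so it is never typed on the command line.
    print(provision(os.environ["APP_NAME"], os.environ["APP_URI"],
                    os.environ["APP_PASSWORD"], os.environ["SUBSCRIPTION_ID"],
                    os.environ["RESOURCE_GROUP"]))
```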

Sometimes PowerShell is easier, sometimes it is not. However, it’s always nice to have options.

Get Amongst it!
