Creating the service principal – Building Application Security

by Paulette Dukrs Posted on

The first step we need to perform is creating a service principal and generating a client ID and secret, which affects a username and password:

  1. Navigate to the Azure portal at https://portal.azure.com.
  2. In the top search bar, search for and select Azure Active Directory.
  3. On the left-hand menu, click App registrations.
  4. Click +New registration.
  5. On the Register and application page, enter a friendly name to refer to your app – for example, SecureWebApp.
  6. Choose the account type; for now, leave the default of Accounts in this organizational directory only.
  7. Click Register.
  8. You will be taken to the Overview page for your new service principal; make a note of the Application (client) ID – as in the following example:

Figure 6.4 – Creating a service principal

  1. On the left-hand menu, click Certificates & Secrets.
  2. Click + New client secret.
  3. Give the secret a name such as WebAppAccess; leave the expiration at one year.
  4. Copy the client secret – this is also used in your web app. See the following figure for an example:

Figure 6.5 – Security Principal secret

The next step is to create an access policy to allow the security principal we have just created to read secrets, and then finally, we will create our secret.

Setting the access policy
Now we have a service principal, we need to define and assign an access policy to it:

  1. Navigate to the Azure portal at https://portal.azure.com.
  2. In the top search bar, search for and select Key vaults.
  3. Click on your key vault.
  4. On the Overview page, copy down the Vault URI – this is the final piece of information we will need, along with the client ID and client secret. See the following example:

Figure 6.6 – Getting the key vault URI

  1. On the left-hand menu, click Access policies.
  2. Click Add Access policy.
  3. Click the drop-down list under Configure from template and choose Secret Management.
  4. Under Select principal, click None selected. Search for the name of the service principal you created in the previous section – Creating the service principal. See the example in the following figure. Click Select.

Figure 6.7 – Assigning the access policy

  1. Click Add.
  2. From the top menu, click Save.
  3. On the left-hand menu, click Secrets.
  4. Click Generate/Import.
  5. Complete the following details:
    a) Upload options: Manual.
    b) Name: SecureConnectionString.
    c) Value: AreallySecureConnectionString (details will be masked).
  6. Click Create.

The final step in the process is to use the service principal we have just created within a web app to access the secret.

Leave a Reply

Your email address will not be published. Required fields are marked *

Proudly powered by Williamshand | Theme: Designed by William.