This Microsoft Azure blog post walks through connecting to Microsoft Azure with Azure PowerShell using a certificate instead of a client secret.
From a security standpoint, certificate-based authentication is preferable to a client secret: the private key stays in the certificate store of the machine that signs in and is never pasted into a script, a pipeline variable or a ticket, which is where secrets usually leak. It is still a credential, so the private key must be protected (non-exportable where possible) and the certificate rotated before it expires.
Connecting to Azure with Azure PowerShell (the Az module) as a service principal takes the following three steps.
- Create a service principal (SP) account.
- Assign the service principal a role at a resource, resource-group or subscription scope.
- Create a self-signed certificate and upload its public part to the App Registration of the SP.
Create a Service Principal (SP)
An Azure service principal is a service account used by applications and non-interactive processes to authenticate to Azure and access resources and applications. The main concept of an SP is that it is a non-human identity: it is the tenant-local representation of an App Registration, and Azure RBAC roles are assigned to it rather than to a person.
Once an SP is created, permissions can be assigned to it, at different scopes:
- A specific resource (for example, a VM)
- Resource Group
- Subscription
In our case, we will create an SP identity, assign it the Owner role at subscription scope, and use a certificate to log in with it to Azure. Owner at subscription scope is the widest assignment possible and is used here only to keep the example short; for real automation, pick the narrowest role and scope that the job needs (for example Contributor or Reader on a single resource group), because anyone who obtains the certificate's private key inherits exactly those permissions.
To create the SP account, use the following Azure PowerShell code:
# Create a service principal and assign it the Owner role at subscription scope
# (run from an interactive session that already has rights to create app registrations and role assignments)
Set-AzContext -Subscription "SUB ID"
# Note: in Az.Resources 5.x and later the SP is created without any default role assignment
$sp = New-AzADServicePrincipal -DisplayName AzureAPIAccess
$AppID = $sp.AppId
# Scope is given explicitly so the assignment does not silently depend on the current context
New-AzRoleAssignment -ApplicationId $AppID -RoleDefinitionName 'Owner' -Scope "/subscriptions/SUB ID"
Once the SP account has been created, it will appear under Azure Active Directory (now Microsoft Entra ID) -> App registrations -> Name of the SP. The App Registration is where the certificate is attached; the matching Enterprise Application entry is the object the role assignment is bound to.
Create a Certificate
Now that we have a working SP account, it is time to create a self-signed certificate and upload it to the App Registration that belongs to it.
To create a self-signed certificate, please visit this article. Alternatively, you can skip the PowerShell upload in the post and manually upload the certificate to the App Registration under the Certificates section. In either case only the public certificate (.cer, no private key) is uploaded; the private key stays in the certificate store of the machine that will perform the login, and you will need that certificate's thumbprint for the next step.
Connect To Azure PowerShell with a Certificate
After uploading the certificate to the App Registration, connect with the following Azure PowerShell command, filling in the SP's Application (client) ID, the tenant ID and the thumbprint of the certificate installed in the local certificate store:
Connect-AzAccount -ServicePrincipal -ApplicationId "SP AppID" -Tenant "Azure Tenant ID" -CertificateThumbprint "Cert Thumbprint"
On Windows the certificate is looked up by thumbprint in the CurrentUser\My or LocalMachine\My store of the account running the command, so the login fails if the certificate was created elsewhere and not imported with its private key. Once connected, run Get-AzContext and confirm that Account.Type is ServicePrincipal and Account.Id equals the SP's Application ID; after that you can run Azure PowerShell cmdlets with the permissions assigned to the SP.
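The three steps above, carried out end to end in a single script, as an added example that is not part of the original post. It assumes the Az module on Windows PowerShell or PowerShell 7 on Windows (New-SelfSignedCertificate comes from the Windows PKI module), an existing interactive sign-in with rights to create app registrations and role assignments, and that the placeholder subscription and tenant IDs are replaced; the display name AzureAPIAccess is taken from the post, and the final context check is this example's own addition.

```powershell
# Added example (not the original post's code): certificate-based service principal, start to finish.
# Assumptions: Az module, Windows, already signed in interactively with rights to create
# app registrations and role assignments. $subscriptionId and $tenantId are placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, fill in
$tenantId       = "00000000-0000-0000-0000-000000000000"   # placeholder, fill in
$spName         = "AzureAPIAccess"

Set-AzContext -Subscription $subscriptionId | Out-Null

# 1. Self-signed certificate. The private key is generated directly in the CurrentUser\My store
#    and marked non-exportable, so it cannot be copied off this machine as a PFX. Only the
#    public half (GetRawCertData) is sent to Azure.
$cert = New-SelfSignedCertificate -Subject "CN=$spName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(12)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# 2. Service principal with the certificate registered as its only credential (no client secret).
#    The credential validity is tied to the certificate's own validity window.
$sp = New-AzADServicePrincipal -DisplayName $spName -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Role assignment with an explicit scope. The post uses Owner at subscription scope;
#    narrow $scope (e.g. append "/resourceGroups/<rg>") and the role to what the job needs.
Start-Sleep -Seconds 20   # a freshly created SP may take a moment to replicate before RBAC accepts it
$scope = "/subscriptions/$subscriptionId"
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Owner" -Scope $scope | Out-Null

# 4. Drop the interactive session and sign in as the SP with the certificate thumbprint.
Disconnect-AzAccount | Out-Null
Connect-AzAccount -ServicePrincipal -ApplicationId $sp.AppId -Tenant $tenantId `
    -CertificateThumbprint $cert.Thumbprint | Out-Null

# 5. Check: the resulting context must be a service-principal account bound to the expected AppId,
#    otherwise the script is silently still running as whoever launched it.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne "ServicePrincipal" -or $ctx.Account.Id -ne $sp.AppId) {
    throw "Certificate login did not produce the expected service principal context"
}
"Connected as $($ctx.Account.Id) to subscription $($ctx.Subscription.Id)"
```

Because the key is non-exportable, any other host that needs to run as this SP gets its own certificate (repeat step 1 there and attach it with New-AzADAppCredential -ApplicationId $sp.AppId -CertValue ...), which keeps one compromised machine from exposing the credential of all of them and lets you revoke per host.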