Create AD App Account to run with PowerShell

  • December 19, 2017
  • Brian Carter
  • Azure

This Blog post will walk you through how to create an AD Application Account to run with PowerShell for automated deployments into Azure Resource Manager

Background

I was working with a customer who wanted to use System Center Orchestrator to build servers in Azure like they current do with their VMWare environment.

Instead of trying to install Service Manager Automation or trying to get Azure Automation working we decided just to use PowerShell with an Azure AD Application Account and System Center Service Manager to make things extremely simple for the end user to request/build a server with a JSON template.

Prerequisites

Out of the box this will not work so we had to download Azure Resource Manager Module on the Orchestrator server, but this could be on any automation server that is wanted.

We also decided to create an application account in Azure Active Directory so we could run as a service principal. Technically we didn’t have to do this and could have created an on-premises or a cloud user/service account but we wanted the possibility to use API access for other applications later.

Creating Azure AD Application and Service Principal

Here are the steps we followed to create and give rights into Azure for the account.

There are two ways to create an Azure AD Application, using the portal or command line (PowerShell or CLI). Since we didn’t have Windows 10 to create a self signed certificate we decided to use the portal.

  1. Log into the Azure Portal and go into the App Registration Blade
  2. Click *Add at the top to create a new Application.
  3. Give the account a Name, leave the Application Type as Web app / API, set the sign-on URL to anything you want it to be.

    CreateApp

  4. Copy the Application ID and keep it somewhere to reference it later. We put this into a variable inside of Orchestrator as a user.

    AppID

  5. Create a Key since this will be used as the password. You can choose 1 or 2 years or on that never expires, for the duration choice. The key can be rotated at anytime so just select a configuration that fits best for your environment and requirements. Make sure you copy down the certificate value since you won’t see it again.

    KeyValue

  6. Give the account rights that you want so that the service can deploy servers. Set the rights at the subscription level since it is unknown what Resource Groups it will deploy into unless all Resource Groups are created at this point. if that is the case, link to just the Resource Groups you would like to deploy into.

    RBAC

  7. Copy your Directory ID from Azure Active Directory since it will be used for your TenantID for the script.

    TenantID

  8. Copy your Subscription ID from your Azure Subscription

    SubscriptionId

  9. Create a PowerShell script to log in for verification, assuming using Windows Server 2012 R2 so the modules do not need to be called in the script.

    $User = "aAbBcCdD-1234-5678-90aA1bB2cC3d"
    $Pass = ConvertTo-SecureString -string "1Qaz2wSx3edC/4Rfv5tGb6yhN7UjM8ik9ol0pZAq1x2=" -AsPlainText -Force
    $MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Pass
    
    Login-AzureRmAccount -Credential $MyCredential -ServicePrincipal -TenantId 00000000-0000-0000-0000-0000000000000 -SubscriptionId 11111111-1111-1111-1111-111111111111
    
    


Now the code can be secured however you would like so that the Password is never shared beyond the automation configuration machine.

If you would like to use it on other machines, you will have to secure the password with a secure key.