IT Connect
Your connection to information technology at the UW

Azure AD Application Credentials and Management

When you provision an Azure AD application (really an Azure AD service principal) that you are developing or using for unattended operations, you must have two things: a client id and a credential to prove you are the application.

For the service principal credential, you will need to decide on one of two options:

  • A client secret (passwordCredentials)
  • A certificate (keyCredentials)

Both options have an expiration, so you can’t just set this up and ignore it–you must maintain it. You don’t want to set it up and learn a lesson a year later when that credential expires.

The simple option is a client secret. This is the best option for a service principal for unattended operations. With this option, you can choose a 1 year, 2 year, or never expiration. Note: Never was not an option for the first several years that Azure AD service principals existed, and may not be appropriate depending on the risk profile.

The harder option is the certificate. This may be a good option if you are developing code. This option requires that your app possess the private key for a cert and that you provision the public cert in Azure AD on the app. We don’t cover how to do that here. The expiration depends on the certificate’s expiration.

What follows is a step-by-step description of how to set up and maintain a client secret for an Azure AD service principal:

  1. You need to start at the Azure Portal (there are other administrative interfaces you might use, but this description uses the Azure Portal): https://portal.azure.com
  2. Sign in using the account which has permissions for the administrative task you want, usually a sadm admin UW NetID. For this task, this will be whatever account created the service principal.
  3. Open ‘Azure Active Directory’ by searching for it, unless it is already in your top nav bar.
  4. Choose ‘App Registrations’ from the left nav bar. A shortcut to the resulting page is https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps. In other words, you can jump directly to this step (you still have to do #2) by using that URL.
  5. Enter the appId or displayName of your service principal in the search field. If you don’t know your appId or displayName, you may need to create a new service principal.
  6. Select the right service principal from the results.
  7. Choose ‘Owners’ from the left nav bar. Verify that the account you used in #2 is the owner. Ideally you will add a 2nd account as an owner so that if you are unavailable or have left, someone else can maintain this service principal.
    1. If you are the only account, fix that now.
    2. If you didn’t use the right account for #2, logout and start over with the right account.
  8. Choose ‘Certificates & secrets’ from the left nav bar.
  9. Note whether there is a secret or not. Some service principals have none, which makes them worthless—you can’t do anything with the service principal without signing in with it.
    1. If there is no secret, click ‘New client secret’.
    2. Enter a description that’ll be useful to you and choose an expiration: 1y, 2y, or never. As noted above, never is not recommended.
    3. Copy the secret’s value to a safe place, like a password manager. UW has LastPass Enterprise which would be a good place to store & protect this secret (and share with the other owner).
    4. Do *NOT* leave this screen without copying the secret’s value. You won’t get another chance to see it.
  10. Note the date in the Expires column.
    1. Keep track of this expiration date and plan to come back to get a new secret before that date.
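Steps 9 and 10 above boil down to two checks: does the service principal have any usable credential at all, and when does each one expire? The following script is an added example, not code from the IT Connect page or from Microsoft. It reads the `passwordCredentials` and `keyCredentials` arrays in the shape the Microsoft Graph application object uses (each entry carrying a `keyId`, `displayName` and ISO 8601 `endDateTime`) and reports which credentials are expired or about to expire. The application object embedded below is constructed sample data with placeholder ids; in practice you would fetch the real object from Graph or an equivalent admin tool and run the same audit on a schedule, so the expiration date you noted in step 10 is checked by a machine rather than remembered.

```python
"""Audit an Azure AD application's credentials for upcoming expiry.

Added example, not from the IT Connect page. It works on the
``passwordCredentials`` (client secrets) and ``keyCredentials``
(certificates) arrays as Microsoft Graph represents them.
"""
import re
from datetime import datetime, timezone

# Constructed sample resembling a Graph application object. The ids are
# placeholders, not real service principals.
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "example-unattended-job",
    "passwordCredentials": [
        {"keyId": "11111111-1111-1111-1111-111111111111",
         "displayName": "prod secret 2019",
         "endDateTime": "2020-05-01T00:00:00Z"},
        {"keyId": "22222222-2222-2222-2222-222222222222",
         "displayName": "prod secret 2020",
         "endDateTime": "2022-04-15T00:00:00.1234567Z"},
    ],
    "keyCredentials": [
        {"keyId": "33333333-3333-3333-3333-333333333333",
         "displayName": "CN=example-cert",
         "type": "AsymmetricX509Cert",
         "usage": "Verify",
         "endDateTime": "2019-12-31T00:00:00Z"},
    ],
}


def parse_graph_time(value):
    """Parse a Graph timestamp such as 2020-05-01T00:00:00Z into an aware datetime.

    Graph may emit seven fractional-second digits, which fromisoformat()
    rejects, so fractions are truncated to six digits and a trailing Z
    is rewritten as an explicit +00:00 offset.
    """
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def credential_status(app, now=None, warn_days=30):
    """Return one finding per credential: expired, expiring (within warn_days) or ok."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind, []):
            end = parse_graph_time(cred["endDateTime"])
            days_left = (end - now).days
            if end <= now:
                state = "expired"
            elif days_left <= warn_days:
                state = "expiring"
            else:
                state = "ok"
            findings.append({
                "kind": kind,
                "keyId": cred["keyId"],
                "displayName": cred.get("displayName"),
                "endDateTime": end,
                "daysLeft": days_left,
                "state": state,
            })
    # Soonest expiry first, so the top line is the one to act on.
    findings.sort(key=lambda f: f["endDateTime"])
    return findings


def has_usable_credential(app, now=None):
    """False when every secret and certificate has expired (step 9's 'worthless' case)."""
    return any(f["state"] != "expired" for f in credential_status(app, now))


def main():
    for f in credential_status(SAMPLE_APP):
        print(f"{f['state']:<8} {f['kind']:<20} {f['endDateTime']:%Y-%m-%d} "
              f"({f['daysLeft']:>5} days) {f['displayName']}")
    if not has_usable_credential(SAMPLE_APP):
        print("No usable credential: the service principal cannot sign in.")


if __name__ == "__main__":
    main()
```

Run it from cron or a pipeline with `warn_days` set to the lead time your change process needs; anything reported as `expiring` is the cue to perform steps 8 through 10 again and rotate the secret before the old one stops working.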

Last reviewed April 16, 2020