1 - How to create a service principal name for Azure Stack Hub integrated with Active Directory Federation Services identity using PowerShell
Overview
This article explains how to create a service principal name (SPN) to manage Azure Stack Hub integrated with Active Directory Federation Services (AD FS) identity using PowerShell.
For more information about this process, visit Give an app access to Azure Stack Hub resources.
It will guide you through the creation of:
- An AD FS application and the associated service principal object, which represents the application's identity within Active Directory
- A role assignment for that service principal
Prerequisites
Prerequisites from a Windows-based external client are:
- PowerShell 7.x and the Azure Stack Hub compatible PowerShell modules
- An Azure Stack Hub deployment integrated with Active Directory Federation Services identity
Overview of the creation process for Azure Stack Hub SPN
NOTE
The procedure provided is designed for Azure Stack Hub Operators: it requires Privileged Endpoint (PEP) access and assumes the Default Provider Subscription and the Administrator Azure Resource Manager endpoint as the defaults. The same mechanism can be applied to User Subscriptions with minimal changes to the code.
If you want to assign a role to the SPN for a User Subscription, replace the Administrator Azure Resource Manager endpoint with the Tenant Azure Resource Manager endpoint and the Default Provider Subscription with the name of the subscription you want to modify.
- Declare your variables accordingly.
- Log in to your Azure Stack Hub Default Provider Subscription with administrator user credentials (the account needs the Owner role).
CAUTION
This step requires an interactive prompt: by default, when AD FS is your identity provider, user credentials cannot be used non-interactively.
This is the main reason to create an SPN, so that you can automate your operations.
- Create your AD FS application/service principal.
- Assign the appropriate role to your service principal.
NOTE
As a bonus, we include an example of how to assign the Owner role to an AD FS group.
The current AzureStack modules do not support this natively, but the example shows how to do it via the API.
This is the preferred method of assigning roles: assign roles to a group rather than to individual users.
- Log in to your Azure Stack Hub Default Provider Subscription using the SPN account.
- Verify SPN authentication and the role assignment.
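The following script walks through the six steps above end to end. It is an added example, not code from the original article or from Microsoft; the PEP cmdlet `New-GraphApplication` and the `Az` cmdlets are those shipped with Azure Stack Hub, but every value in angle brackets is a placeholder you must replace, and the group role assignment uses the standard Azure Resource Manager `roleAssignments` REST call because the PowerShell modules do not expose it for AD FS groups (the group object ID and API version are assumptions). Run it from a Windows client that can reach both the Administrator Azure Resource Manager endpoint and the PEP.

```powershell
# Added example (not from the original article). Values in <angle brackets> are placeholders.

# 1. Declare variables. For a User Subscription, switch $ArmEndpoint to the Tenant
#    Azure Resource Manager endpoint and $SubscriptionName to the target subscription.
$ArmEndpoint      = "https://adminmanagement.<region>.<fqdn>"
$EnvName          = "AzureStackAdmin"
$PepAddress       = "<PEP IP address or ERCS VM name>"
$SpnName          = "<AppName>"
$SubscriptionName = "Default Provider Subscription"
$RoleName         = "Owner"
$TenantId         = "<tenant id>"              # AD FS deployments commonly report "adfs" here; confirm on your stamp
$GroupObjectId    = "<AD FS group object id>"  # only needed for the optional group assignment (assumption)

# 2. Register the environment and log in interactively (AD FS needs a prompt for user credentials).
Add-AzEnvironment -Name $EnvName -ArmEndpoint $ArmEndpoint | Out-Null
Connect-AzAccount -EnvironmentName $EnvName
$Sub = Get-AzSubscription -SubscriptionName $SubscriptionName
Set-AzContext -Subscription $Sub.Id | Out-Null

# 3. Create the AD FS application and service principal through the Privileged Endpoint.
#    A self-signed certificate is the SPN's credential; AD FS SPNs on Azure Stack Hub authenticate with certificates, not secrets.
$Cert = New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" `
    -Subject "CN=$SpnName" -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(1)
$PepCreds   = Get-Credential -Message "Cloud administrator credentials (domain\user)"
$PepSession = New-PSSession -ComputerName $PepAddress -ConfigurationName PrivilegedEndpoint -Credential $PepCreds
try {
    $SpnObject = Invoke-Command -Session $PepSession -ScriptBlock {
        New-GraphApplication -Name $using:SpnName -ClientCertificates $using:Cert
    }
}
finally {
    Remove-PSSession $PepSession
}
# $SpnObject exposes ApplicationIdentifier, ClientId and Thumbprint, used below.

# 4. Assign the role to the service principal at subscription scope.
$Scope = "/subscriptions/$($Sub.Id)"
New-AzRoleAssignment -RoleDefinitionName $RoleName -ServicePrincipalName $SpnObject.ApplicationIdentifier -Scope $Scope

# 4b. (Bonus) Assign the same role to an AD FS group via the Resource Manager REST API.
#     Assumption: a PUT on Microsoft.Authorization/roleAssignments with the group's object ID as principalId.
$RoleDefId = "$Scope/providers/Microsoft.Authorization/roleDefinitions/$((Get-AzRoleDefinition -Name $RoleName).Id)"
$Token     = (Get-AzAccessToken).Token
$Uri       = "$($ArmEndpoint.TrimEnd('/'))$Scope/providers/Microsoft.Authorization/roleAssignments/$([guid]::NewGuid())?api-version=2015-07-01"
$Body      = @{ properties = @{ roleDefinitionId = $RoleDefId; principalId = $GroupObjectId } } | ConvertTo-Json -Depth 4
Invoke-RestMethod -Method Put -Uri $Uri -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" -Body $Body

# 5. Log in with the SPN instead of a user account (non-interactive, certificate-based).
Disconnect-AzAccount | Out-Null
Connect-AzAccount -EnvironmentName $EnvName -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $SpnObject.ClientId -CertificateThumbprint $SpnObject.Thumbprint

# 6. Verify: the context must show the SPN, and the role assignment must be visible at the scope.
Get-AzContext | Select-Object Account, Subscription, Environment
Get-AzRoleAssignment -ServicePrincipalName $SpnObject.ApplicationIdentifier -Scope $Scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Keep the certificate's private key on the automation host only and give the SPN the least privileged role that the automation actually needs; Owner is used here because the article's scenario targets the Default Provider Subscription. If step 6 returns no role assignment, re-check the scope string and that the SPN's `ApplicationIdentifier` (not its `ClientId`) was used in step 4.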