Register an App to request authorization tokens and work with APIs

1. To register an app, open the Active Directory Overview page in the Azure portal.

2. Select App registrations from the side bar.

3. Select New registration

4. On the Register an application page, enter a Name for the application.

5. Select Register

6. On the app's overview page, select Certificates and Secrets

7. Note the Application (client) ID. It's used in the HTTP request for a token.

8. In the Client secrets tab Select New client secret

9. Enter a Description and select Add

10. Copy and save the client secret Value.

    Note

    Client secret values can only be viewed immediately after creation. Be sure to save the secret before leaving the page.

    

Run the following script to create a service principal and app.

az ad sp create-for-rbac -n <Service principal display name> 

The response looks as follows:

{
  "appId": "0a123b56-c987-1234-abcd-1a2b3c4d5e6f",
  "displayName": "AzMonAPIApp",
  "password": "123456.ABCDE.~XYZ876123ABcEdB7169",
  "tenant": "a1234bcd-5849-4a5d-a2eb-5267eae1bbc7"
}

Add a role and scope for the resources that you want to access using the API

az role assignment create --assignee <`appId`> --role <Role> --scope <resource URI>

The CLI following example assigns the Reader role to the service principal for all resources in the rg-001resource group:

 az role assignment create --assignee 0a123b56-c987-1234-abcd-1a2b3c4d5e6f --role Reader --scope '\/subscriptions/a1234bcd-5849-4a5d-a2eb-5267eae1bbc7/resourceGroups/rg-001'

For more information on creating a service principal using Azure CLI, see Create an Azure service principal with the Azure CLI.

The following sample script demonstrates creating a Microsoft Entra service principal via PowerShell. For a more detailed walkthrough, see using Azure PowerShell to create a service principal to access resources

$subscriptionId = "{azure-subscription-id}"
$resourceGroupName = "{resource-group-name}"

# Authenticate to a specific Azure subscription.
Connect-AzAccount  -Environment AzureChinaCloud -SubscriptionId $subscriptionId

# Password for the service principal
$pwd = "{service-principal-password}"
$secureStringPassword = ConvertTo-SecureString -String $pwd -AsPlainText -Force

# Create a new Azure Active Directory application
$azureAdApplication = New-AzADApplication `
                        -DisplayName "My Azure Monitor" `
                        -HomePage "https://localhost/azure-monitor" `
                        -IdentifierUris "https://localhost/azure-monitor" `
                        -Password $secureStringPassword

# Create a new service principal associated with the designated application
New-AzADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Assign Reader role to the newly created service principal
New-AzRoleAssignment -RoleDefinitionName Reader `
                          -ServicePrincipalName $azureAdApplication.ApplicationId.Guid