- 08 Jun 2021
- 6 minutes to read
Associating Service Principals
A Service Principal is an application within Azure Active Directory that is authorized to access resources or resource groups in Azure. Serverless360 uses the authentication tokens of the Service Principal to manage those resources.
To know more about Service Principals, read:
Application and service principal objects in Azure Active Directory (Azure AD)
What are service principals and where do they come from?
The first step to get started with your account in Serverless360 after sign up is associating a Service Principal. Serverless360 needs access to manage resources through Azure Resource Manager in Azure Stack; this is achieved by associating an Azure Service Principal that has the necessary permissions. You can assign permissions to the Service Principal that differ from your own Azure account permissions. Typically, these permissions are restricted to exactly what Serverless360 needs to do.
This involves the following must do activities:
- Create a Service Principal
- Authorize Service Principal from Azure Portal and provide 'Contributor' access on the resource group to manage
- Associate Service Principal to Serverless360
The following content in this document helps you complete the above activities.
In order to associate the Service Principal with Serverless360, you will need the following values:
- Tenant ID - Azure Active Directory Id
- Client ID - Id of the Service Principal object
- Client Secret - Authentication password key for this app
- Subscription ID - The Subscription Id relates to the Azure Subscription in which the subscription / resource group / resource is authorized to the Service Principal
Get Azure Tenant Id
In Azure Active Directory (Azure AD), a tenant represents an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft Azure account. Each Azure AD tenant is distinct and separate from other Azure AD tenants.
To get the Azure Tenant ID:
- Navigate to 'Dashboard' in the Azure portal
- In the portal, navigate to the ‘Azure Active Directory’ tab in the left side menu
- Click the 'Properties' tab under the Manage section
- Click the Copy icon against the 'Directory ID' to get the Azure Tenant ID
Create a Service Principal
- Select Azure Active Directory and click 'App registrations'
- Click on the 'New Application Registration' link – this will open up a new blade to enter service principal details
- Enter a name for the Service Principal, keep the Application Type at its default (Web App / API), and in the 'Sign-on URL' field enter any URL, for example http://localhost.
- Once the Service Principal is created successfully, it will be listed in the App Registration grid
Get Client ID and Client Secret
Client ID is a 16-character string that represents the application. To get the ClientId:
- Click on the Service Principal > Copy the 'Application ID' from Essentials window. This is your 'Client ID'.
A Secret key is a security key that Windows Live ID uses to encrypt and sign all tokens. To get the Client Secret:
- Click on 'Keys' under API Access from the Settings Blade > create a key and provide a name for it. Select when it should expire and click on 'Save'.
- Once it is saved, it will show you the 'Client Secret'.
Authorize Service Principal from Azure Portal
To access resources in your subscription, you must assign the application to a role. The right permissions for each role are defined based on different use cases.
Permissions are inherited by lower levels of scope. For example, you can add an application to the Contributor / Owner role for a resource group. This means it can access the resource group and any resources it contains.
To authorize the service principal to access a resource group:
- Navigate to the Resource Group > Click on “Access Control (IAM)”. As you click on Access Control – it will list all the service accounts which are authorized to access the selected Resource Group.
#### Provide 'Contributor' access on the resource group to manage
- Add a new permission for the newly created Service Principal. Click the "Add" button at the top left of this blade. It will ask you to select a role and a user for the new permission. Please refer to the image below.
- In the Role drop-down, you will find many pre-defined roles scoped to specific resource types with different permissions, such as Reader, Manager, etc. Select "Contributor" from the list.
- In the next input, type the name of the Service Principal. It will list the service principals and users matching the given name; you can select more than one Service Principal/User here. Select the desired Service Principal's name and click "Save".
- In a few seconds the portal will notify you that the user has been added and can perform operations with the allowed permissions.
We have simplified the steps here for your ease. For more information, read:
Use portal to create an Azure Active Directory application and service principal that can access resources
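Because permissions are inherited down the scope hierarchy, a Contributor assignment on the resource group is all Serverless360 needs; an Owner assignment, or any assignment at subscription scope, grants more than the steps above intend. The following Python script is an added example, not Serverless360's or Microsoft's code: it audits a Service Principal's role assignments against that expectation. The sample data is constructed in the shape of the Azure CLI's `az role assignment list` JSON output (the field names `principalId`, `principalType`, `roleDefinitionName` and `scope` are assumed from that output); all GUIDs and names in it are made up.

```python
"""Audit the RBAC assignments of a Service Principal against the expected
least-privilege setup: Contributor on exactly one resource group (added example)."""
import re

# Constructed sample in the shape of `az role assignment list -o json`.
# GUIDs and names are made up for this example.
SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"
SUBSCRIPTION = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_ASSIGNMENTS = [
    {
        "principalId": SP_OBJECT_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-integration",
    },
    {
        "principalId": SP_OBJECT_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Owner",
        "scope": f"/subscriptions/{SUBSCRIPTION}",
    },
]

# ARM scope: /subscriptions/{id}[/resourceGroups/{rg}[/providers/{resource path}]]
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?:/providers/(?P<resource>.+))?$",
    re.IGNORECASE,
)


def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup, resource or unknown."""
    m = SCOPE_RE.match(scope)
    if not m:
        return "unknown"
    if m.group("resource"):
        return "resource"
    if m.group("rg"):
        return "resourceGroup"
    return "subscription"


def audit_assignments(assignments, principal_id, expected_rg):
    """Return a list of findings (empty means the principal holds exactly the
    expected Contributor assignment on expected_rg and nothing broader)."""
    mine = [a for a in assignments
            if a.get("principalId", "").lower() == principal_id.lower()]
    if not mine:
        return [f"no role assignments found for principal {principal_id}"]

    findings = []
    has_expected = False
    for a in mine:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        level = scope_level(scope)
        m = SCOPE_RE.match(scope)
        rg = m.group("rg") if m else None
        if role == "Contributor" and level == "resourceGroup" and rg and rg.lower() == expected_rg.lower():
            has_expected = True
            continue
        if role == "Owner":
            # Owner can change access control itself, which Contributor cannot.
            findings.append(f"Owner at {level} scope {scope}: can change access, exceeds Contributor")
        elif level == "subscription":
            findings.append(f"{role} at subscription scope {scope}: broader than the resource group")
        else:
            findings.append(f"{role} at {scope}: not the expected Contributor assignment on {expected_rg}")
    if not has_expected:
        findings.append(f"Contributor on resource group {expected_rg} is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, "rg-integration") or ["OK"]:
        print(finding)
```

Run it against the real output of `az role assignment list --assignee <client id> --all -o json` by loading that JSON into `audit_assignments`; the constructed sample above reports the subscription-scope Owner assignment as a finding and accepts the resource-group Contributor one.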
Get Subscription ID
The subscription ID is a GUID that uniquely identifies your subscription to use Azure services.
Here is a quick step by step guide on how to get your Subscription ID from the New Azure Portal.
- Browse to https://portal.azure.com and Sign into your account.
- In the portal, navigate to the ‘Subscriptions’ tab in the left side menu. If the tab is not visible, then click on the ‘More services’ tab to find it.
- In the Subscriptions blade, all your subscriptions are listed; copy the ID from the 'Subscription ID' column.
Associating Service Principals
The following illustrates how to associate a Service Principal in Serverless360 once all the above steps are completed. A Friendly Name helps you identify a Service Principal in Serverless360 if you associate many.
Alternate: Associating Resources by Namespace
An alternate method to associate Azure resources with Serverless360 is by associating a namespace using the connection string details.
To associate a resource by namespace, you must first create a namespace in Azure and obtain the management credentials.
### Creating a namespace in Azure
- Log into the Azure portal
- In the left navigation pane of the portal, click 'New', then click 'Enterprise Integration', and then click 'Service Bus'.
- In the Create Namespace dialog, enter a namespace name. The system immediately checks to see if the name is available.
- After making sure the namespace name is available, choose the pricing tier (Basic, Standard, or Premium)
- In the Subscription field, choose an Azure subscription in which the namespace has to be created.
- In the Resource group field, choose an existing resource group to which the namespace will belong, or create a new one.
- In Location, choose the country or region in which your namespace should be hosted.
- Click 'Create'. The system now creates your namespace and enables it. You might have to wait several minutes as the system provisions resources for your account.
Obtain the management credentials
- In the list of namespaces, click the newly created namespace name
- In the namespace blade, click 'Shared access policies'
- In the Shared access policies blade, click 'RootManageSharedAccessKey'. We recommend creating a new Shared Access Policy named Serverless360 instead, with all three claims enabled (Manage, Send and Listen), and using that policy to associate the namespace with Serverless360.
- In the Policy: RootManageSharedAccessKey blade, click the Copy button next to Connection string–primary key, to copy the connection string to your clipboard for later use. Paste this value into Notepad or a clipboard to associate this connection string in Serverless360.
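The connection string copied above is a `Key=Value;Key=Value` list carrying the namespace endpoint, the policy name and the policy's shared access key, so it is a credential in its own right. The following Python script is an added example (not Serverless360's or Microsoft's code) that parses such a string, flags the case the steps above advise against (using `RootManageSharedAccessKey` rather than a dedicated policy), and redacts the key so the string can be logged or displayed safely. The sample connection string is constructed; its namespace, policy name and key are made up and the key is not a real credential.

```python
"""Parse, sanity-check and redact an Azure Service Bus connection string (added example)."""
import re

# Constructed sample with the same Key=Value;... shape as a real connection string.
# The namespace, policy name and key are made up; the key is not a real credential.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-integration.servicebus.windows.net/;"
    "SharedAccessKeyName=Serverless360;"
    "SharedAccessKey=MADEUPKEYMADEUPKEYMADEUPKEYMADEUPKEYMADEUPK="
)

REQUIRED_KEYS = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")
ROOT_POLICY = "RootManageSharedAccessKey"


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict. The key material is base64 and
    may itself contain '=', so each segment is split on its first '=' only."""
    parts = {}
    for segment in value.strip().split(";"):
        if not segment:
            continue  # tolerate a trailing ';'
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        key, val = segment.split("=", 1)
        parts[key.strip()] = val.strip()
    return parts


def check_connection_string(value):
    """Return (namespace, policy_name, findings). An empty findings list means the
    string is complete, points at an sb:// endpoint and uses a dedicated policy."""
    parts = parse_connection_string(value)
    findings = [f"missing {k}" for k in REQUIRED_KEYS if not parts.get(k)]

    endpoint = parts.get("Endpoint", "")
    m = re.match(r"^sb://([^/]+)/?$", endpoint)
    # The namespace is the first DNS label of the endpoint host, whatever the cloud suffix.
    namespace = m.group(1).split(".")[0] if m else None
    if not namespace:
        findings.append(f"Endpoint is not an sb:// Service Bus endpoint: {endpoint!r}")

    policy = parts.get("SharedAccessKeyName", "")
    if policy == ROOT_POLICY:
        findings.append(
            f"uses {ROOT_POLICY}; create a dedicated policy (for example Serverless360) instead"
        )
    return namespace, policy, findings


def redact(value):
    """Mask the SharedAccessKey so the string can be logged or shown in a UI."""
    parts = parse_connection_string(value)
    if "SharedAccessKey" in parts:
        parts["SharedAccessKey"] = "***REDACTED***"
    return ";".join(f"{k}={v}" for k, v in parts.items())


if __name__ == "__main__":
    ns, pol, problems = check_connection_string(SAMPLE_CONNECTION_STRING)
    print(f"namespace={ns} policy={pol} problems={problems or 'none'}")
    print(redact(SAMPLE_CONNECTION_STRING))
```

Paste the real 'Connection string–primary key' value in place of the sample to check it before associating; the checker only inspects the string, so whether the policy actually carries the Manage, Send and Listen claims still has to be confirmed in the portal.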