AzureAD Apps & Service Principals
Within Azure AD you have App Registrations. You can do a lot with App Registrations. I mainly use it for automating tasks.
Application or Delegated Permissions?
A big disadvantage is that you cannot always choose Application Permissions under API Permissions; for some APIs only Delegated Permissions are offered. For example, the Azure Service Management API has Delegated Permissions only.
The difference between Application and Delegated Permissions is that with Application Permissions the app can read and execute things as itself within the environment, without a signed-in user.
Delegated Permissions need a user account to be able to read and execute things, which also means that you always need a service account.
Multiple API permissions offer only Delegated Permissions as options.
Is there really no other way?
For some API Permissions, yes: as long as you can configure roles in the Azure Portal.
I need the Service Principal to work as its own entity in Azure
As I said above, as long as you can assign roles or permissions in the Azure portal, you can also find the Service Principal in the portal and assign the role to it directly.
I’ll use the Azure Service Management API as an example.
I created a Service Principal called ‘Temp’ with the delegated permission ‘Access Azure Service Management as organization users (preview)’.
I also created a Client Secret.
Write down the:
- AppID
- Client Secret
- Tenant
Now, go to your Azure subscription.
- Click on Access Control (IAM)
- Click on Add
- Select the desired Role
- Search for the App registration.
In the screenshot I selected the Reader role and searched for the app registration ‘Temp’; it only shows up once you type out the name completely.

You can now log in with the AppID and Client Secret.
For the PowerShell users among us
Here is a simple script to get an OAuth token with PowerShell.
Or check out my new module Optimized.Aza for an easier login process, with the OAuth token and throttling handled for you.
Change the tenant, client_id and client_secret to the correct values.
```powershell
$loginURI = "https://login.microsoft.com"
$tenant   = 'baswijdenesoutlook.onmicrosoft.com'
$resource = 'https://management.azure.com'
$Body = @{
    grant_type    = 'client_credentials'
    client_id     = 'XXXXXX-4742-9090-815ccfc4252d'
    client_secret = 'w8sbe2c5~XXXXXXXXXXXXXXXXXX'
    resource      = $resource
    scope         = 'openid'
}
# Client-credentials grant against the tenant's v1 token endpoint; the response holds token_type and access_token
$Token = Invoke-RestMethod -Method Post -Uri "$loginURI/$tenant/oauth2/token?api-version=5.0" -Body $Body -UseBasicParsing
```
You can now form the authorization header:
```powershell
$global:Access = @{
    Authorization = "$($Token.token_type) $($Token.access_token)"
}
```
And as a last example, when you run the script below, $Request.properties contains the returned runbook properties.
```powershell
$Request = Invoke-RestMethod -Method Get `
    -UseBasicParsing `
    -Uri 'https://management.azure.com/subscriptions/81bdb7e0-2010-4c36-ba35-71c560e3b317/resourceGroups/RG-2019/providers/Microsoft.Automation/automationAccounts/AA-2019-01/runbooks/POST-DC-2019-01?api-version=2015-10-31' `
    -Headers $global:Access
$Request.properties
```
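As an added example (not code from the original post or from Optimized.Aza), here is the same client-credentials flow with the secret taken from environment variables, a check of the token's claims before it is used, and a query of the role assignments the service principal actually holds, so you can confirm it only has the role (Reader in the post) you intended. It assumes the environment variable names AZ_TENANT, AZ_CLIENT_ID, AZ_CLIENT_SECRET and AZ_SUBSCRIPTION, and uses the Microsoft.Authorization/roleAssignments list API.

```powershell
# Assumed inputs: $env:AZ_TENANT, $env:AZ_CLIENT_ID, $env:AZ_CLIENT_SECRET, $env:AZ_SUBSCRIPTION
function Get-ArmToken {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://management.azure.com'
    }
    # v1 token endpoint; returns token_type, access_token and expires_on
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" -Body $body
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # The payload is the second dot-separated part, base64url encoded without padding
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-ArmToken -Tenant $env:AZ_TENANT -ClientId $env:AZ_CLIENT_ID -ClientSecret $env:AZ_CLIENT_SECRET
$claims = ConvertFrom-JwtPayload -Jwt $token.access_token

# Sanity checks before using the token: right audience, right app, not about to expire
if ($claims.aud -notmatch '^https://management\.azure\.com/?$') { throw "Unexpected audience: $($claims.aud)" }
if ($claims.appid -ne $env:AZ_CLIENT_ID) { throw "Token issued to another app: $($claims.appid)" }
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) { throw 'Token expires too soon' }

$headers = @{ Authorization = "$($token.token_type) $($token.access_token)" }

# Which roles does this service principal hold on the subscription? (oid claim = SP object id)
$uri = "https://management.azure.com/subscriptions/$($env:AZ_SUBSCRIPTION)/providers/Microsoft.Authorization/roleAssignments" +
       "?api-version=2022-04-01&`$filter=principalId%20eq%20'$($claims.oid)'"
$assignments = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
$assignments | ForEach-Object {
    [pscustomobject]@{
        Scope            = $_.properties.scope
        RoleDefinitionId = $_.properties.roleDefinitionId.Split('/')[-1]
    }
}
```

If the list shows more than the one assignment you made in Access Control (IAM), the service principal has more reach than the post intends; the RoleDefinitionId column is the GUID of the built-in or custom role, which you can match against the role definitions in the portal.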