Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Creates a Service Principal within the Tenant of the selected Subscription
[Parameter(Mandatory=$true, HelpMessage="Provide a unique name for Service Principal")]
[ValidateScript({if ($_ -match '^[a-zA-Z0-9\-_]{8,}$') {
} else {
throw "name must be a minimum 8 alphanumeric characters with no spaces. Hyphens and underscores also allowed"
[string] $name,
[Parameter(Mandatory=$true, HelpMessage="Provide a password for Service Principal")]
[ValidateScript({If (-not $_ -or $_.Length -lt 8) {
throw "password must be a minimum 8 characters"
} else {
[securestring] $password
$azureRmModule = Get-Module -Name AzureRM* -ListAvailable
if ([String]::IsNullOrEmpty($azureRmModule)) {
Write-Error "Script requires AzureRM module. See"
function Log($message) {
Write-Host "[$(Get-Date -format 'u')] $message" -ForegroundColor Green
function Prompt-Custom($title, $optionValues, $optionDescriptions) {
Write-Host $title
$a = @()
for($i = 0; $i -lt $optionValues.Length; $i++) {
Write-Host "$($i+1))" $optionDescriptions[$i]
while($true) {
Write-Host "Choose an option: "
$option = Read-Host
$option = $option -as [int]
if($option -ge 1 -and $option -le $optionValues.Length) {
return $optionValues[$option-1]
function Prompt-Subscription() {
$subscriptions = Get-AzureRmSubscription
$subscriptionId = ""
if($subscriptions.Length -eq 0) {
Write-Error "No subscriptions bound to this account."
if($subscriptions.Length -eq 1) {
$subscriptionId = $subscriptions[0].Id
else {
$subscriptionChoices = @()
$subscriptionValues = @()
foreach($subscription in $subscriptions) {
$subscriptionChoices += "$($subscription.Name) ($($subscription.Id))"
$subscriptionValues += $subscription.Id;
$subscriptionId = Prompt-Custom "Choose a subscription" $subscriptionValues $subscriptionChoices
return $subscriptionId
function Prompt-Role() {
$roles = Get-AzureRmRoleDefinition
$roleChoices = @()
$roleValues = @()
foreach($role in $roles) {
$roleChoices += "$($role.Name) ($($role.Description))"
$roleValues += $role.Name;
Prompt-Custom "Choose a role" $roleValues $roleChoices
$ErrorActionPreference = "Stop"
Write-Host "Please Login"
Login-AzureRmAccount | Out-Null
$subscriptionId = Prompt-Subscription
$subscription = Select-AzureRmSubscription -SubscriptionId $subscriptionId
$tenantId = $subscription.Tenant.TenantId
$identifierUri = "http://$tenantId/$name"
Log "Checking if identifier URI is unique ($identifierUri)"
$existingApplication = Get-AzureRmADApplication -IdentifierUri $identifierUri
if ($existingApplication -ne $null) {
$applicationId = $existingApplication.ApplicationId
Write-Error "An AAD Application already exists with URI $identifierUri (Application Id: $applicationId). Choose a different Service Principal name"
Log "Creating new AAD application with URI $identifierUri"
$azureAdApplication = New-AzureRmADApplication -DisplayName $name -HomePage $identifierUri -IdentifierUris $identifierUri -Password $password
$applicationId = $azureAdApplication.ApplicationId
Log "AAD application successfully created"
Log "Creating a new Service Principal for AAD application"
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $applicationId
$servicePrincipalName = $servicePrincipal.ServicePrincipalNames[0]
Log "Service principal successfully created"
while ($true) {
Log "Waiting for Service Principal to be reflected in Directory"
Start-Sleep 20
$check = Get-AzureRmADServicePrincipal -ServicePrincipalName $servicePrincipalName -ErrorAction Continue 2>&1 | ?{ $_ -match "error" }
if (-not $check) {
$role = Prompt-Role
Log "Assigning role $role to Service Principal"
New-AzureRmRoleAssignment -RoleDefinitionName $role -ServicePrincipalName $applicationId | Out-Null
Log "Role assignment completed successfully"
Write-Output "`nCopy and Paste below values for Service Principal"
Write-Output "***************************************************"
Write-Output "Subscription Id: $subscriptionId"
Write-Output "Tenant Id: $tenantId"
Write-Output "Client Id: $applicationId"
Write-Output "Client Secret: <password you provided>"
Write-Output "***************************************************"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.