by Socratic_Cat. I've created an application registration (Web app / API) in Azure AD and in Subscriptions I've assigned the Virtual Machine Contributor role.

Parameters of Connect-AzureRmAccount:
Account: the account or the service principal which will be used to authorize the cmdlets.
Subscription: the subscription against which the cmdlets will be executed.
TenantId: the tenant ID of the Azure Active Directory where the account resides.
Environment: the cloud environment.
Credentials: the login credentials.

You can try the below steps:
1. Login to your Azure account with the command: Login-AzureRmAccount
2. Save the context in a JSON file using the command: Save-AzureRmContext -Path "E:\AzureProfile.json"

Connect-AzureRmAccount.

This is extremely convenient, because

N.B. Service principals are accounts for machines (applications and automation), not for people.

What permission do I need to check there? I have not created any service principal, so I don't know what's wrong right now.

All you have to use is a service principal for the log-in.

The Connect-AzureRmAccount cmdlet connects to Azure with an authenticated account for use with Azure Resource Manager cmdlet requests.

(You cannot progress beyond this page in the wizard until you provide valid details for the Use existing option.)

Under Schema -> Active -> LogManagement you can see the tables that you can query.

Azure PowerShell modules.

When I spin up my service (local Service Fabric cluster) and try to connect to Key Vault to retrieve a secret key+value that I have stored inside, I get the error: CryptographicException: KeySet does not exist

Obviously, there is someone with elevated permissions that has to initially set this up, but once set up it works great.

Connect-AzureRmAccount (AzureRM.Profile): you can use the Connect-AzureRmAccount PowerShell command without an interactive login.

Hi, the service principal should only need to do specific things, unlike a general user identity.
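The non-interactive login and the save/re-import of the context described above, written out as an added example (this is not code from the thread). The application, tenant and subscription IDs are placeholders, the client secret is assumed to be in the environment variable AZ_SP_SECRET, and the context file path is an assumption:

```powershell
# Added example, not code from the thread above. Logs in with a service principal
# (client-credential flow, no browser or device code), checks the resulting context,
# and persists it for later sessions. All GUIDs are placeholders (assumptions); the
# client secret is read from AZ_SP_SECRET so it never sits in the script or history.

$appId          = "11111111-2222-3333-4444-555555555555"   # application (client) ID of the app registration
$tenantId       = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # Azure AD tenant ID
$subscriptionId = "99999999-8888-7777-6666-555555555555"   # subscription the cmdlets should target

$secret = $env:AZ_SP_SECRET
if ([string]::IsNullOrEmpty($secret)) {
    throw "Set AZ_SP_SECRET to the service principal's client secret before running."
}

# Connect-AzureRmAccount takes a PSCredential: user name = application ID, password = client secret.
$securePassword = ConvertTo-SecureString -String $secret -AsPlainText -Force
$credential     = New-Object System.Management.Automation.PSCredential ($appId, $securePassword)

# -ServicePrincipal selects the service principal login path.
# (-Subscription was called -SubscriptionId in older AzureRM.Profile releases.)
$azProfile = Connect-AzureRmAccount -ServicePrincipal `
                                    -Credential $credential `
                                    -TenantId $tenantId `
                                    -Subscription $subscriptionId

# Sanity check: the active context must belong to the SP, not to a cached user login.
$account = $azProfile.Context.Account
if ($account.Type -ne "ServicePrincipal") {
    throw "Unexpected account type '$($account.Type)' after login."
}
Write-Host "Connected as $($account.Id) to subscription $($azProfile.Context.Subscription.Id)"

# Persist the context for later sessions. The JSON contains the access and refresh
# tokens, so treat the file like a credential: restrict its ACL, never commit it.
$contextPath = Join-Path $env:LOCALAPPDATA "AzureProfile.json"   # assumed location
Save-AzureRmContext -Path $contextPath -Force

# In a later session (no login needed until the cached token expires):
#   Import-AzureRmContext -Path $contextPath
#
# With the Az modules installed instead of AzureRM, run this once first so the
# AzureRm* cmdlet names above resolve to their Az equivalents:
#   Enable-AzureRmAlias -Scope CurrentUser
```

The account-type check matters in automation: if a user context is still cached, a failed service principal login can leave the script running with the user's (usually broader) permissions.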
When I try to use Connect-AzureRMAccount with a Service Principal I get the following error:
Connect-AzureRMAccount : Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

Marcus Schiffer

If using the Az modules, Enable-AzureRmAlias should be set.

Connect-AzureRmAccount cmdlet using a service principal with a credential - Connect-AzureRmAccountWithSP.ps1

The Azure Resource Manager cmdlets also support service principal authentication; however, due to a bug this is not yet supported in Azure Automation.

Automation is great. It's the bedrock of any successful IT department and the default solution for any task that has to be repeated more than once.

Thanks,
Tuesday, August 21, 2018 9:13 AM

Now you can query the log events captured by the Log Analytics workspace.

A service principal is an identity for an application or automation, not a person: it authenticates with its application ID plus a secret or certificate, and it carries whatever roles/permissions are assigned to it in Azure Active Directory (AAD) and Azure RBAC.

Create a service principal for the Azure app; give the principal access to Key Vault; all looks good.

Yes, even though it is a production stack, in reality this is actually more for developing services, testing, etc.

A service principal within your Azure AD tenant. In this example, a new service principal will be created in AAD and assigned to an Azure resource group.

April 9, 2019 at 6:39 am

As I was anticipating some authentication hurdles with this, I tested creating the service principal through PowerShell also.

This does not work with the Azure Stack PowerShell modules, as the AzureRM.Dns modules currently included do not support the creation of CAA records - we need this capability!
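The "create service principal, give it access to Key Vault" procedure above, as an added example (not the original poster's script). It creates the app registration and service principal, assigns a role scoped to one resource group rather than the subscription, grants only get/list on secrets in one vault, and then verifies the access as the SP. Run it while logged in as a user who can create AAD applications and assign roles. The display name, resource group, vault and secret names are placeholders (assumptions), and the parameter sets are those of AzureRM 6.x (older releases take -Password as a plain string rather than a SecureString):

```powershell
# Added example, not the poster's code. Placeholders below are assumptions.
$displayName = "svc-kv-reader"      # assumed name for the app registration / SP
$rgName      = "rg-demo"            # assumed resource group
$vaultName   = "kv-demo"            # assumed Key Vault in that resource group
$secretName  = "DbPassword"         # assumed secret already stored in the vault
$tenantId    = (Get-AzureRmContext).Tenant.Id   # read before the context is replaced below

# Generate a 256-bit random client secret instead of typing one. For production,
# prefer a certificate (New-AzureRmADApplication -CertValue) over a password.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainSecret    = [Convert]::ToBase64String($bytes)
$securePassword = ConvertTo-SecureString -String $plainSecret -AsPlainText -Force

# 1. App registration plus service principal. -IdentifierUris must be unique in the tenant.
$app = New-AzureRmADApplication -DisplayName $displayName `
                                -IdentifierUris "http://$displayName" `
                                -Password $securePassword
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# The new principal takes a moment to replicate; an immediate role assignment can
# fail with PrincipalNotFound. Retry after a longer wait if it still does.
Start-Sleep -Seconds 30

# 2. Control-plane role, scoped to the resource group only (least privilege).
New-AzureRmRoleAssignment -ObjectId $sp.Id `
                          -RoleDefinitionName "Virtual Machine Contributor" `
                          -ResourceGroupName $rgName | Out-Null

# 3. Data-plane access. An RBAC role on the vault resource does not let the SP read
#    secrets; the vault's access policy does, and only with the permissions listed.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
                                -ObjectId $sp.Id `
                                -PermissionsToSecrets get,list

# 4. Verify as the SP. This replaces the current user context in this session.
$credential = New-Object System.Management.Automation.PSCredential ($app.ApplicationId, $securePassword)
Connect-AzureRmAccount -ServicePrincipal -Credential $credential -TenantId $tenantId | Out-Null

$secret = Get-AzureRmKeyVaultSecret -VaultName $vaultName -Name $secretName
if ($null -eq $secret) { throw "SP could not read '$secretName' from '$vaultName'" }
Write-Host "Read secret '$secretName' (version $($secret.Version)) as $($app.ApplicationId)"

# Hand $plainSecret to its consumer out of band (for example a pipeline variable marked
# secret), then drop it from this session:
#   Remove-Variable plainSecret, securePassword
```

If the verification step fails with a 403 while the role assignment succeeded, the missing piece is almost always the access policy: Azure RBAC and Key Vault access policies are separate authorization layers in this module generation.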
Connect-AzureRmAccount (AzureRM.Profile)
Example 2: (Windows PowerShell 5.1 only) Connect to Azure using an organizational ID
Example 3: Connect to Azure using a service principal account
Required?

According to Microsoft, service principals are accounts not tied to any particular user, which can have permissions assigned to them through pre-defined roles.