Azure Service Principals are an authentication mechanism for Azure instances. An Azure Service Principal is an identity created under Azure Active Directory to work with apps using role-based access controls. For example, when applications, hosted services, or automated tools need to access or modify resources, you can create a service principal and use it to authenticate.
Roles assigned to the service principal restrict what it can reach, so you control both which resources are accessed and at what level. You should always use service principals with automated tools rather than allowing the tools to log in with a user identity.
IMPORTANT: Before you begin, contact Support to enable the Azure Service Principal for your tenant.
Configure an Application Registration in the Azure Portal
- Log in to the Azure portal at https://portal.azure.com/.
- Go to Home > App registrations and click New registration.
- Under Redirect URI, click Select a platform and enter the redirect URI for your Skyhigh CASB environment:
  - PROD: https://www.myshn.net/shndash/extensions/offlinedlp_ret.jsp
  - EUPROD: https://www.myshn.eu/shndash/extensions/offlinedlp_ret.jsp
  - CAPROD: https://www.myshn.ca/shndash/extensions/offlinedlp_ret.jsp
- To create a new application, click Register.
- Confirm the new application's properties are configured correctly, as per Step 3.
- Copy the Application (Client) ID and Tenant ID for future reference.
- In the Client secrets tab, click New client secret.
- Copy the Secret Value for future reference.
- Now add the new service principal to existing subscriptions. This gives the service principal access to the resources within those subscriptions.
  - Go to Subscription.
  - Click Access Control (IAM) on the left side bar, then the Role assignments tab.
  - Click Add, then click Add role assignment.
  - Click Next.
  - Under Members, select the new application and click Select.
  - Click Review and assign.
Follow the same steps for any other subscriptions you may have.
Create Azure Service Instance Using Service Principal in Skyhigh CASB
- In Skyhigh CASB go to Settings > Service Management.
- Select your Azure instance or create a new one.
- When you provide API credentials, enter the Client ID, Client Secret, and Tenant ID you saved from the previous steps.
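Before pasting the three values into Skyhigh CASB, it is worth confirming that they belong together and that the role assignment took effect. The following script is an added example, not part of this documentation or of the Skyhigh product: it reads the Tenant ID, Client ID and Client Secret from environment variables (assumed names AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET), obtains a token with the OAuth 2.0 client-credentials flow, checks the token's tenant and application claims against the saved IDs, and lists the subscriptions the principal can now see.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"  # Resource Manager audience the CASB uses

def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request as (URL, form body)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": f"{ARM}/.default",
    }).encode()
    return f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", body

def decode_claims(jwt):
    """Decode a JWT payload for inspection only; the signature is not checked."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_identity(claims, tenant_id, client_id):
    """Return mismatches between the token and the IDs saved from the portal."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch: %s" % claims.get("tid"))
    if claims.get("appid", claims.get("azp")) != client_id:
        problems.append("client mismatch: %s" % claims.get("appid"))
    if str(claims.get("aud")).rstrip("/") != ARM:
        problems.append("unexpected audience: %s" % claims.get("aud"))
    return problems

def http_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    tenant, client = os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"]
    url, body = token_request(tenant, client, os.environ["AZURE_CLIENT_SECRET"])
    token = http_json(url, data=body)["access_token"]
    problems = check_identity(decode_claims(token), tenant, client)
    if problems:
        raise SystemExit("\n".join(problems))
    subs = http_json(f"{ARM}/subscriptions?api-version=2020-01-01",
                     headers={"Authorization": "Bearer " + token})
    for sub in subs["value"]:  # every subscription assigned above should appear
        print(sub["subscriptionId"], sub["displayName"])
```

A subscription missing from the output means the role assignment for that subscription was not completed; the client secret itself is only ever read from the environment, never written anywhere.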