I wanted to Configure Linked Service for OData Feed using Service Principal and Key. Can anyone explain me what parameter should be entered in AAD Resource?
Related
As per the documentation from Microsoft for Data encryption for Azure Database for PostgreSQL Single server by using the Azure portal , the steps mentioned tell to create a service principal for Azure PostgreSql single server option, while adding an Access Policy in Azure key vault.
I wanted to know how can I create a service principal for Azure Postgresql. I googled across the web but didn't find any descriptive link or documentation to do this.
Can someone please help me achieve this?
Please follow the below steps to fix the issue:
You have to configure the data encryption first as shown below which will
fail because you don't have a service principal for it but this step
is necessary as it will create a new service principal for your
PostgreSQL server.
After the above step fails , go to your Keyvault>>access policies>> add access policy.
You will be able to see the service principal created for the
Postgre and it will have the same name as the PostgreSQL server and
add the required permissions for the principal as shown below:
Go to the data encryption section for PostgreSQL server again and do
the settings like below , it will be successfully saved:
I have an app service that needs to connect to Azure Key Vault to obtain Storage and Cosmos DB connection strings. The same application also needs to use service principal name (with client id and secret) to connect directly to a SQL PaaS instance (not via Azure Key Vault). Can I use one single service principal for both?
Can I use one single service principal for both?
Sure you can. As long as Service Principal as appropriate permissions to access both Azure Key Vault and SQL Database, it should be able to access these resources.
The key thing here is that your Service Principal must be assigned appropriate RBAC roles. For example, if you assign your Service Principal a Contributor role in an Azure Subscription, then you can manage all resources of your Azure Subscription (except role assignment) using that Service Principal.
On my current project I work with TFS on-prem and I need to deploy resources in Azure.
With a service principal in Azure and an ARM service endpoint in TFS, everything works fine.
However now I get the requirement to secure the service principal with a certificate instead of a password. Creating a service principal with a certificate is almost as easy as with a password, but setting up the ARM service endpoint in TFS (also VSTS by the way) is not that easy.
One of the fields I have to fill in for the ARM service endpoint is the "Service Principal Key".
When creating the service principal with a certificate, I don't have that value (which typically is the password used to create the AD application).
Is it possible to create a TFS service endpoint using an Azure service principal based on a certificate?
We cannot create the ARM service endpoint based on a certificate, just as you mentioned we can only provide the "Service Principal Key".
However we can create Azure Classic service endpoint based on a certificate.
Management Certificate:
Required for Certificate based authentication. Copy the value of the
management certificate key from your publish settings XML file or the
Azure portal.
I'm looking for my VSTS deployment agent service principal to get the Object ID of a managed service principal (created by Data Factory V2).
It needs this for assigning ACL's in data lake store.
However as far as I can tell, it requires Read Permission on Azure AD.
I wish to avoid granting it read permission if possible, to follow the 'least privilege' mantra.
For non-managed service principals, I allow the deployment agent to manage service principals it has created (thus not needing full read access). However I suspect the fact that the service principals are managed by Azure it is unlikely I'll be able to give the deployment agent any ownership over the managed service principal (however I'm working with AD admins to see if there is a way).
I've tried everything I can think of mixing and matching Azure RM data factory v2 powershell modules and Azure AD modules.
Is it possible to get the id without Azure AD read access? Or a novel workaround (I'm considering a constrained Web API wrapper)?
We have a VSTS Azure Resource Manager Service Endpoint that uses a Service Principal to connect to Azure. This service principal was created manually. I was wondering if this service principle is impacted by the Azure AD signing key roll over and whether it will handle it automatically.
If you are using a service principal created through VSTS, there shouldn't be a problem. If it's created another way, you'll want to check this article from the Azure team about the rollover.