A Service Principal is an AAD Application's representation in a tenant, or "an identity for the app". It can be added like a user in Azure's Role-Based Access Control.
This article follows official doc, shows how to do this in GUI and provides more detailed screenshots and explanations.
-
Create a new application in your AAD. Go to Azure Portal > Azure Active Directory > App registration > New application registration
-
Give it a name. Sign-on URL is not needed.
-
Mark down the Application (client) ID and Directory (tenant) ID. Microsoft's Directory ID is
72f988bf-86f1-41af-91ab-2d7cd011db47
-
Create a new Client Secret.
-
Go to the resource you want to give the Service Principal permission, at different levels. Subscription / Resource Group / Resource > Access control (IAM)
