Giving an automation tool like Terraform the privileges to manage resource groups within Azure requires a bit of up-front setup work. Here is a video demonstrating all that is required.

Step 1: Install the Azure CLI

The first step is to install the Azure CLI (command line interface), which lets you issue commands using your Azure Active Directory credentials. The account you log in with needs enough privilege in Azure AD to register an application and enough privilege on the subscription to assign roles (Owner or User Access Administrator), or Step 4 will fail.

C:> choco install azure-cli

Step 2: Login using the CLI

“az login” triggers an interactive login session. Depending on the CLI version and whether a browser is available (or if you pass --use-device-code), it prints a unique one-time code instead of opening a browser; in that case follow the instructions by opening a browser to https://microsoft.com/devicelogin and entering the code provided by the CLI.

Make sure to snag the following values from the JSON document that the CLI prints once the login completes:

Field            Description
Subscription ID  Unique identifier for the Azure subscription (the "id" field in the az login output)
Tenant ID        Unique identifier for the Azure Active Directory tenant that owns the subscription (the "tenantId" field)

Terraform passes both of these to Azure as part of its provider configuration, but they are identifiers rather than secrets; only the service principal password created in Step 4 needs protecting.

Step 3: Explicitly set your subscription context

az account set --subscription="{your subscription id}"

Do this even if you only have access to one subscription, so that the role assignment in Step 4 and every later Terraform run target the subscription you intend.

Step 4: Create the Service Principal (the App Registration that acts as a Service Account)

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/{your_subscription_id}"

This creates an app registration in Azure Active Directory, the service principal for it in your tenant, a client secret (the "password" below), and a Contributor role assignment at the subscription scope. Contributor over the entire subscription is more than a pipeline that manages a few resource groups needs; where you can, narrow the --scopes value to the resource group(s) Terraform will actually manage.

Field     Description
appId     Unique identifier (client ID) for the service account in Azure Active Directory
password  Client secret used to authenticate; shown only once at creation and cannot be retrieved later
tenant    The tenant ID from Step 2, repeated for convenience

As its name implies the password is sensitive. I’m showing it because it will be long deleted by the time this is published and I wanted you guys to be able to see the unobstructed output of the commands.

You can manage the account, including rotating the secret or deleting it once it is no longer needed, from the ‘App registrations’ section of the Azure Active Directory portal. Hand the secret to Terraform through the ARM_CLIENT_SECRET environment variable or a secret store rather than writing it into a .tf file.
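The four steps above, wrapped into a script as an added example that is not part of the original post. It assumes the Azure CLI is installed (Step 1) and that you have already run az login (Step 2); it is written for a POSIX shell (Git Bash, WSL or Linux) rather than the Windows command prompt shown above. It sets the subscription context, creates the service principal with the role scoped to a resource group when one is given (the narrower alternative to the subscription-wide Contributor in Step 4), and captures the JSON output into a file of ARM_* variables for the Terraform azurerm provider instead of printing the secret to the terminal. The file name terraform-sp.env, the default name terraform-sp, and the sample JSON values are this example's own choices.

```shell
#!/bin/sh
# Added example (not the original post's code): Steps 2-4 as a script that creates a
# service principal for Terraform and writes the ARM_* variables the azurerm provider
# reads, without echoing the secret. Assumes the Azure CLI is installed and `az login`
# has already been run. terraform-sp.env and terraform-sp are this example's own names.
set -eu

# Pull one string field out of a JSON object without depending on jq.
# Assumes the value contains no embedded double quotes (true for Azure ids and secrets).
json_field() {
  printf '%s\n' "$2" |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Role-assignment scope: a resource group when one is given (least privilege),
# otherwise the whole subscription exactly as in the post's Step 4.
sp_scope() {
  if [ -n "${2:-}" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$1" "$2"
  else
    printf '/subscriptions/%s\n' "$1"
  fi
}

# Map the JSON printed by `az ad sp create-for-rbac` to the environment variables the
# Terraform azurerm provider reads. Values are single-quoted so characters such as ~
# in the secret are not interpreted by the shell when the file is sourced.
sp_json_to_env() {
  printf "export ARM_CLIENT_ID='%s'\n"       "$(json_field appId "$1")"
  printf "export ARM_CLIENT_SECRET='%s'\n"   "$(json_field password "$1")"
  printf "export ARM_TENANT_ID='%s'\n"       "$(json_field tenant "$1")"
  printf "export ARM_SUBSCRIPTION_ID='%s'\n" "$2"
}

# Live path (runs only when a subscription id is passed on the command line): set the
# subscription context, create the service principal, and capture its output into an
# owner-only file instead of letting the CLI print the secret to the terminal.
create_terraform_sp() {
  sub_id="$1"
  rg="${2:-}"
  sp_name="${3:-terraform-sp}"
  az account set --subscription "$sub_id"
  sp_json=$(az ad sp create-for-rbac --name "$sp_name" --role Contributor \
              --scopes "$(sp_scope "$sub_id" "$rg")" -o json)
  umask 077
  sp_json_to_env "$sp_json" "$sub_id" > terraform-sp.env
  echo "Wrote terraform-sp.env for $sp_name; source it in your shell and do not commit it."
}

# Constructed sample in the shape create-for-rbac prints (made-up values, not a real
# tenant), used to show the mapping offline when no subscription id is given.
SAMPLE_SP_JSON='{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "terraform-sp",
  "password": "made-up.secret_value~1234",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

if [ "$#" -ge 1 ]; then
  create_terraform_sp "$@"   # usage: sh make-sp.sh <subscription-id> [resource-group] [name]
else
  sp_json_to_env "$SAMPLE_SP_JSON" 00000000-0000-0000-0000-000000000000
fi
```

Run it as sh make-sp.sh {your subscription id} {resource group} to get a resource-group-scoped principal, or omit the resource group for the subscription-wide assignment the post uses; then source terraform-sp.env before running terraform init. Because the JSON is captured into a variable and written with umask 077, the secret never appears in your terminal scrollback or shell history.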