Service principals with credentials
Do you need to create a Partner Admin Link for a service principal? And it has eligible RBAC role assignments? Can you authenticate using its secret or certificate? If so, follow this guide.
Introduction brief
This page assumes that you are looking at an existing service principal that
- has Azure RBAC role assignments with PEC eligible roles, and
- you are allowed to use its secret or certificate for authentication.
If you have a service principal or managed identity that you are using in a CI/CD pipeline, then visit the CI/CD pipelines & PAL page.
If you are intending to “PAL tag” with a new and dedicated Partner Admin Link service principal that exists purely for recognition purposes, then go to the PAL tag with a service principal page.
Note that you cannot create a Partner Admin Link for a service principal using the Azure Portal.
Service principal with secret or cert
Use PowerShell to create the link for a service principal
1. Install the Az.ManagementPartner PowerShell module.

   ```powershell
   Install-Module -Name Az.ManagementPartner -Repository PSGallery -Force
   ```

2. Sign in to the customer’s tenant as the service principal.

   Using a secret:

   ```powershell
   $clientSecret = ConvertTo-SecureString "<clientSecret>" -AsPlainText -Force
   $credential = New-Object System.Management.Automation.PSCredential("<clientId>", $clientSecret)
   Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -Credential $credential
   ```

   Or using a certificate:

   ```powershell
   Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -CertificateThumbprint <thumbprint> -ApplicationId <clientId>
   ```

3. Create the Partner Admin Link.

   ```powershell
   New-AzManagementPartner -PartnerId <partnerId>
   ```
The additional AzManagementPartner cmdlets are the same as for managing links for users.
Use the Azure CLI to create the link for a service principal
1. Install the Azure CLI’s managementpartner extension.

   ```bash
   az extension add --name "managementpartner"
   ```

2. Sign in to the customer’s tenant as the service principal.

   Using a secret:

   ```bash
   az login --service-principal --user "<clientId>" --password "<clientSecret>" --tenant "<tenantId>"
   ```

   Or using a certificate:

   ```bash
   az login --service-principal --user "<clientId>" --tenant "<tenantId>" --certificate "<pathToCertificate>"
   ```

3. Create the Partner Admin Link.

   ```bash
   az managementpartner create --partner-id "<partnerId>"
   ```
The additional Azure CLI commands are the same as for managing links for users.
Use the REST API to create the link for a system assigned managed identity
The example here is for a system-assigned managed identity on an Azure RHEL Linux virtual machine, where the token is retrieved via the Instance Metadata Service (IMDS).
⚠️ Note that whilst it is possible to call the REST API directly, the only documentation for the API appears in the azure-rest-api-specs repo. Also, managed identities are not officially supported.
1. Install jq.

   ```bash
   sudo dnf install jq -y
   ```

   ℹ️ You may need to use a different package manager to install jq if on a different Linux distribution.

2. Use the Instance Metadata Service to get a token.

   ```bash
   token=$(curl -sSL -H "Metadata:true" 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' | jq -r .access_token)
   ```

3. Define the partnerId variable.

   ```bash
   partnerId="31415927"
   ```

   ⚠️ Set the partnerId variable to your location-based Microsoft Partner ID.

4. Create the PAL link.

   ```bash
   curl --silent \
     --header "Authorization: Bearer ${token}" \
     --header "Content-Type: application/json" \
     --data '{"partnerId": "'${partnerId}'"}' \
     --request PUT \
     "https://management.azure.com/providers/microsoft.managementpartner/partners/${partnerId}?api-version=2018-02-01"
   ```

   Using the example MPN ID, the JSON payload would be:

   ```json
   {"partnerId": "31415927"}
   ```

   And the URI would be:

   ```
   https://management.azure.com/providers/microsoft.managementpartner/partners/31415927?api-version=2018-02-01
   ```
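The REST flow above takes whatever token IMDS hands back and whatever value is in `partnerId`, so two things are worth checking before the PUT goes out: that the token really belongs to the managed identity you intend to tag (the `aud`, `appid` and `tid` claims of the access token), and that the partner ID is a plain number before it is spliced into both the URI and the JSON body. The following POSIX shell script is an added example, not part of the original page or any Microsoft tooling. The `pal_*` function names are made up for this example, the token it decodes is constructed locally (not a real Azure token), and the claim extraction uses `sed` on the compact JSON that Azure AD issues so it runs without `jq`; the decode is unverified (no signature check) and serves only as an identity sanity check, not as token validation.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PAL REST API flow.
# Assumptions: pal_* names are hypothetical; PAL_SAMPLE_TOKEN is constructed
# here and stands in for the IMDS token; JWT decoding below is unverified.

# Base64url-encode stdin (used only to build the constructed sample token).
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode the payload (second segment) of a JWT. No signature verification:
# this confirms which identity the token names, nothing more.
pal_jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Extract a string claim. Assumes compact JSON (no whitespace) as Azure AD
# issues it; substitute jq -r ."$2" if jq is installed.
pal_jwt_claim() {
  pal_jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the token targets the ARM audience and names an appid,
# so the link is tagged to the principal you expect. Prints appid and tid.
pal_check_token() {
  aud=$(pal_jwt_claim "$1" aud)
  appid=$(pal_jwt_claim "$1" appid)
  tid=$(pal_jwt_claim "$1" tid)
  [ "$aud" = "https://management.azure.com/" ] || return 1
  [ -n "$appid" ] || return 1
  printf 'appid=%s tid=%s\n' "$appid" "$tid"
}

# The partner ID appears in both the path and the body; reject anything
# that is not all digits before it reaches a curl command line.
pal_build_uri() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  printf 'https://management.azure.com/providers/microsoft.managementpartner/partners/%s?api-version=2018-02-01\n' "$1"
}

pal_build_payload() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  printf '{"partnerId": "%s"}\n' "$1"
}

# Perform the PUT (network call; not exercised by the demo below).
pal_create_link() {
  uri=$(pal_build_uri "$2") || return 1
  body=$(pal_build_payload "$2") || return 1
  curl --silent --fail \
    --header "Authorization: Bearer $1" \
    --header "Content-Type: application/json" \
    --data "$body" --request PUT "$uri"
}

# Constructed sample token (header.payload.signature) with made-up IDs.
PAL_SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' '{"aud":"https://management.azure.com/","appid":"11111111-2222-3333-4444-555555555555","tid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}' | b64url).c2lnbmF0dXJl"

# Demo: in the real flow, token=$(curl ... IMDS ...) replaces PAL_SAMPLE_TOKEN
# and pal_create_link "$token" "$partnerId" sends the request.
if pal_check_token "$PAL_SAMPLE_TOKEN"; then
  echo "would PUT $(pal_build_payload 31415927) to $(pal_build_uri 31415927)"
fi
if pal_build_uri "31415927 extra" >/dev/null; then
  echo "unexpected: malformed partner id accepted"
else
  echo "rejected malformed partner id"
fi
```

On a real VM, replace `PAL_SAMPLE_TOKEN` with the `token` variable from the IMDS step; `pal_check_token` then prints the application ID and tenant ID of the managed identity so you can match them against what you see in the portal before the link is created.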
Partner Admin Link should now associate telemetry for all resources under the service principal’s RBAC role assignments, assuming they include a PEC eligible role.