Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure landing zone
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure landing zone
      • Create an initial ALZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Example Library Configs
      • Azure landing zone library
      • Azure landing zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User and guest IDs
    • Service principals with credentials
    • CI/CD pipelines & OpenID Connect
    • Using AzAPI in Terraform
    • PAL tagging with a service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign landing zone
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign landing zone
      • Create an initial SLZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Reference Library Configs
      • Sovereign landing zone
      • Sovereign landing zone library with overrides
      • SLZ extended with a country pack
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Partner Admin Link
  3. Service principals with credentials
Service principals with credentials
Service principals with credentials
Partner Admin Link
Understanding PAL
User and guest IDs
Service principals with credentials
CI/CD pipelines & OpenID Connect
Using AzAPI in Terraform
PAL tagging with a service principal
Azure Lighthouse & PAL
PAL FAQ
  • Introduction brief
  • Service principal with secret or cert
  • Attestation

Service principals with credentials

Do you need to create a Partner Admin Link for a service principal? And it has eligible RBAC role assignments? Can you authenticate using its secret or certificate? If so, follow this guide.

Table of Contents

  • Introduction brief
  • Service principal with secret or cert
  • Attestation

Introduction brief

This page assumes that you are looking at an existing service principal that

  • has Azure RBAC role assignments with PEC eligible roles, and
  • you are allowed to use its secret or certificate for authentication.

If you have a service principal or managed identity that you are using in a CI/CD pipeline then visit the CI/CD pipelines & PAL page

If you are intending to “PAL tag” with a new and dedicated Partner Admin Link service principal that exists purely for recognition purposes then go to the PAL tag with a service principal

Note that you cannot create a Partner Admin Link for a service principal using the Azure Portal.

Service principal with secret or cert

Use PowerShell to create the link for a service principal

  1. Install the Az.ManagementPartner PowerShell module.

    Install-Module -Name Az.ManagementPartner -Repository PSGallery -Force

  2. Sign in to the customer’s tenant as the service principal.

    Using a secret.

    $clientSecret = ConvertTo-SecureString "<clientSecret>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("<clientId>", $clientSecret)
Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -Credential $credential

    Or using a certificate.

    Connect-AzAccount -ServicePrincipal -TenantId <tenantId> -CertificateThumbprint <thumbprint> -ApplicationId <clientId>

  3. Create the Partner Admin Link.

    New-AzManagementPartner -PartnerId <partnerId>

The additional AzManagementPartner cmdlets are the same as for managing links for users.

Authenticate

  1. Sign in to the customer’s tenant as the service principal.

    Using a secret.

    az login --service-principal --user "<clientId>" --password "<clientSecret>" --tenant "<tenantId>"

    Or using a certificate.

    az login --service-principal --user "<clientId>" --tenant "<tenantId>" --certificate "<pathToCertificate>"

Use az managementpartner to create the Partner Admin Link

  1. Install the Azure CLI’s managementpartner extension.

    The az management

    az extension add --name "managementpartner"

    This is a one off task.

  2. Create the Partner Admin Link.

    az managementpartner create --partner-id "<partnerId>"

The additional Azure CLI commands are the same as for managing links for users.

Alternative using az rest

Alternatively, you can also call the REST API directly using the az rest command. This removes the need to download the extension.

az rest --method put --uri "https://management.azure.com/providers/microsoft.managementpartner/partners/<partnerId>?api-version=2018-02-01" --body '{"partnerId": "<partnerId>"}'

Use the REST API to create the link for a system assigned managed identity

The example here is for a system assigned managed identity on an Azure RHEL linux virtual machine, where the token is retrieved via the Instance Metadata Service (IMDS).

⚠️ Note that whilst it is possible to call the REST API directly, the only documentation for the API appears in the azure-rest-api-specs repo. Also, managed identities are not officially supported.

  1. Install jq

    sudo dnf install jq -y

    ℹ️ You may need to use a different package manager to install jq if on a different linux distribution.

  2. Use the Instance Metadata Service to get a token

    token=$(curl -sSL -H "Metadata:true" 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' | jq -r .access_token)

  3. Define the partnerid

    partnerId="31415927"

    ⚠️ Set the partnerid variable to your location based Microsoft Partner ID.

  4. Create the PAL link

    curl --silent \
  --header "Authorization: Bearer ${token}" \
  --header "Content-Type: application/json" \
  --data '{"partnerId": "'${partnerId}'"}' \
  --request PUT \
  "https://management.azure.com/providers/microsoft.managementpartner/partners/${partnerId}?api-version=2018-02-01"

    Using the example MPN ID, the JSON payload would be:

    {"partnerId": "31415927"}

    And the uri would be:

    "https://management.azure.com/providers/microsoft.managementpartner/partners/31415927?api-version=2018-02-01"

Partner Admin Link should now associate telemetry for all resources under the service principal’s RBAC role assignments, assuming they include a PEC eligible role.

Attestation

I have created a Bash script, pal_attestation.sh, that you are free to use if it helps you to display information about Partner Admin Link. This is useful if you need to copy and paste the output to prove that a link is in place for that customer context. You can copy and paste the output, pipe it through to jq, or redirect to a file.

A few example usages are shown below for displaying

  1. the core info (for the tenant, the security principal, and the Partner Admin Link)
  2. the core info, plus direct RBAC role assignments (note the caveats)
  3. the core info for another objectId and its RBAC role assignments

You first need to authenticate and ensure that you are in the correct customer context.

You use this script then it is at your own risk. Having said that it is mostly harmless as it is just getting info from Azure, including the resource graph, and displying it. If you have very minimal access, e.g. you cannot read Microsoft.Authorization at the right scopes, then the main risk is that it may not return the full information.

This Bash command will work in the Cloud Shell, even in the PowerShell experience.

Core info

curl -sSL https://aka.ms/pal/attestation | bash
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": "Contoso",
  "tenantDefaultDomain": "contoso.com",
  "type": "user",
  "displayName": "Richard Cheney",
  "userPrincipalName": "richard.cheney@azurecitadel.com",
  "appId": null,
  "objectId": "74afa9e2-d243-414b-bab2-db8dd242827f",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159"
}
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": null,
  "tenantDefaultDomain": null,
  "type": "servicePrincipal",
  "displayName": "PAL (Partner Admin Link) for Azure Citadel",
  "userPrincipalName": null,
  "appId": "7b7fe81e-da85-4271-a065-b0a00634ae75",
  "objectId": "a52475b0-d310-41ac-a4b1-d1e3161e0127",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159"
}

Extended info with assignments

Note that this uses the resource graph to additionall get the direct RBAC role assignments.

It will not return secondary RBAC role assignments, e.g. via a security group’s role assignment. You will also not see any temporary assignments (e.g. via Privileged Identity Management or the Access Packages in Microsoft Entra ID Governance’s Entitlement Management) unless they are currently active.

curl -sSL https://aka.ms/pal/attestation | bash -s -- --assignments
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": "Contoso",
  "tenantDefaultDomain": "contoso.com",
  "type": "user",
  "displayName": "Richard Cheney",
  "userPrincipalName": "richard.cheney@azurecitadel.com",
  "appId": null,
  "objectId": "74afa9e2-d243-414b-bab2-db8dd242827f",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159",
  "assignments": [
    {
      "scope": "/providers/Microsoft.Management/managementGroups/alz",
      "id": "b25e4a12-2d7d-19b0-3de0-0f12895873ed",
      "roleName": "Azure Landing Zones Management Group Reader (alz-mgmt)",
      "roleType": "Custom"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a",
      "id": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "roleName": "Owner",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a/resourceGroups/terraform/providers/Microsoft.Storage/storageAccounts/terraformfabric562b54eb",
      "id": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
      "roleName": "Storage Blob Data Contributor",
      "roleType": "BuiltIn"
    }
  ]
}
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": null,
  "tenantDefaultDomain": null,
  "type": "servicePrincipal",
  "displayName": "PAL (Partner Admin Link) for Azure Citadel",
  "userPrincipalName": null,
  "appId": "7b7fe81e-da85-4271-a065-b0a00634ae75",
  "objectId": "a52475b0-d310-41ac-a4b1-d1e3161e0127",
  "partnerAdminLink": "/providers/microsoft.managementpartner/partners/314159",
  "partnerName": "Azure Citadel",
  "partnerId": "314159",
  "assignments": [
    {
      "scope": "/providers/Microsoft.Management/managementGroups/platform",
      "id": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
      "roleName": "Support Request Contributor",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/73568139-5c52-4066-a406-3e8533bb0f15",
      "id": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
      "roleName": "Support Request Contributor",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a",
      "id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "roleName": "Contributor",
      "roleType": "BuiltIn"
    }
  ]
}

Assignment info for another object id

This is useful to display assignments for another user or service principal.

Note that this will not return the Partner Admin Link information, as you must authenticate for the PAL REST API call to work.

curl -sSL https://aka.ms/pal/attestation | bash -s -- --assignments --object-id <object-id>

The script will handle being passed the app ID, or the object ID for the app reg, and will automatically determine the object ID for the service principal. If you do not want to see the stderr warning messages then add 2>/dev/null to the command.

Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": "Contoso",
  "tenantDefaultDomain": "contoso.com",
  "type": "user",
  "displayName": "Richard Cheney",
  "userPrincipalName": "richard.cheney@azurecitadel.com",
  "appId": null,
  "objectId": "74afa9e2-d243-414b-bab2-db8dd242827f",
  "partnerAdminLink": "Unavailable",
  "partnerName": "Unavailable",
  "partnerId": "Unavailable",
  "assignments": [
    {
      "scope": "/providers/Microsoft.Management/managementGroups/alz",
      "id": "b25e4a12-2d7d-19b0-3de0-0f12895873ed",
      "roleName": "Azure Landing Zones Management Group Reader (alz-mgmt)",
      "roleType": "Custom"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a",
      "id": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "roleName": "Owner",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a/resourceGroups/terraform/providers/Microsoft.Storage/storageAccounts/terraformfabric562b54eb",
      "id": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
      "roleName": "Storage Blob Data Contributor",
      "roleType": "BuiltIn"
    }
  ]
}
Example output:
{
  "tenantId": "ac40fc60-2717-4051-a567-c0cd948f0ac9",
  "tenantDisplayName": null,
  "tenantDefaultDomain": null,
  "type": "servicePrincipal",
  "displayName": "PAL (Partner Admin Link) for Azure Citadel",
  "userPrincipalName": null,
  "appId": "7b7fe81e-da85-4271-a065-b0a00634ae75",
  "objectId": "a52475b0-d310-41ac-a4b1-d1e3161e0127",
  "partnerAdminLink": "Unavailable",
  "partnerName": "Unavailable",
  "partnerId": "Unavailable",
  "assignments": [
    {
      "scope": "/providers/Microsoft.Management/managementGroups/platform",
      "id": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
      "roleName": "Support Request Contributor",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/73568139-5c52-4066-a406-3e8533bb0f15",
      "id": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
      "roleName": "Support Request Contributor",
      "roleType": "BuiltIn"
    },
    {
      "scope": "/subscriptions/a7484f13-d60f-4e5a-a530-fdaade38716a",
      "id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "roleName": "Contributor",
      "roleType": "BuiltIn"
    }
  ]
}
Source: https://www.azurecitadel.com/pal/credential/
Published: 10 Oct 2025
Printed:
User and guest IDs Service principals with credentials CI/CD pipelines & OpenID Connect