ScubaManDan

Reputation: 839

Understanding the Azure Service Principal

I'd like to create a service principal to allow deployments to one or more of my resources under my subscription.

Unable to verify Azure Account: The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/xxxx'.

As I now understand it, an SP sits at tenant level. So does this mean that I likely don't have any permissions to create an SP with the proper access to do what I need and I'll have to get an Admin to do it?

I'm struggling to understand this authentication method tbh. So any information to help clarify how this all fits together would be very much appreciated.

e.g.

Upvotes: 1

Views: 796

Answers (1)

4c74356b41

Reputation: 72171

In terms of permissions, a Service Principal doesn't differ from a regular user. Your service principal doesn't have access to that particular subscription. You need to grant those rights to the service principal. You can use portal\PowerShell\CLI\SDK to do that. Sample link.

Upvotes: 3
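
One way to do the role grant described in the answer with the Azure CLI, as an added example that is not part of the original answer: it builds the scope string and calls `az role assignment create`, printing the command by default instead of running it. The helper names, the `DRY_RUN` switch and the all-zero IDs are assumptions for illustration; running the assignment for real requires an identity that is itself allowed to write role assignments on that scope (for example Owner or User Access Administrator).

```shell
#!/usr/bin/env bash
# Added example: grant an existing service principal a role at the narrowest
# scope that covers the deployment target. IDs used with these helpers are
# constructed placeholders, not values from the question.

# Build an ARM scope string. With only a subscription ID the scope is the whole
# subscription; with a resource group name it is narrowed to that group.
build_scope() {
  local sub="$1" rg="${2:-}"
  case "$sub" in
    ''|*[!0-9a-fA-F-]*) echo "invalid subscription id" >&2; return 1 ;;
  esac
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Print (DRY_RUN=1, the default) or run the role assignment.
# $1 = service principal appId or object id, $2 = role name, $3 = scope
grant_role() {
  local assignee="$1" role="$2" scope="$3"
  set -- az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# List what the service principal holds at a scope, including assignments
# inherited from parent scopes (subscription, management group).
show_assignments() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited --output table
}

# Usage (hypothetical values):
#   scope="$(build_scope 00000000-0000-0000-0000-000000000000 rg-deploy)"
#   DRY_RUN=0 grant_role 11111111-1111-1111-1111-111111111111 Contributor "$scope"
#   show_assignments 11111111-1111-1111-1111-111111111111 "$scope"
```

The error in the question names the subscription scope, so check with `show_assignments` whether the principal needs a read role there or only on the resource group it deploys to.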
