How to Create an Azure Service Principal Using Azure CLI
Last updated: January 19, 2026
Overview
This article explains how to grant the required Azure permissions and create an Azure AD service principal using Azure CLI. This setup allows Astra to securely access your Azure subscription for assessment and monitoring purposes.
Step 1: Assign Required Roles in Azure Portal
Sign in to the Azure Portal.
Use the top search bar to search for Subscriptions and open it.
Select the subscription to which access needs to be granted.
From the left-hand menu, select Access control (IAM).
Click Add and then select Add role assignment.
In the Role dropdown, select Reader.
In the Assign access to dropdown, select User, group, or service principal.
Search for and select the user account saatvik.dhiman@getastra.com.
Click Save to assign the Reader role.
Repeat the same steps and assign the Security Reader role.
Confirm that both roles are listed under the Role assignments tab.
Step 2: Create an Azure AD Service Principal Using Azure CLI
Once you are logged in using Azure CLI, run the following command:
az ad sp create-for-rbac \
--name "<sp-name>" \
--role Reader \
--scopes /subscriptions/<subscription-id>
This command creates a service principal with read-only access to the specified subscription.
Step 3: Share the Required Service Principal Details
After creating the service principal, please share the following details with Astra:
Application (Client) ID
The unique identifier of the service principal
Tenant (Directory) ID
The Azure AD tenant where the service principal is created
Client Secret
The secret generated during service principal creation
Azure Role Assignment
Confirm that the Reader role is assigned at the subscription level
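Both az ad sp create-for-rbac (Step 2) and az role assignment list return JSON, and the create command prints the client secret only once, in that output. The Python below is an added example, not part of this article or of Astra's tooling: it takes constructed sample output from both commands, extracts the three values Step 3 asks for, and checks that the service principal holds only Reader (or Security Reader) at the subscription scope and nothing broader. The GUIDs and secret are placeholders.

```python
import json

# Constructed sample of `az ad sp create-for-rbac --name <sp-name> --role Reader \
#   --scopes /subscriptions/<subscription-id> -o json` (placeholder values only).
CREATE_OUTPUT = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "astra-assessment-sp",
    "password": "<client-secret-placeholder>",
    "tenant": "00000000-0000-0000-0000-0000000000aa",
})

# Constructed sample of `az role assignment list --assignee <appId> --all -o json`
# for a correctly scoped principal.
ROLE_LIST_OUTPUT = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
])

# The only roles this setup is meant to grant (Step 1 / Step 2).
ALLOWED_ROLES = {"Reader", "Security Reader"}


def extract_details(create_json: str) -> dict:
    """Pull the three values Step 3 asks for out of the create-for-rbac output."""
    data = json.loads(create_json)
    return {
        "client_id": data["appId"],
        "tenant_id": data["tenant"],
        "client_secret": data["password"],
    }


def check_least_privilege(role_list_json: str, subscription_id: str) -> list:
    """Return a list of problems; an empty list means the principal is scoped as intended."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()  # Azure scopes are case-insensitive
    assignments = json.loads(role_list_json)
    problems = []
    if not any(a["roleDefinitionName"] == "Reader" and a["scope"].lower() == expected_scope
               for a in assignments):
        problems.append("Reader is not assigned at the subscription scope")
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if role not in ALLOWED_ROLES:
            problems.append(f"unexpected role {role!r} at {scope}")
        if not scope.startswith(expected_scope):
            # e.g. an assignment at a management group or at the root scope "/"
            problems.append(f"assignment at {scope} is outside the subscription")
    return problems
```

In practice, replace the constructed strings with the real command output (for example via subprocess or by saving the JSON to a file) before sharing the details with Astra.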
Need Help?
If you face any issues while creating the service principal or assigning roles, feel free to reach out to our support team. We are happy to guide you through the setup.