How to Create an Azure Service Principal Using Azure CLI

Last updated: June 12, 2026

Introduction

This guide explains how to grant Astra the Azure permissions it needs to access your Azure subscription, read-only, for assessment and monitoring. The setup has two parts: assigning the required roles in the Azure Portal, and creating an Azure AD (Microsoft Entra ID) service principal using Azure CLI.

The service principal is a dedicated identity that Astra uses to connect to your subscription with read-only access, so no user account or its credentials have to be handed over.

Prerequisites

Before you begin, ensure the following are in place:

  • Azure Portal access — you must have sufficient permissions to assign roles at the subscription level (typically Owner or User Access Administrator)

  • Azure CLI installed and authenticated — run az login, then confirm with az account show that the CLI is signed in to the correct tenant and that the intended subscription is the active one, before running the service principal creation command. If Azure CLI is not installed, refer to Microsoft's installation guide

  • Subscription ID on hand — you will need it for the scope in the CLI command in Step 2; az account list -o table shows the subscriptions your login can see, together with their IDs

  • Target subscription identified — confirm which Azure subscription Astra needs access to before starting role assignments

Instructions

Step 1: Assign Required Roles in Azure Portal

  1. Sign in to the Azure Portal.

  2. Use the top search bar to search for Subscriptions and open it.

  3. Select the subscription to which access needs to be granted.

  4. From the left-hand menu, select Access control (IAM).

  5. Click Add and then select Add role assignment.

  6. In the Role dropdown, select Reader.

  7. In the Assign access to dropdown, select User, group, or service principal.

  8. Search for and select the user account saatvik.dhiman@getastra.com.

  9. Click Save to assign the Reader role.

  10. Repeat the same steps and assign the Security Reader role.

  11. Confirm that both roles are listed under the Role assignments tab.

Step 2: Create an Azure AD Service Principal Using Azure CLI

Once you are logged in with Azure CLI (az login) and the target subscription is the active one (az account set), run the following command, replacing <sp-name> with a display name for the service principal and <subscription-id> with the ID from the prerequisites:

az ad sp create-for-rbac \
  --name "<sp-name>" \
  --role Reader \
  --scopes /subscriptions/<subscription-id>

This command registers an application, creates its service principal, and assigns that principal the Reader role at the subscription scope, which gives it read-only access to the specified subscription. Two points to note:

  • Only the role named with --role is assigned. The command does not add the Security Reader role used in Step 1; if the service principal needs that role as well, assign it to the new principal separately (az role assignment create), then check the Role assignments tab as in Step 1.

  • The output lists appId, displayName, password and tenant. The password is the client secret and is displayed only this once; it cannot be read back later. If it is lost, generate a new one with az ad sp credential reset, which replaces the existing secret.

Step 3: Share the Required Service Principal Details

After creating the service principal, share the following details with Astra. The first three come straight from the command output in Step 2; send the client secret through a secure channel (a password-manager share or an encrypted message), not by plain e-mail or chat.

  • Application (Client) ID
    The unique identifier of the service principal (appId in the command output)

  • Tenant (Directory) ID
    The Azure AD tenant where the service principal is created (tenant in the command output)

  • Client Secret
    The secret generated during service principal creation (password in the command output; it is shown only once, so copy it before closing the terminal)

  • Azure Role Assignment
    Confirm that the Reader role (and the Security Reader role from Step 1, if assigned to the service principal) is present at the subscription level; the Role assignments tab under Access control (IAM) for the subscription, or az role assignment list, shows this
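As an added example (not Astra's own tooling and not code from this page), the script below performs Step 2 end to end, also gives the new service principal the Security Reader role that Step 1 assigns, verifies both assignments before you hand anything over, and keeps the client secret out of the terminal and shell history. It assumes you have already run az login against the right tenant, that SP_NAME, SECRET_FILE and the script name are placeholders you replace, and a recent Azure CLI (the id field of az ad sp show was named objectId in old releases).

```sh
#!/bin/sh
# Added example, not Astra's own tooling: create the read-only service principal
# (Step 2), add the Security Reader role from Step 1 to it, verify both roles,
# and write the client secret to a 0600 file instead of the terminal.
# Assumptions: `az login` already done for the right tenant; SP_NAME and
# SECRET_FILE are placeholders; recent Azure CLI (`id` field of `az ad sp show`).
set -eu

SP_NAME="${SP_NAME:-astra-readonly}"             # placeholder display name
SECRET_FILE="${SECRET_FILE:-./astra-sp-secret}"  # placeholder path, created mode 0600
ROLE_RETRIES=6                                   # RBAC replication can lag by about a minute

# Accept only a subscription GUID, so a typo cannot build a scope for the wrong target.
valid_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Print the subscription-level scope for a validated subscription ID.
subscription_scope() {
  valid_subscription_id "$1" || return 1
  printf '/subscriptions/%s\n' "$1"
}

# Read one role name per line on stdin; succeed only if Reader and Security Reader are both present.
has_required_roles() {
  roles=$(cat)
  printf '%s\n' "$roles" | grep -qx 'Reader' &&
    printf '%s\n' "$roles" | grep -qx 'Security Reader'
}

create_astra_sp() {
  : "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to the target subscription GUID}"
  scope=$(subscription_scope "$SUBSCRIPTION_ID") || { echo "invalid subscription id" >&2; return 1; }
  az account set --subscription "$SUBSCRIPTION_ID"

  # create-for-rbac assigns only the role named here (Reader). The --query/-o tsv
  # projection keeps the full JSON, secret included, off the screen and out of history.
  out=$(az ad sp create-for-rbac --name "$SP_NAME" --role Reader --scopes "$scope" \
          --query '[appId,tenant,password]' -o tsv)
  app_id=$(printf '%s\n' "$out" | cut -f1)
  tenant_id=$(printf '%s\n' "$out" | cut -f2)
  umask 077
  printf '%s\n' "$out" | cut -f3 > "$SECRET_FILE"

  # Security Reader is not covered by create-for-rbac; assign it to the same principal.
  # Passing the object id and principal type avoids a directory lookup that can fail
  # while the new principal is still replicating.
  object_id=$(az ad sp show --id "$app_id" --query id -o tsv)
  az role assignment create --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Security Reader" --scope "$scope" > /dev/null

  # Verify both assignments are visible at the subscription scope before sharing details.
  attempt=1
  until az role assignment list --assignee "$app_id" --scope "$scope" \
          --query '[].roleDefinitionName' -o tsv | has_required_roles; do
    if [ "$attempt" -ge "$ROLE_RETRIES" ]; then
      echo "Reader and Security Reader are not both assigned to $app_id at $scope" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    sleep 10
  done

  echo "Application (client) ID: $app_id"
  echo "Tenant (directory) ID:   $tenant_id"
  echo "Client secret written to $SECRET_FILE (mode 0600); send it over a secure channel, not e-mail."
}

# Touch Azure only when explicitly asked; the helpers above can be exercised without az.
case "${1:-}" in
  run) create_astra_sp ;;
  *)   echo "usage: SUBSCRIPTION_ID=<guid> $0 run" >&2 ;;
esac
```

Run it as SUBSCRIPTION_ID=<subscription-id> sh create-astra-sp.sh run (script name is a placeholder). The retry loop exists because a role assignment can take a short while to appear in az role assignment list after creation; without it a correct setup can look incomplete on the first check. The Application (Client) ID and Tenant (Directory) ID printed at the end are the two identifiers Step 3 asks for, and the file holds the client secret.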

Need Help?

If you face any issues while creating the service principal or assigning roles, feel free to reach out to our support team. We are happy to guide you through the setup.