Creating Azure Service Principal using Azure CLI

Document created by jacob.bendavid (Expert) on Jul 17, 2019. Last modified by jacob.bendavid (Expert) on Feb 20, 2020. Version 11.


In this guide, we will cover the process of creating an Azure Service Principal using Azure CLI and (optionally) assigning it to multiple subscriptions. We will then use the resulting information to add an Azure Target to Turbonomic.


If you wish to execute this process in Azure Portal instead of Azure CLI, please visit this article.


Please note that discovering multiple subscriptions using a single Service Principal is supported with Turbonomic 6.4 and higher.


The guide assumes that:

  • You have admin access to your Azure account
  • You have Azure CLI installed on your system (if not, please refer to this Microsoft article)


To add an Azure Target to Turbonomic 6.4 and higher, the following are needed:

  1. Tenant (Directory) ID
  2. Application (Client) ID
  3. Application (Client) Secret Key


This article uses the az ad sp create-for-rbac and az role assignment commands; please click on the respective link for more details.


Note: If you're using the Azure German Cloud, you'll need to first configure the Azure CLI to work with that cloud. To do so, run the command below:

az cloud set --name AzureGermanCloud

Log In to Azure:

Start by logging in to your Azure account:

az login

(follow the steps to log in through your browser)


If you have more than one Azure subscription in the account, you can optionally scope the session to a specific subscription. List the subscriptions by running az account list -o table, copy the needed subscription ID, and use it in the next command:

az account set --subscription={SubID}


Create a Service Principal:

Turbonomic requires a Service Principal with the 'Contributor' role, the 'Owner' role, or the combined roles 'Reader' + 'Storage Account Contributor', assigned at the subscription level.

Permissions Requirements:

Turbonomic interacts with Azure targets through an Azure AD Application/Service Principal. During the setup process you will need to assign a permission level through one of the built-in Azure roles. Please review the information below before you proceed:

Permission Level for executing actions:

  • You can use either the Owner or the Contributor role. Contributor is the least-privileged built-in role that lets Turbonomic take actions in your Azure environment, including manually or automatically scaling VMs across instance types and automating VM stop and start.

Permission Level for Read-Only:

  • The combined 'Reader + Storage Account Contributor' roles are the least-privileged combination of built-in roles that lets Turbonomic discover and access metrics across your Azure environment. The Storage Account Contributor role is required to access the Storage Account keys and establish a connection in order to retrieve VM memory statistics.
  • The least-privileged option overall is the combination 'Reader role + Storage Account - List Keys permission'. If you wish to use that combination you will need to create the 'Storage Account - List Keys' role using Azure CLI or APIs (you can download this json file, edit it to add your subscription ID, save it, and then create the role by running the Azure CLI command):
    az role definition create --role-definition listkeys.json

Note: another enhanced security option is to create a separate storage account and use it to store the memory metrics. Please contact Turbonomic for more details on this model.
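As an added example (not the json file the article links to, nor Turbonomic's own code), the shell functions below write that custom role definition for a given subscription ID and check that it carries nothing beyond the single listKeys action before printing the create command. The description text is an assumption; the action name Microsoft.Storage/storageAccounts/listKeys/action is the standard Azure RBAC operation for listing storage account keys.

```shell
#!/bin/sh
# Builds the least-privileged custom role ("Reader" + list keys) described above.
# The description is an assumption; only the subscription id needs editing.

is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Role definition JSON in the format "az role definition create" accepts.
listkeys_role_json() {
  cat <<EOF
{
  "Name": "Storage Account - List Keys",
  "IsCustom": true,
  "Description": "Lists storage account keys only; pair with Reader for VM memory metrics.",
  "Actions": [ "Microsoft.Storage/storageAccounts/listKeys/action" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1" ]
}
EOF
}

# Guard: a "least privilege" role must not carry wildcard, write or delete actions.
role_is_minimal() {
  ! grep -E '"[^"]*(\*|/write|/delete)"' "$1" > /dev/null
}

# Write the file for one subscription and print the command that creates the role.
write_listkeys_role() {
  is_guid "$1" || { echo "subscription id must be a GUID: $1" >&2; return 1; }
  listkeys_role_json "$1" > "$2"
  role_is_minimal "$2" || { echo "role in $2 is broader than intended" >&2; return 1; }
  echo "az role definition create --role-definition $2"
}
```

Run write_listkeys_role with your subscription ID and an output path such as listkeys.json, then execute the printed command.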


In this example we will create a Service Principal named 'TurbonomicSP' with the Contributor role on a specific subscription:

az ad sp create-for-rbac -n "TurbonomicSP" --role contributor --scope /subscriptions/{SubID}

The output will include five values (see the example below). For Turbonomic you will need the appId, password, and tenant values:


{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "TurbonomicSP",
  "name": "http://TurbonomicSP",
  "password": "11111111-1111-11111111111111111",
  "tenant": "22222-2222-2222222222222222222"
}



If this is the only subscription you will be managing with Turbonomic, you can skip the next section and head to 'Adding Azure Target in Turbonomic' below.


Optionally assign the Service Principal to other Subscriptions:

Turbonomic 6.4 and higher lets a single Service Principal automatically discover all the subscriptions it is assigned to. To do so, repeat the steps below for every subscription you wish to manage with Turbonomic.


Important: For Azure EA customers with Azure Reserved VM Instances, it is critical to add all subscriptions under the EA account to Turbonomic so that it can effectively manage your RI inventory and maximize your RI utilization and coverage.


First, you will need to locate the Object ID of the Service Principal:

az ad sp list --display-name TurbonomicSP

Locate the "objectId" field in the output, or append '| grep objectId' to the above command, for example:

az ad sp list --display-name TurbonomicSP | grep objectId


To assign the Service Principal to another subscription (using either Contributor, Owner, or the combination of 'Reader' + 'Storage Account Contributor'), run:

az role assignment create --assignee {SP_ObjectId} --role contributor --scope /subscriptions/{SubID}

If no issues occurred, the command prints the details of the new role assignment.

Repeat the above command for each additional subscription in the Azure account, changing only the subscription ID.
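As an added example (not part of the article or of Turbonomic's tooling), the script below parses the create-for-rbac output for the three values Turbonomic needs, finds the Service Principal's object ID, and builds the role assignment command for each subscription ID you pass it. The JSON samples are constructed, and it prints the commands rather than running them unless DRY_RUN=0 is set; the fallback to an "id" key covers Azure CLI 2.37 and later, which report the object ID under "id" instead of "objectId".

```shell
#!/bin/sh
# Parse create-for-rbac output, find the SP object id, build one role assignment per
# subscription. Dry-run by default: set DRY_RUN=0 to execute, ROLE to change the role.
# Constructed sample of what "az ad sp create-for-rbac" prints (not real secrets).
SP_JSON='{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "TurbonomicSP",
  "name": "http://TurbonomicSP",
  "password": "11111111-1111-1111-1111-111111111111",
  "tenant": "22222222-2222-2222-2222-222222222222"
}'
# Constructed sample of "az ad sp list --display-name TurbonomicSP" output.
# Older CLI versions print "objectId"; CLI 2.37+ prints the same value as "id".
SP_LIST_JSON='[ { "appId": "00000000-0000-0000-0000-000000000000", "objectId": "33333333-3333-3333-3333-333333333333" } ]'
# First string value of a JSON key, extracted with sed so no jq is required.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}
# Object id of the Service Principal, whichever key the CLI version uses.
sp_object_id() {
  oid=$(json_field "$1" objectId)
  [ -n "$oid" ] || oid=$(json_field "$1" id)
  printf '%s\n' "$oid"
}

is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The assignment command for one subscription; role defaults to contributor.
assignment_cmd() {
  printf 'az role assignment create --assignee %s --role %s --scope /subscriptions/%s\n' \
    "$1" "${3:-contributor}" "$2"
}

# Validate the ids first, then print (or run) one assignment per subscription.
assign_all() {
  oid=$1; shift
  is_guid "$oid" || { echo "bad object id: $oid" >&2; return 1; }
  for sub in "$@"; do
    is_guid "$sub" || { echo "bad subscription id: $sub" >&2; return 1; }
    cmd=$(assignment_cmd "$oid" "$sub" "$ROLE")
    if [ "${DRY_RUN:-1}" = 0 ]; then $cmd; else echo "$cmd"; fi
  done
}

# The values Turbonomic asks for; the client secret ("password") is deliberately not echoed.
echo "tenant=$(json_field "$SP_JSON" tenant) appId=$(json_field "$SP_JSON" appId)"
assign_all "$(sp_object_id "$SP_LIST_JSON")" \
  44444444-4444-4444-4444-444444444444 55555555-5555-5555-5555-555555555555
```

With real CLI output, capture it into SP_JSON and SP_LIST_JSON (for example via command substitution) and pass your own subscription IDs to assign_all.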


Adding Azure Target in Turbonomic:

  1. Access your Turbonomic server UI and head to Settings > Target Configuration
  2. Click on New Target (from the top right corner) > Cloud Management, and in the new window select Azure
  3. In the new window enter the following:
    1. Display Name: enter any name you wish
    2. Azure Cloud Type: leave at Global unless you are using the Azure Germany Cloud (assuming you created the SP while the CLI was set to that cloud)
    3. Directory (Tenant) ID: enter the "tenant" value which was shown when the Service Principal was created
    4. Application (Client) ID: enter the "appId" value which was shown when the Service Principal was created
    5. Client Secret Key: enter the "password" value which was shown when the Service Principal was created
    6. If Turbonomic is behind a proxy, provide the details needed to allow it to connect to Azure (Proxy Host, Port, User, and Password)
  4. Click Add


Turbonomic will first validate the information against Azure and, once validated, will start full discovery. Please allow a few minutes for the process to complete; the time varies with the size of the Azure deployment.


Enabling Basic Metrics

Now that you've added Azure as a target, if you'd like Turbonomic to collect memory utilization values for each VM, enable Basic Metrics. More details.


Firewall Requirements