To securely access resource and billing data on your Microsoft Azure account, the Discovery process must present appropriate Microsoft Azure account credentials. You create a special programmatic account — a Microsoft Azure service principal — to generate the required credentials.
Before you begin
Roles required: discovery_admin, service_mapping_admin, and sn_cmp.cloud_admin in Cloud Provisioning and Governance, or sn_cloud_ops_ws.cloud_ops_admin in Cloud Discovery Workspace.
Operations on the Microsoft Azure portal require one of the following roles:
Azure or Azure AD (Active Directory) Administrator
Application Administrator
Application Developer
Cloud Application Administrator
In addition, the Resource Policy Contributor role is required to create or modify resource policies.
Ensure that the MID Servers can reach the Azure Cloud API endpoints over the network:
The US GovCloud URL is https://management.usgovcloudapi.net/.
The commercial Azure Cloud URL is management.azure.com.
Note:
It isn't necessary when adding a credential if the account being added is already a GovCloud account.
Procedure
Log in to the Azure portal and navigate to Azure Active Directory.
Navigate to the App registrations section and click New application registration.
Enter the following information for your application:
Name: Unique name for the application and its integration credentials. For example, ServiceNow Integration.
Supported account types: Specify who can use the application.
Redirect URI (Optional): URL that will access Azure. Typically the URL of the ServiceNow instance.
Select Register to complete the app registration.
When registration completes, copy the Application (client) ID and Directory (tenant) ID values and paste them into a text editor.
Label the values Application ID and Directory ID respectively.
In the Azure portal, navigate to the Certificates & secrets section, select New client secret, and then specify the following values:
Key description: Description for the key.
Duration: Expiration for the key.
Note:
Your organization may apply policies that restrict how long a key can remain valid. Select the appropriate duration.
Click Add.
Copy and paste the key value into the text editor and label the value Application key.
To enable the service principal to work with your Azure subscriptions, navigate to Subscriptions.
If you manage multiple subscriptions, perform the following procedure for each subscription:
Paste the subscription ID into the text editor and label it Subscription ID.
The text file that you build during this procedure holds the labelled Application ID, Directory ID, Application key, and Subscription ID values.
Navigate to the subscription and select Access Control (IAM) from the menu.
Click + Add at the top of the screen then Add role assignment.
Select Reader from the Role field.
Leave the default value, User, group, or service principal, in the Assign access to field.
Note:
The Resource Policy Contributor role is only required for provisioning.
Select the name you created in step 2 in the Select field and click Save.
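The role assignment above is the only Azure permission Discovery needs, so it is worth confirming after the fact that the service principal holds Reader and nothing broader in each subscription. The following Python is an added example, not part of this documentation or of the ServiceNow product: it builds the Resource Manager query that lists one principal's role assignments and checks a response against an allow-list. The role definition GUIDs and the API version come from the public Azure REST API, not from this page; the subscription ID, principal object ID and the response itself are constructed sample data.

```python
"""Least-privilege check for an Azure service principal's role assignments.

Added example: given the JSON that the Azure Resource Manager role-assignment
API returns for one subscription, confirm that the service principal holds
only Reader and flag any broader grant. All identifiers below are constructed.
"""
import json

# Built-in role definition GUIDs; these are the same in every tenant.
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}

# Constructed sample values (not real identifiers).
SAMPLE_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"
SAMPLE_PRINCIPAL = "22222222-2222-2222-2222-222222222222"   # service principal object ID


def role_assignments_url(subscription_id, principal_object_id,
                         base="https://management.azure.com"):
    """URL that lists the role assignments granted to one principal in a subscription."""
    return (f"{base}/subscriptions/{subscription_id}"
            "/providers/Microsoft.Authorization/roleAssignments"
            "?api-version=2022-04-01"
            f"&$filter=principalId eq '{principal_object_id}'")


def role_name(role_definition_id):
    """Map a roleDefinitionId resource path to a built-in role name, else return its GUID."""
    guid = role_definition_id.rsplit("/", 1)[-1].lower()
    return BUILTIN_ROLES.get(guid, guid)


def check_assignments(response, subscription_id, principal_object_id, allowed=("Reader",)):
    """Return {"ok", "roles", "findings"}: ok is True only if every grant is in `allowed`
    and sits inside the subscription being checked."""
    expected_scope = f"/subscriptions/{subscription_id}"
    roles, findings = [], []
    for item in response.get("value", []):
        props = item["properties"]
        if props.get("principalId") != principal_object_id:
            continue  # assignments for other principals are not our concern here
        name = role_name(props["roleDefinitionId"])
        scope = props["scope"]
        roles.append((name, scope))
        if name not in allowed:
            findings.append(f"{name} granted at {scope}; Discovery only needs {', '.join(allowed)}")
        if scope != expected_scope and not scope.startswith(expected_scope + "/"):
            findings.append(f"{name} granted at {scope}, outside {expected_scope}")
    if not roles:
        findings.append("no role assignment found; Discover Subscriptions will not see this subscription")
    return {"ok": not findings, "roles": roles, "findings": findings}


# Constructed sample response: Reader at subscription scope (expected) plus a
# Contributor grant on one resource group that the check should flag.
_DEFS = f"/subscriptions/{SAMPLE_SUBSCRIPTION}/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_RESPONSE = {"value": [
    {"properties": {"principalId": SAMPLE_PRINCIPAL,
                    "roleDefinitionId": _DEFS + "acdd72a7-3385-48ef-bd42-f606fba81ae7",
                    "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"}},
    {"properties": {"principalId": SAMPLE_PRINCIPAL,
                    "roleDefinitionId": _DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c",
                    "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-prod"}},
]}

if __name__ == "__main__":
    print(role_assignments_url(SAMPLE_SUBSCRIPTION, SAMPLE_PRINCIPAL))
    print(json.dumps(check_assignments(SAMPLE_RESPONSE, SAMPLE_SUBSCRIPTION, SAMPLE_PRINCIPAL), indent=2))
```

Run it once per subscription ID in your text file, feeding it the JSON from the URL it prints (fetched with a token that has permission to read role assignments). Any finding means the principal has more than the Reader grant this procedure creates and should be reviewed.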
Perform the appropriate action.
If you are not using Cloud Discovery through Cloud Discovery Workspace, do the following:
In the Discovery Manager, click the plus icon (+) and then select Azure Service Principal from the list.
If you are using Cloud Discovery through Cloud Discovery Workspace, do the following:
Navigate to All > Connections & Credentials > Credentials.
Select New.
Select Azure Service Principal.
Specify the following values on the Azure Service Principal form:
Name: Name of the service principal to register with the instance. For example, Azure service principal credentials.
Authentication Method: Select Client secret. The Secret key field appears when you select Client secret.
Note:
Client assertion is not supported.
Copy and paste values from the temporary text file into the remaining fields:
Tenant ID: the Azure Directory ID value from the text file.
Client ID: the Azure Application ID value from the text file.
Secret key: the Azure Application key value from the text file.
Click Save to create the Azure service principal.
Click the Discover Subscriptions related link to find all subscriptions for the Azure service principal.
The instance creates a service account for each discovered subscription. The Azure Subscriptions related list displays all subscriptions for the Azure service principal.
Click a subscription to view the service account created for the subscription.
Click a Discovery status entry in the Credential Discovery Status list to view the Discovery log.
Each time you click Discover Subscriptions, the instance generates a new Discovery status and displays it in the Credential Discovery Status list.
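The Tenant ID, Client ID and Secret key entered above are exactly the inputs to an OAuth 2.0 client-credentials sign-in, and Discover Subscriptions is a call to the Resource Manager subscriptions endpoint with the resulting token. The following Python is an added example, not ServiceNow's code: it builds the token request for either the commercial cloud or US GovCloud, requests a token, and turns the subscriptions response into one record per subscription, mirroring the one-service-account-per-subscription behaviour described above. The management URLs are the two from this page; the matching login authorities and the API version are taken from the public Azure REST API, not from this page, and every tenant, client and subscription value is a constructed placeholder.

```python
"""Client-credentials sign-in and subscription discovery for an Azure service principal.

Added example: builds the token request that a client-secret credential
produces, fetches a bearer token, and lists the subscriptions the principal
can see. Network functions are only called from __main__; sample data is
constructed so the parsing logic runs offline.
"""
import json
import urllib.parse
import urllib.request

# Resource Manager URL per cloud (from the documentation) with its login authority.
CLOUDS = {
    "commercial": {"login": "https://login.microsoftonline.com",
                   "management": "https://management.azure.com"},
    "usgov": {"login": "https://login.microsoftonline.us",
              "management": "https://management.usgovcloudapi.net"},
}


def build_token_request(cloud, tenant_id, client_id, client_secret):
    """Return (url, form) for the client_credentials grant against one tenant."""
    ep = CLOUDS[cloud]
    url = f"{ep['login']}/{tenant_id}/oauth2/v2.0/token"   # tenant_id = Directory (tenant) ID
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,            # Application (client) ID
        "client_secret": client_secret,    # Application key; sent only to the login endpoint
        "scope": f"{ep['management']}/.default",
    }
    return url, form


def request_token(cloud, tenant_id, client_id, client_secret, timeout=30):
    """POST the form and return the bearer access token (network call)."""
    url, form = build_token_request(cloud, tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def subscriptions_url(cloud):
    """Endpoint that returns every subscription the caller's Reader grant covers."""
    return f"{CLOUDS[cloud]['management']}/subscriptions?api-version=2020-01-01"


def parse_subscriptions(response):
    """One record per subscription, which is what the instance turns into service accounts."""
    return [{"subscription_id": s["subscriptionId"], "name": s["displayName"], "state": s["state"]}
            for s in response.get("value", [])]


def enabled_only(subscriptions):
    """Keep subscriptions in the Enabled state; others cannot be queried for resources."""
    return [s for s in subscriptions if s["state"] == "Enabled"]


def list_subscriptions(cloud, token, timeout=30):
    """GET the subscription list with the bearer token (network call)."""
    req = urllib.request.Request(subscriptions_url(cloud),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_subscriptions(json.load(resp))


# Constructed sample of the subscriptions response; IDs are not real.
SAMPLE_SUBSCRIPTIONS = {"value": [
    {"subscriptionId": "33333333-3333-3333-3333-333333333333", "displayName": "prod", "state": "Enabled"},
    {"subscriptionId": "44444444-4444-4444-4444-444444444444", "displayName": "legacy", "state": "Disabled"},
]}

if __name__ == "__main__":
    # Placeholder credentials: replace with the values from your text file to run live.
    url, form = build_token_request("usgov", "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print("POST", url, {**form, "client_secret": "<redacted>"})
    print(json.dumps(enabled_only(parse_subscriptions(SAMPLE_SUBSCRIPTIONS)), indent=2))
```

If the live token call fails with an invalid_client error, the Application key has usually expired (see the Duration you chose for the client secret); if the subscriptions list comes back empty, the Reader assignment from the earlier step is missing for that subscription.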
What to do next
Cloud Provisioning and Governance only: Create a record of the service principal credentials on the ServiceNow instance so that Cloud Provisioning and Governance processes can access Microsoft Azure data. See Store the Azure service principal credentials in the instance.