Beginner

Azure Service Principal Setup

Create and configure an Azure service principal for deploying to Microsoft Azure

15 minutesLast updated: November 2025

What you'll learn

How to create an Azure service principal
Required roles for deployment automation
How to get Client ID, Client Secret, Tenant ID, and Subscription ID
How to connect Azure to Focal Deploy

Prerequisites

A Microsoft Azure account (free tier available)
An active Azure subscription with billing enabled
Owner or Contributor permissions on the subscription

Open Azure Portal

Navigate to the Azure Portal and sign in with your Microsoft account.

Open App Registrations

Register a New Application

In the Azure Portal, search for "App registrations"
Click "+ New registration"
Enter name: focal-deploy
Select "Accounts in this organizational directory only"
Leave Redirect URI empty (not needed)
Click "Register"

Note: After registration, you'll see the Application (client) ID and Directory (tenant) ID. Copy these - you'll need them later!

Create a Client Secret

In your app registration, go to "Certificates & secrets"
Click "+ New client secret"
Enter description: Focal Deploy Secret
Select expiration: 24 months (recommended)
Click "Add"

CRITICAL: Copy Secret Value Immediately!

The secret value is only shown once. Copy it immediately and store it securely.

Never commit to Git
Never share publicly
Store in a password manager

Get Your Subscription ID

In Azure Portal, search for "Subscriptions"
Click on your subscription
Copy the Subscription ID from the overview page

Open Subscriptions

Assign Contributor Role

Grant the service principal access to your subscription:

Go to your Subscription in Azure Portal
Click "Access control (IAM)" in the left menu
Click "+ Add" → "Add role assignment"
Select role: "Contributor"
Click "Next"
Click "+ Select members"
Search for focal-deploy
Select it and click "Select"
Click "Review + assign"

Contributor Role

Allows creating and managing VMs, VNets, NSGs, and storage

Optional: For more restrictive access, you can create a custom role with only the permissions needed for VM deployments.

Collect Your Credentials

You should now have the following four pieces of information:

Subscription ID

From Step 4

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Tenant ID (Directory ID)

From Step 2 - App Overview

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Client ID (Application ID)

From Step 2 - App Overview

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Client Secret

From Step 3

••••••••••••••••••••

Add to Focal Deploy

Log in to your Focal Deploy dashboard
Navigate to Settings → Cloud Providers
Click "Add Azure Credentials"
Enter your Subscription ID
Enter your Tenant ID
Enter your Client ID
Enter your Client Secret
Click "Test Connection" to verify
Click "Save Credentials"

Success! Your Azure credentials are securely stored and encrypted. Ready to deploy to Microsoft Azure!

Alternative: Azure CLI Method

If you have Azure CLI installed, you can create a service principal with a single command:

az ad sp create-for-rbac --name "focal-deploy" --role contributor \
  --scopes /subscriptions/{subscription-id} \
  --sdk-auth

Replace {subscription-id} with your actual subscription ID. This command outputs all credentials in JSON format.

Security Best Practices

DO

Use separate service principals per environment
Rotate client secrets every 12-24 months
Use the principle of least privilege
Enable Azure AD audit logging
Monitor service principal sign-ins

DON'T

Use your personal Azure credentials
Share service principal credentials
Commit credentials to Git repositories
Give Owner role (Contributor is sufficient)
Use the same credentials across apps

Next Steps

Deploy Your First App

Now that your Azure credentials are set up, deploy your first application to Microsoft Azure.

Add AWS Too

Deploy to multiple clouds? Set up your AWS IAM credentials for maximum flexibility.

Need help? Contact support or join our Discord