
Skyhigh Security

Service Principal with a Secret Key and Azure API Integration

Azure Service Principals are an authentication mechanism for Azure instances. An Azure Service Principal is an identity created under Azure Active Directory to work with apps using role-based access controls. For example, when applications, hosted services, or automated tools need to access or modify resources, you can create a service principal and use it to authenticate.

Roles assigned to the service principal allow you to restrict access to resources, so you can control the resources and the level at which they are accessed. You should always use service principals with automated tools rather than allowing the tools to log in with a user identity.

IMPORTANT: Before you begin, contact Support to enable the Azure Service Principal for your tenant.

Configure an Application Registration in the Azure Portal

  1. Log in to the Azure portal at https://portal.azure.com/ using your Office 365 administrator account.
  2. Go to Home > App registrations and click New registration.
  3. On the Register an application page, configure the following properties:
    • Name. The display name for your application.
    • Supported Account Types. Select Accounts in this organizational directory only.
    • Redirect URI. Select a platform and enter the redirect URI for your Skyhigh CASB environment:
      1. PROD: https://www.myshn.net/shndash/extensions/offlinedlp_ret.jsp
      2. EUPROD: https://www.myshn.eu/shndash/extensions/offlinedlp_ret.jsp
      3. CAPROD: https://www.myshn.ca/shndash/extensions/offlinedlp_ret.jsp
  4. To create a new application, click Register.
  5. Confirm the new application's properties are configured correctly, as per step 3.
  6. Copy the Application (Client) ID and Tenant ID for future reference.
  7. Go to Certificates & secrets > Client secrets tab and click New client secret.
  8. Enter a description, an expiration date, and click Add.
  9. Copy the Secret Value for future reference.
  10. Select the existing subscriptions to which the new service principal should be added. This gives the service principal access to the resources within those subscriptions.
  11. Go to Subscriptions.
  12. Click Access Control (IAM) in the left sidebar, then click the Role assignments tab.
  13. Click Add > Add role assignment.
  14. On the Add role assignment page, select the required role and click Next.

NOTE: The application must have the Reader and Storage Blob Data Reader roles to access the Azure resources.


  15. On the Members tab, click + Select members to open the Select members pane. Select the service principal you created and click Select.
  16. Click Review + assign.

Follow the same steps for any other subscriptions you may have.

Create Azure Service Instance Using Service Principal in Skyhigh CASB

  1. In Skyhigh CASB, go to Settings > Service Management.
  2. Select your Azure instance or create a new one.
  3. When you provide API credentials, enter the Client ID, Client Secret, and Tenant ID you saved from the previous steps.
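Before entering the credentials, it is worth checking the registration from the Azure side. The following is an added Python example (not Skyhigh or Microsoft code): it builds the OAuth2 client-credentials token request that a service principal with a secret performs, reports which of the required Reader and Storage Blob Data Reader roles are still missing on a subscription, and computes how many days the client secret has left before the integration stops authenticating. The tenant, client and subscription IDs and the role assignment list are constructed placeholders.

```python
"""Pre-flight checks for an Azure service principal used by an API integration.

Added example, not Skyhigh or Microsoft code. Assumes the Client ID, Tenant ID
and secret value saved during app registration, and the Reader /
Storage Blob Data Reader roles the NOTE above requires.
"""
import datetime as dt
import urllib.parse

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REQUIRED_ROLES = {"Reader", "Storage Blob Data Reader"}


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the token endpoint URL and form body for the client-credentials
    grant: the secret is exchanged for an Azure Resource Manager token."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(body)


def missing_roles(assignments, subscription_id):
    """Return required roles not granted at the subscription scope.
    `assignments` mimics the shape of `az role assignment list` output."""
    scope = f"/subscriptions/{subscription_id}".lower()
    granted = {a["roleDefinitionName"] for a in assignments
               if a.get("scope", "").lower() == scope}
    return sorted(REQUIRED_ROLES - granted)


def secret_days_left(expires_on, today=None):
    """Days until the client secret expires (negative once expired), so a
    rotation can be scheduled before authentication starts failing."""
    today = today or dt.date.today()
    return (expires_on - today).days


# Constructed sample data with placeholder IDs; only Reader is assigned,
# so the check reports Storage Blob Data Reader as missing.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
]
```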