A service principal with Contributor, User Access Administrator, Private DNS Zone Contributor and Network Contributor rights needs to be generated for authentication and authorization from GitHub or Azure DevOps to your Azure subscription. This is required to deploy resources to your environment.
Note: The number of role assignments can be further reduced in a production scenario. The Network Contributor role assignment is just required in this repository to automatically setup the VNet peering between the data management landing zone and the data landing zone. Without this, DNS resolution will not work and in- and outbound traffic will be dropped because there is no line of sight to the Azure Firewall. The Private DNS Zone Contributor is also not required if the deployment of DNS A-records of the Private Endpoints is automated through Azure Policies with
deployIfNotExistseffect. The same is true for the User Access Administrator because some of the deployment can be automated usingdeployIfNotExistspolicies.
First, go to the Azure Portal to find the ID of your subscription. Then start the Cloud Shell or Azure CLI, login to Azure, set the Azure context and execute the following commands to generate the required credentials:
Azure CLI:
# Replace {service-principal-name} and {subscription-id} with your
# Azure subscription id and any name for your service principal.
az ad sp create-for-rbac \
--name "{service-principal-name}" \
--role "Contributor" \
--scopes "/subscriptions/{subscription-id}" \
--sdk-authThis will generate the following JSON output:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}Note: Take note of the output. It will be required for the next steps.
Azure PowerShell:
# Ensure you are in the right subscription
Set-AzContext -Subscription "{SubscriptionId or SubscriptionName}"
# Create service principal
$sp = New-AzADServicePrincipal -DisplayName {name}
$sp.PasswordCredentials.SecretTextThe returned object contains the generated password. Make sure that you store this value somewhere secure to authenticate with the service principal.
Note: Beginning with Az PowerShell module version 7.x,
New-AzADServicePrincipalno longer assigns the Contributor role to the service principal by default. Follow steps below to grant it theContributorrole.
For automation purposes, more role assignments are required for the service principal. Additional required role assignments include:
| Role Name | Description | Scope |
|---|---|---|
| Private DNS Zone Contributor | We expect you to deploy all Private DNS Zones for all data services into a single subscription and resource group. Therefor, the service principal needs to be Private DNS Zone Contributor on the global dns resource group which was created during the Data Management Landing Zone deployment. This is required to deploy A-records for the respective private endpoints. | (Resource Group Scope) /subscriptions/{datamanagement-subscriptionId}/resourceGroups/{resourceGroupName} |
| Network Contributor | In order to setup VNet peering between the Data Landing Zone VNet and the Data Management Landing Zone VNet, the service principal needs Network Contributor access rights on the resource group of the remote VNet. | (Resource Group Scope) /subscriptions/{datamanagement-subscriptionId}/resourceGroups/{resourceGroupName} |
| User Access Administrator | Required to share the self-hosted integration runtime that gets deployed into the integration-rg resource group with other Data Factories, like the one in the shared-integration-rg resource group, the service principal needs User Access Administrator rights on the Data Factory that gets deployed into the integration-rg resource group. It is also required to assign the Data Factory and Synapse managed identities access on the respective storage account file systems. |
(Resource Scope) /subscriptions/{datalandingzone-subscriptionId} |
| Reader | Required to read properties of the Purview account from the Data Management Landing Zone and then grant the managed identity of Purview Reader and Storage Blob Data Reader rights on the subscription. | (Resource Scope) /subscriptions/{{datamanagement-subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Purview/accounts/{purviewAccountName} |
To add these role assignments, you can use the Azure Portal or run the following commands using Azure CLI/Azure Powershell:
Azure CLI - Add role assignments:
# Get Service Principal Object ID
az ad sp list --display-name "{servicePrincipalName}" --query "[].{objectId:objectId}" --output tsv
# Add role assignment
# Resource Scope level assignment
az role assignment create \
--assignee "{servicePrincipalObjectId}" \
--role "{roleName}" \
--scopes "{scope}"
# Resource group scope level assignment
az role assignment create \
--assignee "{servicePrincipalObjectId}" \
--role "{roleName}" \
--resource-group "{resourceGroupName}"Azure Powershell - Add role assignments:
# Get Service Principal Object ID
$spObjectId = (Get-AzADServicePrincipal -DisplayName "{servicePrincipalName}").id
# Add role assignment
# For Resource Scope level assignment
New-AzRoleAssignment `
-ObjectId $spObjectId `
-RoleDefinitionName "{roleName}" `
-Scope "{scope}"
# For Resource group scope level assignment
New-AzRoleAssignment `
-ObjectId $spObjectId `
-RoleDefinitionName "{roleName}" `
-ResourceGroupName "{resourceGroupName}"
# For Child-Resource Scope level assignment
New-AzRoleAssignment `
-ObjectId $spObjectId `
-RoleDefinitionName "{roleName}" `
-ResourceName "{resourceName}" `
-ResourceType "{resourceType (e.g. 'Microsoft.Network/virtualNetworks/subnets')}" `
-ParentResource "{parentResource (e.g. 'virtualNetworks/{virtualNetworkName}')" `
-ResourceGroupName "{resourceGroupName}Previous Next (Option (a) GitHub Actions) Next (Option (b) Azure DevOps)