Authenticating via Service Principal

Skip this if using a User account as recommended.

1. Navigate to the Azure Portal and sign in to your tenant.
2. Search for Entra ID and open it.
3. Copy the Tenant ID field and save it somewhere safe, making a note it is the ARM_TENANT_ID.
4. Click App registrations in the left navigation.
5. Click + New registration.
6. Choose a name (SPN) that you will remember and make a note of it, we recommend using sp-alz-bootstrap.
7. Type the chosen name into the Name field.
8. Leave the other settings as default and click Register.
9. Wait for it to be created.
10. Copy the Application (client) ID field and save it somewhere safe, making a note it is the ARM_CLIENT_ID.
11. Click Certificates & secrets in the left navigation.
12. Ensure the Client secrets tab is selected and click + New client secret.
13. Enter ALZ Bootstrap in the Description field.
14. Change the Expires field, choose Custom.
15. Set the Start field to todays date.
16. Set the End field to tomorrows date.
17. Click Add.
18. Copy the Value field save it somewhere safe, making a note that it is the ARM_CLIENT_SECRET.

1. The service principal name (SPN) is the username of the User account or the name of the app registration you created.
2. Search for Subscriptions and click to navigate to the subscription view.
3. For each of the subscriptions you created in the previous step:
   1. Navigate to the subscription.
   2. Click Access control (IAM) in the left navigation.
   3. Click + Add and choose Add role assignment.
   4. Choose the Privileged administrator roles tab.
   5. Click Owner to highlight the row and then click Next.
   6. Leave the User, group or service principal option checked.
   7. Click + Select Members and search for your SPN in the search box on the right.
   8. Click on your User to highlight it and then click Select and then click Next.
   9. Click the Allow user to assign all roles (highly privileged) option.
   10. Click Review + assign, then click Review + assign again when the warning appears.
   11. Wait for the role to be assigned and move onto the next subscription.
4. Search for Management Groups and click to navigate to the management groups view.
5. Click the parent management group you plan to deploy the Landing Zone into (this could be Tenant Root Group or a new management group you created).
6. Click Access control (IAM) in the left navigation.
7. Click + Add and choose Add role assignment.
8. Choose the Privileged administrator roles tab.
9. Click Owner to highlight the row and then click Next.
10. Click Next.
11. Leave the User, group or service principal option checked.
12. Click + Select Members and search for your SPN in the search box on the right.
13. Click on your User to highlight it and then click Select.
14. Click Review + assign, then click Review + assign again when the warning appears.
15. Wait for the role to be assigned and you are done with this part.

1. Open a new PowerShell Core (pwsh) terminal.
2. Find the ARM_TENANT_ID you made a note of earlier.
3. Type $env:ARM_TENANT_ID="<tenant id>" and hit enter.
4. Find the ARM_CLIENT_ID you made a note of earlier.
5. Type $env:ARM_CLIENT_ID="<client id>" and hit enter.
6. Find the ARM_CLIENT_SECRET you made a note of earlier.
7. Type $env:ARM_CLIENT_SECRET="<client id>" and hit enter.
8. Find the subscription id of the management subscription you made a note of earlier.
9. Type $env:ARM_SUBSCRIPTION_ID="<subscription id>" and hit enter.

If you close your PowerShell prompt prior to running the bootstrap, you need to re-enter these environment variables.

Return to Phase 1 step version control systems.