How to Create a Service Principal for Azure Virtual WAN

For the firewall to authenticate to the Azure Virtual WAN APIs that enable automated connectivity, a registered app must be created. The registered app requires the following information:

• Tenant ID
• Subscription ID
• User ID / Application ID / Client ID
• Key / Client Password

Before You Begin

• Create a resource group in Microsoft Azure. This resource group must contain your virtual WAN later. Otherwise, the firewall will not have sufficient permissions to authenticate to Azure Virtual WAN APIs that enable automated connectivity.

Step 1. Get the Tenant ID

1. Log into the Azure portal: https://portal.azure.com
2. Expand the All services menu on the left, or search for Microsoft Entra ID.
3. Select Microsoft Entra ID.
4. In the left menu of the Microsoft Entra ID blade, click Properties.
5. Copy the Tenant ID. This is the Tenant ID of your service principal.
   
   

Step 2. Create New App Registration

1. Log into the Azure portal: https://portal.azure.com  
2. In the left menu of the Microsoft Entra ID blade, click App registrations.  
3. Click New registration.
   
   
4. The Register an application blade opens.
   
   • Name – Enter a name for the application registration.
   • Supported account types – Select Accounts in this organizational directory only (<your_directory_name> only - Single tenant).
   • Redirect URI (optional) – Select Web from the drop-down menu and enter a random, unique URI. E.g., https://localhost:432
    
5. Click Register.
   

Copy the Application (client) ID: This is the Client ID for your service principal information.

Step 3. Create the Service Principal Key

For the app registration, create a service principal key to authenticate.  

1. Log into the Azure portal: https://portal.azure.com  
2. Expand the All services menu on the left, or search for Microsoft Entra ID.
3. Select Microsoft Entra ID.
4. In the left menu of the Microsoft Entra ID blade, click App registrations.
5. Click on the registered app created in Step 2. The Registered app blade opens.
6. Click Certificates & secrets. The Certificates & secrets blade opens.
7. In the Client secrets section, click New client secret.
   
8. The Add a client secret blade opens.
   • Description – Enter a name for the service principal key.
   • Expires – Select Never expires.
9. Click Add.

10. The key is now displayed in the Value column. Click on the copy icon to copy the key to your clipboard. This is your Client Password.
    

    

    Note that you must copy the key before reloading the page because it is no longer displayed afterwards.

Step 4. Assign the Appropriate Roles to the Registered App

1. Log into the Azure portal: https://portal.azure.com  
2. Expand the All services menu on the left, or search for Resource Groups.
3. Click Resource groups.
4. Select the resource group that will contain your virtual WAN later.
   
5. Click Access control (IAM).
   
   
6. Click +Add and select Add role assignment from the list.
      
   
7. For Role, select Storage Blob Data Owner from the list.
8. For Assign access to, select User, group, or service principal.
9. For Select, enter the name of the registered app created in Step 2 (doc-vwan-sp) and click on the corresponding entry of the list.
   
10. Click Save to save your configuration.
11. Repeat Step 4 and add the following roles:
    • Network Contributor
    • Storage Account Key Operator Service Role
    • Storage Account Contributor
12. Continue with Step 5.

Step 5. Get the Subscription ID

1. Log into the Azure portal: https://portal.azure.com    
2. Select Subscriptions.  
3. Copy the Subscription ID in the Subscription ID column.
    
   

Next Steps

You can now configure automated connectivity for Azure Virtual WAN.

For more information, see How to Configure Automatic Connectivity to Azure Virtual WAN.