Azure Setup

Azure Service Principal Setup Guide for Cloud Sweeper

Follow these steps to securely connect your Azure subscription to Cloud Sweeper. This guide covers app registration, custom role creation, and role assignment.

1. Register an Application in Entra ID

  1. Go to the Azure Portal.
  2. Navigate to Entra ID > App registrations > New registration.
  3. Enter a Name (e.g., CloudSweeper).
  4. Leave Redirect URI blank.
  5. Click Register.

2. Collect Application Details

  • After registration, copy:
    • Application (client) ID (ClientId)
    • Directory (tenant) ID (TenantId)

3. Create a Client Secret

  1. In your app registration, go to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and select an expiration.
  4. Click Add.
  5. Copy the secret value immediately—it will not be shown again.

4. Create a Custom Role

  • In the Azure Portal, go to Subscriptions and select your subscription.
  • In the left menu, click Access control (IAM).
  • Click the Roles tab, then click + Add > Add custom role.
  • On the Basics tab, enter a Name (e.g., CloudSweeper-Role) and an optional description.
  • On the Permissions tab, click JSON mode.
  • Click Upload and select the az-role-portal.json file provided by Cloud Sweeper.
  • Review the permissions and click Next.
  • On the Assignable scopes tab, ensure your subscription is selected (the portal will auto-select your current subscription).
  • Click Review + create, then Create to finish.
  • Note: Cloud Sweeper does not require delete permissions. The role is designed to allow reading, tagging, and updating resources only.
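As an added check (example code, not part of this guide or of Cloud Sweeper's tooling), the following Python reviews a custom role definition in the portal's JSON-mode layout against the note above: it flags assignable scopes wider than one subscription, action patterns whose wildcard would also cover delete operations, and any dataActions. The role body and subscription ID are constructed placeholders, since az-role-portal.json itself is not reproduced here.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the Azure portal "JSON mode" layout; az-role-portal.json
# itself is not reproduced in the guide, and the subscription ID is a placeholder.
SAMPLE_ROLE = json.loads("""
{
  "properties": {
    "roleName": "CloudSweeper-Role",
    "description": "Read, tag and update resources for Cloud Sweeper",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["*/read", "Microsoft.Resources/tags/write", "Microsoft.Compute/*"],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}
""")

def covers_delete(pattern: str) -> bool:
    """True if an Azure action pattern can match a '.../delete' operation.
    Azure's '*' spans path segments, so 'Microsoft.Compute/*' includes deletes."""
    last = pattern.rsplit("/", 1)[-1]
    return last == "*" or "delete" in last.lower()

def review_role(role: dict) -> list:
    """Return findings for a portal JSON-mode role; empty means it matches the note."""
    props = role["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        if not scope.startswith("/subscriptions/") or scope.count("/") != 2:
            findings.append(f"scope is not a single subscription: {scope}")
    for perm in props.get("permissions", []):
        not_actions = perm.get("notActions", [])
        for action in perm.get("actions", []):
            if action == "*":
                findings.append("wildcard '*' grants every control-plane action")
            elif covers_delete(action):
                # Representative delete operation under this pattern's prefix;
                # a notActions entry that matches it excludes the deletes.
                probe = action.rsplit("/", 1)[0] + "/delete"
                if not any(fnmatchcase(probe, n) for n in not_actions):
                    findings.append(f"action can delete resources: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions grant data-plane access the guide does not call for")
    return findings
```

Run `review_role` over the parsed contents of the file you upload in JSON mode; an empty list means no delete-capable pattern, wildcard or over-broad scope was found, while the sample above is flagged because `Microsoft.Compute/*` covers deletes.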

5. Assign the Custom Role to the Service Principal

Using Azure Portal

  1. Go to Subscriptions in the Azure Portal.
  2. Select your subscription.
  3. Go to Access control (IAM) > Add > Add role assignment.
  4. Role: Select your custom role (e.g., CloudSweeper-Role).
  5. Assign access to: User, group, or service principal.
  6. Select: Search for your CloudSweeper app and select it.
  7. Click Review + assign.

6. Gather Required Information

  • TenantId: Directory (tenant) ID
  • ClientId: Application (client) ID
  • ClientSecret: The secret you created
  • SubscriptionId: Your Azure subscription ID