This post is to share a quick and secure way of connecting Github to your Azure Tenancy. Once connected, Github Actions workflows can deploy onto Azure in a seamless and secure manner. There are quite a few ways to connect and they are well documented. However I wanted to share a script that can be used to create a Service Principal on Azure Entra ID and then go onto build a federated credential.

Building the Service Principal

Azure Login

  • Let’s quickly build a service principal on Entra ID. First and foremost, from your terminal of choice, let’s connect to your Azure tenant. For the sake of simplicity, I am going to take the approach of device login - since it would prompt for you to copy the code and login via browser ( This method can be used on a variety of OS’s / Devices)

    az login -use-device-login 

      Screenshot - 1

  • Copy the code that is displayed on the terminal and open a browser to browse to To make the login seamless, you could open on another tab and have it ready.

  • Type the code in the prompt and it should start the authentication process.   Screenshot - 2

  • This should complete the login process back in the terminal as well.   Screenshot - 4

Create Service Principal on Azure

  • You can execute this part as single script from your terminal, once edited with your custom variables

    # Script to deploy Entra ID Service Principal
    $NAME_OF_APP = "NAME_OF_THE_SP" # Provide a custom name for SP
    app=$(az ad app create --display-name $NAME_OF_APP -o json)
    appId=$(echo $app | jq -r '.appId')
    objectId=$(echo $app | jq -r '.id')
    sp=$(az ad sp create --id $appId -o json)
    assigneeObjectId=$(echo $sp | jq -r '.id')
    # Creating the Federated Credentials 
    credentialName=github-deploy # Give a Unique Name for the Credential
    az rest --method POST --uri "$objectId/federatedIdentityCredentials" --body "{\"name\":\"$credentialName\",\"issuer\":\"\",\"subject\":\"repo:organization/repository:environment:main\",\"description\":\"Deploy from GitHub Actions\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
  • Let’s breakdown what is happening with this script:

    • First we create a service principal on Entra ID
    • Then within that SP, we are creating a Federated Credential with details of your gitub repository, github organization and name of the branch that is allowed to execute.   - Screenshot 5
    • You can also edit some of the variables in here as well.   - Screenshot 6
  • Copy the Client ID , Tenant ID from the overview page for your Service Principal. You could also get the Subscription ID at this point for the next steps.   - Screenshot 7


Ensure that you use your Service Principal to have the right permissions and access at a Management Group / Subscription / Resource Group or Resource Level !

Connecting with Github

  • Browse to your github repository Secrets and Variables sections to add some secrets as shown below. This is available at   - Screenshot 8

  • Enter the secrets for AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID,AZURE_TENANT_ID ( you can use any variable name as long as the secrets are copied properly)

  • Let’s tweak your github actions workflow. Below is a sample code, that logs onto azure using the Repository Secrets from the last step and displays Resource Groups that are hosted within this subscription

    name: azure_github_deployment_pipeline
    on: [push]
          id-token: write
          contents: read
        runs-on: ubuntu-latest
        - name: 'Az CLI login'
          uses: azure/login@v1
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        - name: 'Run Azure CLI commands'
          run: |
              az account show
              az group list

      - Screenshot 9

Next Steps:

  • That’s pretty much it. This can also be achieved by creating a secret token for the SP. However this would mean expiring tokens.
  • The Github Workflow can be used to do a lot more within your Azure tenant. For example, if you want the deployment across multiple Subscriptions, you can get more Subscription ID’s within your repository secrets and execute against them.