Creating SPN (Service Principal Name) is been very easy with PowerShell nowadays. This will be useful when you deploy any Resources to Azure from TFS.

There is a good article which helps you to get started with here

Here is the Powershell script to create SPN that is provided by Microsoft.

However, for the cases like who having multiple Azure Subscription with the Same Name, this will not work as expected. So I've modified the script to support multiple Subscription that having same Subscription Name but the subscription Id will always be different(since it's a GUID)


Parameters for the Script 

The Script required 5 parameters:


subscriptionName - Name of the Azure Subscription

E.g, Visual Studio Enterprise: BizSpark

subscriptionId - The Unique ID for the subscription

E.g, 8de94b60-3a97-4dc7-9ec4-12a33ecf0f94

azureAccountName - Email of the user to connect the Azure Subscription(See below Note)


azurePassword- Password for the Above Email

SPNApplicationPassword- Password for SPN application that you would like to create


Note: The azureAccountName which you provide for to run the script should be Owner of the Azure RM Subscription


PowerShell Workflow
    [Parameter(Mandatory=$true, HelpMessage="Enter Azure Subscription name. You need to be Subscription Admin to execute the script")] 
    [string] $subscriptionName, 
    [Parameter(Mandatory=$true, HelpMessage="Enter Azure Subscription name. You need to be Subscription Admin to execute the script")] 
    [string] $subscriptionId, 
    [Parameter(Mandatory=$true, HelpMessage="Enter Azure Subscription name. You need to be Subscription Admin to execute the script")] 
    [string] $azureAccountName, 
    [Parameter(Mandatory=$true, HelpMessage="Enter Azure Subscription name. You need to be Subscription Admin to execute the script")] 
    [Security.SecureString] $azurePassword, 
    [Parameter(Mandatory=$true, HelpMessage="Provide a password for SPN application that you would create")] 
    [Security.SecureString] $SPNApplicationPassword, 
    [Parameter(Mandatory=$false, HelpMessage="Provide a SPN role assignment")] 
    [string] $spnRole = "owner", 
    [Parameter(Mandatory=$false, HelpMessage="Provide Azure environment name for your subscription")] 
    [string] $environmentName = "AzureCloud" 
$ErrorActionPreference = "Stop" 
$VerbosePreference = "SilentlyContinue" 
$userName = $env:USERNAME 
$newguid = [guid]::NewGuid() 
$displayName = [String]::Format("VSO.{0}.{1}"$userName$newguid$homePage = "http://" + $displayName 
$identifierUri = $homePage 
#Initialize subscription 
$isAzureModulePresent = Get-Module -Name AzureRM* -ListAvailable 
if ([String]::IsNullOrEmpty($isAzureModulePresent-eq $true) 
    Write-Output "Script requires AzureRM modules to be present. Obtain AzureRM from Please refer for recommended AzureRM versions." -Verbose 
$psCred = New-Object -TypeName System.Management.Automation.PSCredential($azureAccountName$azurePassword) 
Import-Module -Name AzureRM.Profile 
Write-Output "Provide your credentials to access Azure subscription $subscriptionName" -Verbose 
Login-AzureRmAccount  -Credential $psCred -TenantId "2853b1b6-d597-41d0-b560-327e30ffec7d" -SubscriptionId $subscriptionId 
$azureSubscription = Get-AzureRmSubscription -SubscriptionId $subscriptionId 
$connectionName = $azureSubscription.SubscriptionName 
$tenantId = $azureSubscription.TenantId 
$id = $azureSubscription.SubscriptionId 
#Create a new AD Application 
Write-Output "Creating a new Application in AAD (App URI - $identifierUri)" -Verbose 
$azureAdApplication = New-AzureRmADApplication -DisplayName $displayName -HomePage $homePage -IdentifierUris $identifierUri -Password $SPNApplicationPassword -Verbose 
$appId = $azureAdApplication.ApplicationId 
Write-Output "Azure AAD Application creation completed successfully (Application Id: $appId)" -Verbose 
#Create new SPN 
Write-Output "Creating a new SPN" -Verbose 
$spn = New-AzureRmADServicePrincipal -ApplicationId $appId 
$spnName = $spn.ServicePrincipalName 
Write-Output "SPN creation completed successfully (SPN Name: $spnName)" -Verbose 
Start-Sleep -s 15 
#Assign role to SPN 
Write-Output "Waiting for SPN creation to reflect in Directory before Role assignment" 
Start-Sleep 20 
Write-Output "Assigning role ($spnRole) to SPN App ($appId)" -Verbose 
New-AzureRmRoleAssignment -RoleDefinitionName $spnRole -ServicePrincipalName $appId 
Write-Output "SPN role assignment completed successfully" -Verbose 
#Print the values 
Write-Output "`nCopy and Paste below values for Service Connection" -Verbose 
Write-Output "***************************************************************************" 
Write-Output "Connection Name: $connectionName(SPN)" 
Write-Output "Subscription Id: $subscriptionId" 
Write-Output "Subscription Name: $subscriptionName" 
Write-Output "Service Principal Id: $appId" 
Write-Output "Service Principal key: <Password that you typed in>" 
Write-Output "Tenant Id: $tenantId" 
Write-Output "***************************************************************************"