New ASC Recommendation: Replace Management Certificates with Service Principals

In the days of the Azure Classic Deployment model, management certificates were the only method for automated applications and deployment. In recent years, various alternatives have been added, including Service Principals.

Subscription management certificates allow you to authenticate with the Service Management API (RDFE) provided by Azure classic. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services.

Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise.

Because many people are unaware of this or have forgotten that management certificates were ever configured, Microsoft added a new Azure Security Center recommendation: “Service principals should be used to protect your subscriptions instead of Management Certificates”, which advises you to use Service Principals or Azure Resource Manager to more securely manage your subscriptions.

The steps to create a service principal are described for PowerShell and the Azure Portal.

After this you can delete the existing management certificates you would like to replace with the service principals you created (Azure Portal > Subscription > Subscription Name > Settings > Management Certificates).
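As an added illustration (not part of the original post or Microsoft's documentation), the following Az PowerShell snippet creates a service principal and limits its role assignment to a single resource group rather than the whole subscription, which is the blast-radius reduction the recommendation is after. The subscription id, resource group and display name are placeholders; it assumes the Az module is installed and Connect-AzAccount has already been run.

```powershell
# Added example: create a service principal whose rights are confined to one
# resource group, so a leaked credential cannot manage the entire subscription
# the way a management certificate can.
# Assumes: Az module installed, Connect-AzAccount already run.
$subscriptionId = "<your-subscription-id>"   # placeholder
$resourceGroup  = "<your-resource-group>"    # placeholder
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 1. Create the service principal. Note: older Az.Resources versions granted
#    Contributor at subscription scope by default; step 3 below catches that.
$sp = New-AzADServicePrincipal -DisplayName "deploy-automation-sp"

# Give Azure AD a moment to replicate the new principal before assigning roles,
# otherwise New-AzRoleAssignment can fail with "PrincipalNotFound".
Start-Sleep -Seconds 20

# 2. Grant only the role the automation needs, at resource-group scope.
#    Pick a narrower built-in role than Contributor where the workload allows.
New-AzRoleAssignment -ApplicationId $sp.AppId `
    -RoleDefinitionName "Contributor" `
    -Scope $scope | Out-Null

# 3. Verify the principal holds no assignment wider than the intended scope.
$assignments = Get-AzRoleAssignment -ServicePrincipalName $sp.AppId
$tooBroad = $assignments | Where-Object { $_.Scope -eq "/subscriptions/$subscriptionId" }
if ($tooBroad) {
    Write-Warning "Subscription-wide assignment found; remove it before retiring management certificates."
}
$assignments | Select-Object RoleDefinitionName, Scope
```

Once the automation has been switched to this principal, the management certificates themselves are removed in the portal path given above; there is no Az cmdlet for that classic (RDFE) setting.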

For more information about this recommendation see the following documentation: