Restart Azure VM with PowerShell and Service Principal

# Lazy Reading: This is all you need:
# Install-Module -Name Az -AllowClobber -Scope CurrentUser
# Virtual Machine Contributor on the Azure RG

$tenantId = "YOUR_TENANT_ID"
$clientId = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_CLIENT_SECRET"
$subscriptionId = "YOUR_SUBSCRIPTION_ID"
$resourceGroupName = "YOUR_RESOURCE_GROUP_NAME"
$vmName = "YOUR_VM_NAME"

# Authenticate with Azure using the service principal (the secret is wrapped as a SecureString inside a PSCredential)
$securePassword = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
$psCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $clientId, $securePassword
# -Subscription pins the session to the intended subscription (otherwise $subscriptionId is never used)
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $psCred -Subscription $subscriptionId

# Restart the Virtual Machine
Restart-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -Force

# Disconnect from Azure
Disconnect-AzAccount

Make sure to replace the placeholders (YOUR_TENANT_ID, YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, YOUR_SUBSCRIPTION_ID, YOUR_RESOURCE_GROUP_NAME, YOUR_VM_NAME) with your actual values.

This script first builds a PSCredential object from the service principal's client ID and secret ($clientId, $clientSecret), then authenticates to Azure with Connect-AzAccount -ServicePrincipal against the given tenant ($tenantId).

After successful authentication, the script restarts the specified virtual machine ($vmName) in the specified resource group ($resourceGroupName) using the Restart-AzVM cmdlet. The -Force parameter is used to automatically confirm the restart operation without prompting for confirmation.

Finally, the script disconnects from the Azure account using the Disconnect-AzAccount cmdlet.

Please ensure that you have the Azure Az module installed on your system to run this script. You can install it using the following command: Install-Module -Name Az -AllowClobber -Scope CurrentUser.
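A hardened version of the same restart, added here as an example and not the post's own script: it reads the client secret from an environment variable (AZ_CLIENT_SECRET, an assumed name) instead of a literal in the file, checks that the Az modules are present, pins the session to the subscription, records the VM's power state before and after, checks the result of Restart-AzVM, and disconnects in a finally block. It runs with the Virtual Machine Contributor role on the resource group that the post's header lists.

```powershell
# Added example, not the original post's script. Assumes the secret is supplied in
# the environment variable AZ_CLIENT_SECRET (an assumed name); the other values
# are placeholders to replace, as in the post.
$tenantId          = "YOUR_TENANT_ID"
$clientId          = "YOUR_CLIENT_ID"
$subscriptionId    = "YOUR_SUBSCRIPTION_ID"
$resourceGroupName = "YOUR_RESOURCE_GROUP_NAME"
$vmName            = "YOUR_VM_NAME"

# Keep the secret out of the script file and out of source control.
$clientSecret = $env:AZ_CLIENT_SECRET
if ([string]::IsNullOrEmpty($clientSecret)) { throw "AZ_CLIENT_SECRET is not set." }

# Fail fast if the Az modules the script uses are not installed.
foreach ($m in 'Az.Accounts', 'Az.Compute') {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        throw "Module $m is missing; run: Install-Module -Name Az -Scope CurrentUser"
    }
}

$securePassword = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
$psCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $clientId, $securePassword

# Returns the VM's power state (e.g. "VM running") from its instance view.
function Get-VmPowerState {
    $vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -Status -ErrorAction Stop
    return ($vm.Statuses | Where-Object Code -like 'PowerState/*').DisplayStatus
}

try {
    # Pin the session to the intended subscription so the restart cannot land in
    # another subscription where the service principal also holds a role.
    $null = Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $psCred `
        -Subscription $subscriptionId -ErrorAction Stop

    Write-Host "Power state before restart: $(Get-VmPowerState)"

    # Restart-AzVM returns a long-running-operation result; check it instead of
    # assuming success.
    $op = Restart-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -ErrorAction Stop
    if ($op.Status -ne 'Succeeded') {
        throw "Restart did not succeed (status '$($op.Status)'): $($op.Error)"
    }

    Write-Host "Power state after restart: $(Get-VmPowerState)"
}
finally {
    # Drop the session even if an earlier step threw.
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
}
```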

Which Graph permission does the service principal need?

To restart an Azure Virtual Machine using a service principal, the service principal requires the appropriate permissions in Azure Active Directory (AAD) and the Azure subscription.

  1. Azure Active Directory (AAD) permissions:
    • To authenticate as a service principal, the service principal should have the “Application.ReadWrite.All” or “Directory.ReadWrite.All” permission in the AAD.
  2. Azure Subscription permissions:
    • The service principal should be assigned the “Contributor” or “Virtual Machine Contributor” role at the subscription level or have the necessary permissions to restart virtual machines.

How to grant Permissions in AAD:

  1. Grant AAD permissions:
    • Sign in to the Azure portal (https://portal.azure.com) with an account that has the necessary permissions.
    • Go to “Azure Active Directory” in the portal.
    • Select “App registrations” (or “Enterprise applications” in older portal versions) from the left menu.
    • Find and select your registered application (the one representing the service principal).
    • Under “API permissions” or “Permissions”, ensure that the service principal has the required permissions like “Application.ReadWrite.All” or “Directory.ReadWrite.All”.
  2. Grant Subscription permissions:
    • Navigate to the Azure subscription where the virtual machine resides.
    • Select “Access control (IAM)” from the left menu.
    • Click on the “Add” button to add a new role assignment.
    • Select the appropriate role, such as “Contributor” or “Virtual Machine Contributor”.
    • Search and select the registered application (service principal) you want to assign the role to.
    • Click on “Save” to grant the role to the service principal.

By granting the necessary AAD and subscription permissions to the service principal, you will enable it to authenticate and perform the required actions on the Azure Virtual Machine.

Thanks for reading.
