Python is a language designed for quick results and straight forward coding. Azure provides a comprehensive SDK for Python for both Classic and Resource Manager services. To get started with Python on Azure, we need to make sure Python can talk to our Azure subscription.

If we want to manage Resource Manager services, we need to create an Azure Active Directory app, log into it, and use it to gain access to our subscription.

I will step through the process in this post.

Accessing Azure Resource Manager (ARM) deployments using Python

For Azure Resource Manager deployments, we will have to access Azure through an Azure AD app. To access the Azure Active Directory for our subscription we can go to More Services > Active Directory in the portal.

Once in the directory we need to choose Applications > Add > Add an application my organisation is developing.

We will have to provide an application name and a unique sign on URI. This URI does not need to exist. Once the app is created we should navigate to the Configure tab.

Once the application is created we will see its Client ID, which is one of the pieces of information we will need to authenticate via the app.


Next we need to generate a key or client secret. This can be done via the UI and we can pick a duration for the validity of our key. The key will not be visible if we return to the Configure tab after the session, so we should make sure that we copy it right now and keep it in a safe place.


The last piece of information is the tenant ID or endpoint ID. We can get this by clicking “View Endpoints”. The tenant ID is highlighted in the screenshot below:


Having this information would now enable us to authenticate with the app via Python. This would not be much use to us yet, though, because the app does not have any permissions to access or edit resources in our subscription.

To give it the right permissions we need to remain in the Configure tab and edit the “Permissions to other Applications”.

We need to choose Add an application > Microsoft apps > Azure Service Management API > Tick, which will add the Azure REST API in the field of the Configure tab.

It’s important to ensure that the delegation option is picked.

Delegations in Azure AD

Our app can now use the Azure REST API, but has still not got any permissions to actually change any of the resources we have in our subscription.

To enable this, we need to head back to the portal. Once in the Azure portal we can select a resource group, a single resource, or – if required – the entire subscription and choose “Users” or “Access Control” to bring up the following screen:

RBAC in new Azure portal

Once in this screen we should hit “Add” and then pick our Azure AD app as a user. Once added we can give it the required permissions to edit our resources.

Now that all required set up steps are completed we can use the information previously collected to log in using Python.

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from import StorageManagementClient
from import NetworkManagementClient
from azure.mgmt.compute import ComputeManagementClient

subscription_id = 'eeeeeeee-bbbb-zzzz-yyyy-xxxxxxxxxxxxx'
credentials = ServicePrincipalCredentials(client_id='eeeeeeee-bbbb-zzzz-yyyy-xxxxxxxxxxxxx',secret='xXxXxXxXxXxXyYyYyYyYyYyYyYzZzZzZzZzZzZ',tenant='eeeeeeee-bbbb-zzzz-yyyy-xxxxxxxxxxxxx')

resource_client = ResourceManagementClient(credentials, subscription_id)
compute_client = ComputeManagementClient(credentials, subscription_id)
storage_client = StorageManagementClient(credentials, subscription_id)
network_client = NetworkManagementClient(credentials, subscription_id)

Further documentation along with options to accomplish the same thing in Azure CLI or PowerShell:

SDK Reference

Code examples

API Reference