If you deploy Hydra as much as I do, you know that the Resource Service Principal (the one you input when you add a tenant into Hydra) is a bit of a chore. After you create it, you typically create custom roles, add constraints, add Graph permissions, and assign the roles as needed. It takes a bit of time!
To help with this, I created a script that automates this entire process. The account that signs in must be an owner of the subscription/RG and, if granting/consenting to Graph permissions, must have Entra admin permissions as well.
The output will look something like this. Notice that you can then copy the Tenant ID, App ID, and Secret into Hydra when adding a new tenant. Everything should work like a charm, and the process goes from many minutes to seconds without the potential for human error!

One funny thing I noticed – you actually can’t view the secrets created with this method (using New-AzADSpCredential) within the Azure Portal. You can only view them using Get-AzADSpCredential. Not sure what the deal with that is (probably the weird blurry line of SP vs registered app), but be aware of that.
The script can be found in my ever-growing Hydra Automations repository – enjoy and reach out if you have issues or questions!
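
Because secrets created with New-AzADSpCredential do not show up in the portal, it helps to inventory them from PowerShell so they can be tracked and rotated. The following is an added example, not part of the Hydra Automations repository: it assumes a recent Az.Resources module and an existing Connect-AzAccount session, and the parameter names and the 30-day warning window are this example's own choices.

```powershell
# Added example: list credentials on both the service principal object and the
# application object for one App ID, with expiry status. Secret values are never
# retrievable after creation, so only metadata is reported.
param(
    [Parameter(Mandatory)]
    [string]$AppId,          # App (client) ID, the same value entered in Hydra
    [int]$WarnDays = 30      # assumption: flag credentials expiring within this window
)

$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for App ID $AppId" }

$now = (Get-Date).ToUniversalTime()

# Credentials on the service principal object (what New-AzADSpCredential creates).
$spCreds  = @(Get-AzADSpCredential -ObjectId $sp.Id)
# Credentials on the application object (the app registration's own secrets).
$appCreds = @(Get-AzADAppCredential -ApplicationId $AppId)

$sources = @(
    @{ Source = 'ServicePrincipal'; Items = $spCreds },
    @{ Source = 'Application';      Items = $appCreds }
)

$report = foreach ($set in $sources) {
    foreach ($c in $set.Items) {
        $end = $c.EndDateTime
        $status =
            if (-not $end)                                             { 'NoExpiry' }
            elseif ($end.ToUniversalTime() -lt $now)                   { 'Expired' }
            elseif ($end.ToUniversalTime() -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
            else                                                       { 'Valid' }

        [pscustomobject]@{
            Source  = $set.Source
            Kind    = $c.GetType().Name   # password vs. key (certificate) credential
            KeyId   = $c.KeyId
            Name    = $c.DisplayName
            Start   = $c.StartDateTime
            End     = $end
            Status  = $status
        }
    }
}

if (-not $report) { Write-Warning "No credentials found for App ID $AppId" }
$report | Sort-Object End | Format-Table -AutoSize
```

Rows with Source `ServicePrincipal` are the ones to record elsewhere, since they are the credentials created through New-AzADSpCredential.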