Merge pull request #313171 from KimForss/main

prmerger-automator[bot] · web-flow · commit a178d6467861 · 2026-03-15T22:24:04.000Z
Revise control plane deployment instructions
diff --git a/articles/sap/automation/deploy-control-plane.md b/articles/sap/automation/deploy-control-plane.md
@@ -4,7 +4,7 @@ description: Overview of the control plane deployment process in SAP Deployment
 author: kimforss
 ms.author: kimforss
 ms.reviewer: kimforss
-ms.date: 12/15/2023
+ms.date: 03/15/2026
 ms.topic: how-to
 ms.service: sap-on-azure
 ms.subservice: sap-automation
@@ -23,13 +23,22 @@ The control plane deployment for [SAP Deployment Automation Framework](deploymen
 
 ## Prepare the deployment credentials
 
-SAP Deployment Automation Framework uses service principals for deployments. To create a service principal for the control plane deployment, use an account that has permissions to create service principals:
+SAP Deployment Automation Framework uses eithe managed identities (recommended) or service principals for deployments. To create a service principal for the control plane deployment, use an account that has permissions to create service principals:
 
 ```azurecli
 az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscriptionID>" --name="<environment>-Deployment-Account"
   
 ```
 
+To create a managed identity use the following script:
+
+```azurecli
+az identity create --name "<environment>-Deployment-Identity" --resource-group $ResourceGroupName --location $Location  --query "{id:id, principalId:principalId, clientId:clientId}" 
+
+az role assignment create --assignee-object-id <principalId> --role "Contributor" --scope /subscriptions/<subscriptionID>  
+```
+
+
 > [!IMPORTANT]
 > The name of the service principal must be unique.
 >
@@ -38,7 +47,7 @@ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscrip
    > - password
    > - tenant
 
-Optionally, assign the following permissions to the service principal:
+Optionally, assign the following permissions to the service principal or managed identity:
 
 ```azurecli
 az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<subscriptionID>
@@ -185,6 +194,14 @@ cd ~/Azure_SAP_Automated_Deployment/WORKSPACES
 deployer_parameter_file="${CONFIG_REPO_PATH}/DEPLOYER/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE/${env_code}-${region_code}-${vnet_code}-INFRASTRUCTURE.tfvars"
 library_parameter_file="${CONFIG_REPO_PATH}/LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars"
 
+#When using managed identity use:
+${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh  \
+    --deployer_parameter_file "${deployer_parameter_file}"         \
+    --library_parameter_file "${library_parameter_file}"            \
+    --subscription "${ARM_SUBSCRIPTION_ID}"                        \
+    --msi
+
+#When using a service principal use:
 ${SAP_AUTOMATION_REPO_PATH}/deploy/scripts/deploy_controlplane.sh  \
     --deployer_parameter_file "${deployer_parameter_file}"         \
     --library_parameter_file "${library_parameter_file}"            \
