Sunday, August 22, 2021

Azure service principal

An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a single tenant or directory. ‎It functions as the identity of the application instance. Service principals define who can access the application, and what resources the application can access. A service principal is created in each tenant where the application is used and references the globally unique application object. The tenant secures the service principal’s sign in and access to resources.

A multi-tenant application is homed in a single-tenant (home tenant) and is designed to have instances in other tenants. Most software-as-a-service (SaaS) applications are designed for multi-tenancy. Use service principals to ensure the right security posture for the application and its users in both single-tenant and multi-tenant use cases.

Application registration

When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's a single-tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to).

When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID).

If you register an application in the portal, an application object, as well as a service principal object, are automatically created in your home tenant.

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used.

The application object describes three aspects of an application.

1.       How the service can issue tokens in order to access the application.

2.       Resources that the application might need to access.

3.       The actions that the application can take.

Application Id

ApplicationId will be same for single application object that represents this application as well as it will be same for all service principals created for this application.


Object Id

ObjectId will be a unique value for application object and each of the service principal. This uniquely identifies the object in Azure AD.

Service principal object

To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

There are three types of service principal

1.       Application- The type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory.

2.       Managed identity- This type of service principal is used to represent a managed identity. It is used for “linking” a Service Principal security object to an Azure Resource like a Virtual Machine, Web App, Logic App or similar. If you want to learn more about it, you can read my previous blog.

3.       Legacy- This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences.

Hope it will help you to understand service principle and in a future blog, we will use them

Keep sharing keep learning 

No comments:

Post a Comment