An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a single tenant or directory. It functions as the identity of the application instance. Service principals define who can access the application, and what resources the application can access. A service principal is created in each tenant where the application is used and references the globally unique application object. The tenant secures the service principal's sign-in and access to resources.
A multi-tenant application is homed in a single tenant (the home tenant) and is designed to have instances in other tenants. Most software-as-a-service (SaaS) applications are designed for multi-tenancy. Use service principals to ensure the right security posture for the application and its users in both single-tenant and multi-tenant use cases.
Application registration
When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's single-tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants), and you can optionally set a redirect URI (where the access token is sent).
When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID).
If you register an application in the portal, an application object and a service principal object are automatically created in your home tenant.
Application object
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used.
The application object describes three aspects of an application:
1. How the service can issue tokens in order to access the application.
2. Resources that the application might need to access.
3. The actions that the application can take.
Application Id
The ApplicationId is the same for the single application object that represents the application and for every service principal created for that application.
Object Id
The ObjectId is a unique value for the application object and for each service principal; it uniquely identifies that object in Azure AD.
Service principal object
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user or application in the Azure AD tenant. This enables core features such as authentication of the user or application during sign-in, and authorization during resource access.
There are three types of service principal:
1. Application: this type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory.
2. Managed identity: this type of service principal is used to represent a managed identity. It is used for "linking" a service principal security object to an Azure resource such as a Virtual Machine, Web App, Logic App or similar. If you want to learn more about it, you can read my previous blog.
3. Legacy: this type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences.
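To make the Application Id / Object Id relationship and the three service principal types concrete, here is an added example (not code from the original post) that audits a constructed export in the shape of Microsoft Graph application and servicePrincipal objects. Every id is made up, and the "tenant" field is a label assumed for the example so one multi-tenant app can be shown with instances in two tenants.

```python
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph /applications and
# /servicePrincipals objects. Every id is made up; "tenant" is a label added
# for this example (the app is homed in "contoso" and used in "fabrikam").
HOME_APPLICATIONS = json.loads("""[
 {"id": "a1000000-0000-4000-8000-000000000001",
  "appId": "d3b07384-0000-4000-8000-0000000000aa",
  "displayName": "ContosoReports", "signInAudience": "AzureADMultipleOrgs"}
]""")

SERVICE_PRINCIPALS = json.loads("""[
 {"tenant": "contoso", "id": "b2000000-0000-4000-8000-000000000002",
  "appId": "d3b07384-0000-4000-8000-0000000000aa", "servicePrincipalType": "Application"},
 {"tenant": "contoso", "id": "b3000000-0000-4000-8000-000000000003",
  "appId": "5f2c1d0e-0000-4000-8000-0000000000bb", "servicePrincipalType": "ManagedIdentity"},
 {"tenant": "contoso", "id": "b4000000-0000-4000-8000-000000000004",
  "appId": "9a8b7c6d-0000-4000-8000-0000000000cc", "servicePrincipalType": "Legacy"},
 {"tenant": "fabrikam", "id": "c5000000-0000-4000-8000-000000000005",
  "appId": "d3b07384-0000-4000-8000-0000000000aa", "servicePrincipalType": "Application"}
]""")


def audit(applications, service_principals):
    """Relate each service principal to its application object by appId.

    Per appId: the local application object id (None when the app is homed in
    another tenant, or the SP is a managed identity or legacy app), the SP
    object id per tenant, and the SP type. Also lists any object id seen twice:
    appId is shared across instances, object id must never be.
    """
    app_object_by_app_id = {a["appId"]: a["id"] for a in applications}
    apps = {}
    for sp in service_principals:
        entry = apps.setdefault(sp["appId"], {
            "applicationObjectId": app_object_by_app_id.get(sp["appId"]),
            "servicePrincipalType": sp["servicePrincipalType"],
            "instances": {},
        })
        entry["instances"][sp["tenant"]] = sp["id"]
    all_ids = [a["id"] for a in applications] + [sp["id"] for sp in service_principals]
    duplicates = sorted(i for i, n in Counter(all_ids).items() if n > 1)
    type_counts = dict(Counter(sp["servicePrincipalType"] for sp in service_principals))
    return {"apps": apps, "duplicateObjectIds": duplicates, "typeCounts": type_counts}


if __name__ == "__main__":
    print(json.dumps(audit(HOME_APPLICATIONS, SERVICE_PRINCIPALS), indent=2))
```

Running it shows the ContosoReports appId resolving to one application object but two service principal instances with distinct object ids, while the managed identity and legacy entries have no local application object at all.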
Hope it will help you to understand service principals, and in a future blog we will use them.
Keep sharing, keep learning.