Share via

AAD Service User or Enterprise App / App registration - what to prefer?

StephanG 846 Reputation points
2021-03-17T12:25:54.67+00:00

Hi everyone,

after moving to the cloud more and more "extra" solutions are deployed into our tenant.
Some of them use "service user" (license needed) and some of them leverage "enterprise apps" - some use both.

How to best secure these service user and apps? And is there a best practice - what to use?
I am no developer so i have no clue how to best develop integrations into the M365 environment.

BR
Stephan

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VipulSparsh-MSFT 16,316 Reputation points Microsoft Employee Moderator
    2021-03-17T12:54:43.067+00:00

    @StephanG Here is the difference :

    All applications that get registered in AAD, in the tenant, two types of objects get created once the app registration is done.

    • Application Object
    • Service Principal Object

    The Application Object is what you see under App Registrations in AAD. This object acts as the template where you can go ahead and configure various things like API Permissions, Client Secrets, Branding, App Roles, etc. All these customizations that you make to your app, get written to the app manifest file. The application object describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

    The Service Principal Object is what you see under the Enterprise Registration blade in AAD. Every Application Object (created through the Azure Portal or using the Microsoft Graph APIs, or AzureAD PS Module) would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

    Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

    Read more.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    0 comments
  2. StephanG 846 Reputation points
    2021-03-17T12:57:59.287+00:00

    Thanks for the quick response.. but that i already found.

    I meant that some of the deployed solutions use "real AAD user accounts" - e.g ******@mytenant.onmicrosoft.com
    How to best secure them?

  3. StephanG 846 Reputation points
    2021-03-22T20:14:39.217+00:00

    Thanks @VipulSparsh-MSFT we have done that for all our normal users already.
    But most settings are not suitable for service accounts because they execute without user interaction from many source IPs (Azure web app). So question is - is every task a service user can do also possible with an enterprise app?

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.