Azure AD Application vs Service Principal Concept Distinction

Pier-Carl Venne 21 Reputation points
2022-12-18T18:05:38.667+00:00

I still have difficulty grasping the dissimilarities between Managed Applications and their Service Principal.

From what I understand, App Registrations encapsulate the App ID, Credentials/Certificates and Scope, and Service Principals encapsulate the management of consent and scopes; other instances must be created when using the application in other tenants, while they all point to the original App Registration and the tenant where it was created. I also understand that the Service Principal is another type of identity, and it's this identity that the app uses to authenticate to Azure AD via OAuth2, determine the app users' authorizations and fetch info using OpenID.

Where I'm having difficulty putting these concepts together is when it's specified that the Service Principal is the "Local Representation of the app in the Local Directory". I understand this makes sense when the app is used in another tenant, since another Service Principal is created in that other directory, but I don't understand where this makes sense when this is a single-tenant app. Like, it's weird for me to say something like "it's the local representation of the application that is also local to the same directory"?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. TP 148.8K Reputation points Volunteer Moderator
    2022-12-18T20:04:29.073+00:00

    Hi,

    You can think of Application object as a globally unique template/blueprint/definition that represents an application whereas the Application service principal object is a concrete representation of the application for purposes of consent being given to it, permissions to access resources being granted to it, etc., in a specific tenant. It's a one-to-many relationship in that there is only 1 Application object (which exists in only one tenant), but there can be many Application service principals (one for each tenant).

    An application object could exist without any linked application service principals. It's really only when the application needs to be used (given consent, granted access, etc.) in a specific tenant that a corresponding application service principal instance needs to exist in that tenant.

    -TP

    1 person found this answer helpful.
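The one-to-many split described in the accepted answer can be made concrete by joining the objects the way they come back from Microsoft Graph. The following is an added example, not code from this thread or from Microsoft: it takes one `application` object plus constructed per-tenant snapshots of `servicePrincipal` and `oauth2PermissionGrant` objects and reports where the definition (and its credentials) lives versus where each instance (and its consented permissions) lives. All GUIDs, tenant ids and the `DIRECTORIES` snapshot layout are constructed; the property names (`id`, `appId`, `appOwnerOrganizationId`, `passwordCredentials`, `clientId`, `resourceId`, `scope`) are the real Graph property names.

```python
"""Model of the Entra ID application / service principal split.

Added example for the Q&A thread above (not the thread's or Microsoft's
code). One application object is joined to the service principal each
tenant holds for it, and to the delegated consent grants in that tenant.
Every GUID and every tenant snapshot below is constructed.
"""
import json
from typing import Dict, List

HOME_TENANT = "00000000-0000-4000-8000-00000000000a"   # constructed
OTHER_TENANT = "00000000-0000-4000-8000-00000000000b"  # constructed
APP_ID = "10000000-0000-4000-8000-000000000001"        # constructed client id

# The single application object. It exists only in the home tenant and is
# where secrets/certificates are kept (passwordCredentials, keyCredentials).
APPLICATION = {
    "id": "20000000-0000-4000-8000-000000000002",  # object id in home tenant
    "appId": APP_ID,                               # globally unique client id
    "displayName": "Payroll Sync",
    "signInAudience": "AzureADMultipleOrgs",
    "passwordCredentials": [
        {"keyId": "30000000-0000-4000-8000-000000000003", "displayName": "ci-secret"}
    ],
}

# Constructed per-tenant snapshots: what GET /servicePrincipals and
# GET /oauth2PermissionGrants would return inside each tenant.
DIRECTORIES = {
    HOME_TENANT: {
        "servicePrincipals": [
            {"id": "40000000-0000-4000-8000-000000000004", "appId": APP_ID,
             "appOwnerOrganizationId": HOME_TENANT, "displayName": "Payroll Sync"},
        ],
        "oauth2PermissionGrants": [
            {"clientId": "40000000-0000-4000-8000-000000000004",
             "consentType": "AllPrincipals",
             "resourceId": "50000000-0000-4000-8000-000000000005",
             "scope": "User.Read Directory.Read.All"},
        ],
    },
    OTHER_TENANT: {
        "servicePrincipals": [
            {"id": "60000000-0000-4000-8000-000000000006", "appId": APP_ID,
             "appOwnerOrganizationId": HOME_TENANT, "displayName": "Payroll Sync"},
        ],
        "oauth2PermissionGrants": [
            {"clientId": "60000000-0000-4000-8000-000000000006",
             "consentType": "AllPrincipals",
             "resourceId": "70000000-0000-4000-8000-000000000007",
             "scope": "User.Read"},
        ],
    },
}


def service_principals_for(app_id: str, directories: Dict) -> Dict[str, dict]:
    """Map tenant id -> the service principal for app_id in that tenant.

    A tenant holds at most one service principal per appId; a missing
    tenant means the app has never been instantiated (consented) there.
    """
    found: Dict[str, dict] = {}
    for tenant_id, snapshot in directories.items():
        for sp in snapshot["servicePrincipals"]:
            if sp["appId"] == app_id:
                found[tenant_id] = sp
    return found


def consented_scopes(sp: dict, snapshot: dict) -> List[str]:
    """Delegated scopes granted to this service principal in its tenant.

    Grants key on the SP object id (clientId), never on the application
    object id, which is why consent state is tracked per tenant.
    """
    scopes: List[str] = []
    for grant in snapshot["oauth2PermissionGrants"]:
        if grant["clientId"] == sp["id"]:
            scopes.extend(grant["scope"].split())
    return sorted(set(scopes))


def summarize(application: dict, directories: Dict) -> dict:
    """One report: where the definition lives, where each instance lives."""
    sps = service_principals_for(application["appId"], directories)
    return {
        "appId": application["appId"],
        "appObjectId": application["id"],
        "credentialsOnAppObject": len(application.get("passwordCredentials", [])),
        "instances": {
            tenant: {
                "spObjectId": sp["id"],
                "isHomeTenant": sp["appOwnerOrganizationId"] == tenant,
                "scopes": consented_scopes(sp, directories[tenant]),
            }
            for tenant, sp in sps.items()
        },
    }


if __name__ == "__main__":
    print(json.dumps(summarize(APPLICATION, DIRECTORIES), indent=2))
```

Running `summarize` over only the home-tenant snapshot shows the single-tenant case: there is still one application object and one service principal, with different object ids, sharing the same `appId`. For an audit that matters: rotating or revoking a secret is an operation on the application object in the home tenant, while "what has this app been allowed to do in my tenant" is answered by the service principal and the grants that reference its object id.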

2 additional answers

  1. risolis 8,806 Reputation points
    2022-12-18T19:18:50.273+00:00

    Hello @Pier-Carl Venne

    Thank you for sharing this question on this community space.

    I would like to gather the following article as well as the URL for the same. So, I am pasting a small segment of it down below:

    271855-image.png

    https://www.techtarget.com/searchcloudcomputing/tip/Why-and-how-to-create-Azure-service-principals#:~:text=The%20key%20difference%20between%20Azure,a%20role%20to%20the%20identity.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Raymond Ha How Sung 25 Reputation points
    2023-09-12T08:18:09.13+00:00

    Actually, I am still a bit confused about the difference; so if there is no multi-tenant, then actually there is no key difference, right?

