Why do some Microsoft Applications have a Service Principal and others do not?

Timothy Claeys 20 Reputation points
2023-08-16T14:42:44.68+00:00

When looking at the list of commonly used Microsoft Applications (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) I noticed that some of these show up in my Enterprise Applications list in Azure AD (list of Service Principals) while others do not. For example, I cannot find the Service Principal for the Microsoft Azure CLI application, while I have logged in using Azure CLI.

When I logged in (using the az login command without specifying my credentials) it opened a browser (following the OAuth 2 authorization code flow) which allowed me to authenticate and authorize Azure CLI to access the Azure REST API.

I would expect that a Service Principal would then be created in the Enterprise Applications list with the Azure CLI application ID (04b07795-8ddb-461a-bbee-02f9e1bf7b46).

Microsoft Entra ID

Accepted answer
  1. Vasil Michev 116.8K Reputation points MVP
    2023-08-16T16:29:59.99+00:00

    Some (many in fact) of the first-party (i.e. Microsoft-owned) apps do not show up in the UI and/or PowerShell/CLI. You should however still see the corresponding login events, with the relevant SP GUID shown. The article you quoted above was created to address complaints from customers that we have no visibility on said SP objects - at least now you can compare them against this (albeit incomplete) list.

    1 person found this answer helpful.
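The comparison the answer describes, as an added example that is not part of the original thread: group sign-in events by application ID and report which apps have no visible service principal, split by whether they appear on the first-party list. It assumes a JSON export of sign-in logs with the `appId` and `appDisplayName` fields of the Microsoft Graph signIn resource; every GUID except the Azure CLI ID from the question is constructed.

```python
import json
from collections import Counter

# Known first-party app IDs (load the full Microsoft list in practice).
# Only the Azure CLI ID comes from this page.
FIRST_PARTY_APP_IDS = {"04b07795-8ddb-461a-bbee-02f9e1bf7b46"}
# Constructed: appIds of service principals visible under Enterprise Applications.
TENANT_SP_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
# Constructed sign-in log export; field names follow the Graph signIn resource.
SAMPLE_SIGN_INS = json.loads("""[
  {"appId": "04B07795-8DDB-461A-BBEE-02F9E1BF7B46", "appDisplayName": "Microsoft Azure CLI"},
  {"appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI"},
  {"appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Contoso HR (constructed)"},
  {"appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Unlisted app (constructed)"},
  {"appId": null, "appDisplayName": "Malformed row (constructed)"}
]""")


def _norm(guid):
    """GUIDs compare case-insensitively; exports are not consistent about case."""
    return (guid or "").strip().lower()


def classify_sign_ins(sign_ins, tenant_sp_app_ids, first_party_app_ids):
    """Group sign-ins by appId and say whether each app has a visible SP."""
    visible = {_norm(g) for g in tenant_sp_app_ids}
    first_party = {_norm(g) for g in first_party_app_ids}
    counts, names = Counter(), {}
    for event in sign_ins:
        app_id = _norm(event.get("appId"))
        if not app_id:
            continue  # row without an appId cannot be matched
        counts[app_id] += 1
        names.setdefault(app_id, event.get("appDisplayName") or "")
    report = {}
    for app_id, n in counts.items():
        if app_id in visible:
            status = "visible_service_principal"
        elif app_id in first_party:
            status = "first_party_no_visible_sp"
        else:
            # The first-party list is incomplete, so this means "look closer".
            status = "unlisted_no_visible_sp"
        report[app_id] = {"name": names[app_id], "sign_ins": n, "status": status}
    return report


if __name__ == "__main__":
    for app_id, row in classify_sign_ins(SAMPLE_SIGN_INS, TENANT_SP_APP_IDS, FIRST_PARTY_APP_IDS).items():
        print(app_id, row)
```

An `unlisted_no_visible_sp` result is a prompt to look the application ID up, not a verdict, because the published first-party list is incomplete.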
