Question about the difference between "applicationCredentialExpiry" and "servicePrincipalKeyExpiry" in Azure AD Apps

R. Alejandro Taborda Chinea 21 Reputation points
2024-03-27T18:24:11.7+00:00

Hello,

I am currently reviewing some alerts about credentials approaching expiry in the Entra ID portal, and I see a couple that say:

  • Renew expiring application credentials (applicationCredentialExpiry, from what I have read)

This one indicates that it is updated in App registrations under "Certificates and secrets". As I understand it, these credentials are used so that an application we have developed, for example, can authenticate correctly against Azure AD and thus access resources via an API, for example. Is that right?

  • Renew expiring service principal credentials (servicePrincipalKeyExpiry, from what I have read)

This recommendation indicates that it should be checked in Enterprise applications, under "Single sign-on", in "SAML signing certificate".

But here I get a bit lost, because there are applications under this recommendation that, when clicked, also take me to "Certificates and secrets" in App registrations, while others do take me to the SAML part.

What is the difference between these two values or credentials? What function does each one serve? Thanks!

Regards

Microsoft Entra ID

1 answer

  1. Navya 3,915 Reputation points Microsoft Vendor
    2024-03-28T09:00:13.9566667+00:00

    Hi @R. Alejandro Taborda Chinea

    Thank you for posting this in Microsoft Q&A.

    I understand your ask about the difference between "applicationCredentialExpiry" and "servicePrincipalKeyExpiry" in Azure AD Apps.

    An App Registration is a way of registering your application with Azure AD and enabling Azure AD services on it. It allows you to configure your application's settings and capabilities and assign a unique Application ID to it.

    Renew expiring application credentials (applicationCredentialExpiry as I've read)

    Yes, you are correct, applicationCredentialExpiry comes under App Registration. These credentials are used to prove the identity of the application. When an application needs to access resources in Azure, it needs to authenticate itself with Azure AD to obtain an access token. This access token is then used to access the resources. However, Azure AD needs to verify that the application is who it claims to be before issuing an access token.

    The Enterprise Applications blade in Azure AD contains the list of your service principals, which represent your applications in the tenant. The term "Enterprise App" generally refers to applications published by other companies in the Azure AD gallery that can be used within your organization. When you register your own application in App Registrations, it will be represented as a Service Principal in the Enterprise Applications blade.

    Renew expiring service principal credentials (servicePrincipalKeyExpiry as I read)

    A Microsoft Entra service principal represents an application object within a specific tenant or directory. It determines access to the application and its resources. For example, you can create a service principal for the web application and assign it specific permissions to access the database and storage account. You can also define which users or groups are allowed to access the web application by granting them access to the service principal.

    If you attempt to upload or update service principal credentials, it may not be reflected in the registered applications as shown in the image.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
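To make the two recommendations concrete, here is an added example (not code from the original thread, and not Microsoft's own tooling): a Microsoft Graph PowerShell SDK function that lists credentials hanging off application objects (App registrations > Certificates & secrets, the objects behind applicationCredentialExpiry) next to credentials hanging off service principal objects (Enterprise applications, the objects behind servicePrincipalKeyExpiry, where a SAML app's signing certificate lives), and returns the ones expiring within N days. It assumes the Microsoft.Graph.Applications module and a session opened with Application.Read.All; the function name Get-ExpiringEntraCredentials, the 30-day default window and the row layout are our choices, while the cmdlets and property names follow the Graph 'application' and 'servicePrincipal' resource types.

```powershell
# Added example, not code from the original Q&A thread. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Applications) and a session opened beforehand with:
#   Connect-MgGraph -Scopes "Application.Read.All"
# Function name and output shape are ours; cmdlets/properties are the Graph SDK's.

function Get-ExpiringEntraCredentials {
    [CmdletBinding()]
    param(
        # Credentials ending within this many days are returned (already-expired ones too).
        [int]$DaysAhead = 30
    )

    $now    = [datetime]::UtcNow
    $cutoff = $now.AddDays($DaysAhead)

    # Flatten one passwordCredential/keyCredential into a row tagged with its parent object.
    # ObjectType tells you which portal blade (and which recommendation) the row belongs to.
    $toRow = {
        param($Object, $ObjectType, $Credential, $Kind)
        if (-not $Credential.EndDateTime) { return }   # Graph omits EndDateTime on some SP secrets
        $end = [datetime]$Credential.EndDateTime
        [pscustomobject]@{
            ObjectType  = $ObjectType                       # 'Application' or 'ServicePrincipal'
            DisplayName = $Object.DisplayName
            AppId       = $Object.AppId                     # shared by both objects of one app
            ObjectId    = $Object.Id
            SsoMode     = $Object.PreferredSingleSignOnMode # 'saml' on SAML enterprise apps, $null on applications
            Kind        = $Kind                             # 'Secret' or 'Certificate'
            Usage       = $Credential.Usage                 # 'Sign'/'Verify' on SAML signing certificates
            KeyId       = $Credential.KeyId
            EndDateTime = $end
            DaysLeft    = [math]::Floor(($end - $now).TotalDays)
            Expired     = ($end -lt $now)
        }
    }

    # 1) Application objects: App registrations > Certificates & secrets
    #    (what "Renew expiring application credentials" / applicationCredentialExpiry points at).
    $apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials

    # 2) Service principal objects: Enterprise applications
    #    (what "Renew expiring service principal credentials" / servicePrincipalKeyExpiry points at).
    #    For SAML apps the keyCredentials here are the SAML signing certificate.
    $sps = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,PreferredSingleSignOnMode,PasswordCredentials,KeyCredentials

    # Collect rows from the pipeline so credentials without an EndDateTime add no entry.
    $rows = @(
        foreach ($app in $apps) {
            foreach ($c in $app.PasswordCredentials) { & $toRow $app 'Application' $c 'Secret' }
            foreach ($c in $app.KeyCredentials)      { & $toRow $app 'Application' $c 'Certificate' }
        }
        foreach ($sp in $sps) {
            foreach ($c in $sp.PasswordCredentials) { & $toRow $sp 'ServicePrincipal' $c 'Secret' }
            foreach ($c in $sp.KeyCredentials)      { & $toRow $sp 'ServicePrincipal' $c 'Certificate' }
        }
    )

    $rows | Where-Object { $_.EndDateTime -le $cutoff } | Sort-Object EndDateTime
}

# Usage: sort by AppId so both objects of the same app (if both carry credentials) sit together.
Get-ExpiringEntraCredentials -DaysAhead 30 |
    Sort-Object AppId, ObjectType, EndDateTime |
    Format-Table ObjectType, DisplayName, AppId, SsoMode, Kind, Usage, EndDateTime, DaysLeft, Expired -AutoSize
```

Reading the output against the question: a row with ObjectType 'Application' is renewed under App registrations > Certificates & secrets; a row with ObjectType 'ServicePrincipal' and SsoMode 'saml' is the SAML signing certificate under Enterprise applications > Single sign-on; and because the two objects share one AppId, the same app can surface under both recommendations, which is why the portal link lands on different blades. Get-MgServicePrincipal -All enumerates every service principal in the tenant, including Microsoft first-party ones, so expect it to take a while in a large directory.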