Application and service principals

Marouf Ali 700 Reputation points
2025-01-02T08:47:13.3466667+00:00

Hello,

What are application and service principals in Microsoft Entra ID?

Are they always created upon registration of an app in Azure?

When we talk about application and service principal class objects - does it mean instances of application and service principal classes? How do they apply in Entra ID and Azure?

Best regards

Marouf

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    Akpesiri Ogbebor 2,525 Reputation points
    2025-01-02T11:58:33.98+00:00

    Hello @Marouf Ali

    Thank you for sharing your issue on Microsoft Q&A.

    I understand you want clarification on application and service principals in Microsoft Entra ID.

    Application

    • Definition: An Application in Microsoft Entra ID is a global representation of an application. It acts as a blueprint or template for creating instances of the app in different directories.
    • Use Case: This is the "registration" of your app, where you define its identity (like the app's name, redirect URIs, permissions, etc.).
    • Key Components:
      • App ID: A unique identifier (GUID) for the application.
      • Metadata: Includes configuration, such as API permissions, application roles, and branding.

    Service Principal

    • Definition: A Service Principal is a concrete instance of the application in a tenant (directory). It represents the application when accessing resources in that specific tenant.
    • Use Case: When the application is used in a specific tenant, the service principal handles its permissions, roles, and policies.
    • Key Components:
      • Object ID: Unique identifier specific to the tenant.
      • App ID: Links the service principal to its application definition.

    Are They Always Created Upon Registration?

    1. Application Creation: When you register an app in Microsoft Entra ID, an Application object is created.
    2. Service Principal Creation:
      • By default, a Service Principal object is also created in the same tenant as the application.
      • If the app needs to operate in another tenant (e.g., for multi-tenant apps), a service principal will need to be created in that tenant (automatically or manually when the app is consented to or used).

    Application and Service Principal Class Objects

    • When we talk about application and service principal as class objects, we are referring to instances of these classes in the Microsoft Entra ID object model.
    • How They Apply in Entra ID and Azure:
      • Application: This is a shared model, used to define the identity and behavior of the app across all tenants.
      • Service Principal: This is a local instance in a specific tenant, representing the app in that directory and defining its permissions, access policies, and roles for resources.

    Practical Insights

    • Application vs. Service Principal: Think of the application as the "what" (definition) and the service principal as the "who" (instance in a tenant).
    • Usage in Azure:
      • When deploying or accessing resources in Azure, the service principal acts as the app's identity in a tenant.
      • Applications with multi-tenant behavior will create service principals in other tenants when users or admins from those tenants interact with the app.

    Let me know if you'd like more clarification!

    Siri

    1 person found this answer helpful.
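As an added example (not part of the answer above or of any Microsoft code), the script below models the relationship the answer describes: one application object carries the App ID, and each tenant that uses the app holds its own service principal with the same `appId` but a tenant-specific object `id`. The records are constructed sample data shaped like Microsoft Graph `application` and `servicePrincipal` resources; the property names `id`, `appId`, `displayName`, `signInAudience` and `appOwnerOrganizationId` are real Graph properties, while every GUID, tenant id and app name is made up and the helper functions are mine. It also runs three inventory checks an admin would want from that pairing: registrations with no service principal left in the home tenant, service principals whose application object lives in another organisation (third-party apps consented into the directory), and where a multi-tenant registration has been instantiated.

```python
"""Walk the Entra ID object model: one application object, N service principals.

Added example, not code from the Q&A thread. Records are constructed sample
data shaped like Microsoft Graph `application` and `servicePrincipal` resources
(real property names, made-up GUIDs), partitioned the way you would receive them
by querying each tenant's /applications and /servicePrincipals separately.
"""

HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # constructed: our tenant
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: a customer tenant
VENDOR_TENANT = "33333333-3333-3333-3333-333333333333"   # constructed: a SaaS vendor's tenant


def guid(prefix, n):
    """Build a readable fake GUID (two hex chars + counter) to keep sample data short."""
    return f"{prefix}000000-0000-0000-0000-{n:012d}"


# Application objects (app registrations) that exist in the home tenant.
APPLICATIONS = [
    {"id": guid("aa", 1), "appId": guid("f1", 1), "displayName": "payroll-api",
     "signInAudience": "AzureADMyOrg"},
    {"id": guid("aa", 2), "appId": guid("f1", 2), "displayName": "partner-portal",
     "signInAudience": "AzureADMultipleOrgs"},
    {"id": guid("aa", 3), "appId": guid("f1", 3), "displayName": "old-prototype",
     "signInAudience": "AzureADMyOrg"},  # registration kept, service principal deleted
]

# Service principals grouped by the tenant they live in. appId is shared with the
# application object; id (the object ID) is unique to each tenant-local instance.
SERVICE_PRINCIPALS = {
    HOME_TENANT: [
        {"id": guid("5e", 11), "appId": guid("f1", 1), "displayName": "payroll-api",
         "appOwnerOrganizationId": HOME_TENANT},
        {"id": guid("5e", 12), "appId": guid("f1", 2), "displayName": "partner-portal",
         "appOwnerOrganizationId": HOME_TENANT},
        # A vendor's multi-tenant app consented into our tenant: we hold only its
        # service principal; the application object lives in the vendor tenant.
        {"id": guid("5e", 13), "appId": guid("f1", 99), "displayName": "saas-ticketing",
         "appOwnerOrganizationId": VENDOR_TENANT},
    ],
    PARTNER_TENANT: [
        # Our multi-tenant app after a partner admin consented to it: new object id,
        # same appId, owner organisation still points back at the home tenant.
        {"id": guid("5e", 21), "appId": guid("f1", 2), "displayName": "partner-portal",
         "appOwnerOrganizationId": HOME_TENANT},
    ],
}


def service_principals_for(app_id, sps_by_tenant=SERVICE_PRINCIPALS):
    """Every tenant-local instance of one application as (tenant, object id) pairs."""
    return sorted((tenant, sp["id"])
                  for tenant, sps in sps_by_tenant.items()
                  for sp in sps if sp["appId"] == app_id)


def inventory(tenant_id, applications=APPLICATIONS, sps_by_tenant=SERVICE_PRINCIPALS):
    """Three checks on the application/service-principal pairing for one tenant.

    `applications` are the registrations read from `tenant_id`; `sps_by_tenant`
    holds the service principals read from each tenant we can query.
    """
    local_sps = sps_by_tenant.get(tenant_id, [])
    local_app_ids = {sp["appId"] for sp in local_sps}
    report = {
        # A registration whose service principal is gone cannot be issued tokens in
        # this tenant: either recreate the SP deliberately or delete the stale app.
        "registrations_without_sp": sorted(
            app["displayName"] for app in applications if app["appId"] not in local_app_ids),
        # Service principals whose application object belongs to another organisation:
        # third-party apps consented into this directory, worth a periodic review.
        "foreign_service_principals": sorted(
            sp["displayName"] for sp in local_sps if sp["appOwnerOrganizationId"] != tenant_id),
        # For each multi-tenant registration we own, the tenants holding an instance.
        "multi_tenant_footprint": {},
    }
    for app in applications:
        if app["signInAudience"] == "AzureADMultipleOrgs":
            tenants = sorted({t for t, _ in service_principals_for(app["appId"], sps_by_tenant)})
            report["multi_tenant_footprint"][app["displayName"]] = tenants
    return report


if __name__ == "__main__":
    for tenant, obj_id in service_principals_for(guid("f1", 2)):
        print(f"partner-portal instance in tenant {tenant}: objectId {obj_id}")
    for check, result in inventory(HOME_TENANT).items():
        print(f"{check}: {result}")
```

Against real tenants the two constants would be replaced by the output of `GET /applications` and `GET /servicePrincipals` for each directory you administer; the join key stays `appId`, and the object `id` is what you will see in sign-in logs and role assignments for that tenant.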
