Application and service principals

Question

Application and service principals

Marouf Ali 700

Hello,

What are application and service principals in Microsoft Entra ID?

Are they always created upon registration of an app in Azure?

When we talk about application and service principal class objects - does it mean instances of application and service principal classes? How do they apply in Entra ID and Azure?

Best regards

Marouf

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-02T11:57:09.9666667+00:00

Hi @Marouf Ali
Thank you for posting your query on Microsoft Q&A.

We have many applications in Microsoft Entra ID, and once you complete the app registration, a globally unique instance of the app is created (the application object) with a unique Object ID. Additionally, a service principal is created, which has another unique Object ID.

A service principal is a concrete instance derived from the application object and inherits certain properties from it. A service principal is created in each tenant where the application is used, referencing the globally unique application object. The service principal object defines what the app can do in a specific tenant, who can access the app, and what resources the app can access.

When you register an application, both an application object and a service principal object are automatically created in your home tenant.

In this context, when we refer to "application" and "service principal" as class objects, we mean that these are instances of those classes. The application object is like a class definition, and the service principals are instances of this class, each with specific configurations for their respective tenants.

Could you clarify what you mean by Entra ID and Azure in this scenario? Essentially, Microsoft Entra ID is a cloud-based identity and access management solution within Azure, while Azure itself is a platform that allows you to create, manage, and deploy Azure resources and services. If this understanding is incorrect, could you please explain the relationship between Entra ID and Azure in your scenario?

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Accepted answer

0 additional answers

Your answer

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-01-02T11:57:09.9666667+00:00

Hi @Marouf Ali
Thank you for posting your query on Microsoft Q&A.

We have many applications in Microsoft Entra ID, and once you complete the app registration, a globally unique instance of the app is created (the application object) with a unique Object ID. Additionally, a service principal is created, which has another unique Object ID.

A service principal is a concrete instance derived from the application object and inherits certain properties from it. A service principal is created in each tenant where the application is used, referencing the globally unique application object. The service principal object defines what the app can do in a specific tenant, who can access the app, and what resources the app can access.

When you register an application, both an application object and a service principal object are automatically created in your home tenant.

In this context, when we refer to "application" and "service principal" as class objects, we mean that these are instances of those classes. The application object is like a class definition, and the service principals are instances of this class, each with specific configurations for their respective tenants.

Could you clarify what you mean by Entra ID and Azure in this scenario? Essentially, Microsoft Entra ID is a cloud-based identity and access management solution within Azure, while Azure itself is a platform that allows you to create, manage, and deploy Azure resources and services. If this understanding is incorrect, could you please explain the relationship between Entra ID and Azure in your scenario?

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.

Answer 1

Hello @Marouf Ali

Thank you for sharing your issue on Microsoft Q&A.

I understand you want clarification on application and service principles in Microsoft Entra ID.

Application

Definition: An Application in Microsoft Entra ID is a global representation of an application. It acts as a blueprint or template for creating instances of the app in different directories.
Use Case: This is the "registration" of your app, where you define its identity (like the app's name, redirect URIs, permissions, etc.).
Key Components:
- App ID: A unique identifier (GUID) for the application.
  - Metadata: Includes configuration, such as API permissions, application roles, and branding.

Service Principal

Definition: A Service Principal is a concrete instance of the application in a tenant (directory). It represents the application when accessing resources in that specific tenant.
Use Case: When the application is used in a specific tenant, the service principal handles its permissions, roles, and policies.
Key Components:
- Object ID: Unique identifier specific to the tenant.
- App ID: Links the service principal to its application definition. Application
  - Definition: An Application in Microsoft Entra ID is a global representation of an application. It acts as a blueprint or template for creating instances of the app in different directories.
  - Use Case: This is the "registration" of your app, where you define its identity (like the app's name, redirect URIs, permissions, etc.).
  - Key Components:
    - App ID: A unique identifier (GUID) for the application.
    - Metadata: Includes configuration, such as API permissions, application roles, and branding.
  Service Principal
  - Definition: A Service Principal is a concrete instance of the application in a tenant (directory). It represents the application when accessing resources in that specific tenant.
  - Use Case: When the application is used in a specific tenant, the service principal handles its permissions, roles, and policies.
  - Key Components:
    - Object ID: Unique identifier specific to the tenant.
    - App ID: Links the service principal to its application definition.

Are They Always Created Upon Registration?

Application Creation: When you register an app in Microsoft Entra ID, an Application object is created.
Service Principal Creation:
- By default, a Service Principal object is also created in the same tenant as the application.
- If the app needs to operate in another tenant (e.g., for multi-tenant apps), a service principal will need to be created in that tenant (automatically or manually when the app is consented to or used).

Application and Service Principal Class Objects

When we talk about application and service principal as class objects, we are referring to instances of these classes in the Microsoft Entra ID object model.
How They Apply in Entra ID and Azure:
- Application: This is a shared model, used to define the identity and behavior of the app across all tenants.
- Service Principal: This is a local instance in a specific tenant, representing the app in that directory and defining its permissions, access policies, and roles for resources.

Practical Insights

Application vs. Service Principal: Think of the application as the "what" (definition) and the service principal as the "who" (instance in a tenant).
Usage in Azure:
- When deploying or accessing resources in Azure, the service principal acts as the app's identity in a tenant.
- Applications with multi-tenant behavior will create service principals in other tenants when users or admins from those tenants interact with the app.

Let me know if you'd like more clarification!

Siri

Share via

Application and service principals

0 additional answers

Your answer