Hi @NC0202 ,
Apologies for the delayed reply!
Q1: Does the service here mean Azure Active Directory (Azure AD), since it's in charge of token issuing?
Yes, the service here is Azure AD issuing tokens to your application.
Q2: According to the above ref article, I know there are 3 types of service principal - application, managed identity and legacy.
So the service principal here means the application type, right?
Yes, it is the application type. The related link on that page shows how to sign in using the application ID. https://learn.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-6.5.0
Q3: The mapping of service principals and where I can find them on Azure
Left side is my understanding, and the mapping seems like this.
Not sure if it's correct or not.
I wouldn't exactly map it like that, since there are some differences in how these things are organized. A system-assigned managed identity is enabled as part of a resource and tied to the lifecycle of that resource (such as a VM or App Service). User-assigned managed identities are created as stand-alone Azure resources. You would enable managed identities and then deploy your app to an Azure service. The managed identity enablement itself is done from the App Service, and you would normally configure this under App Service > Settings > Identity, but you can also find the managed identity for your web app or slot app under Enterprise Applications > User Settings. An application can have both system-assigned and user-assigned identities at the same time, and it is enabled on the App Service, not through the enterprise application or app registration.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal
Q4: I know Enterprise Applications is where I can check service principals, but I'm not sure why some principals in my company seem weird.
sample 1 : I can find it as Enterprise Applications, but not in App Registration
An App Registration can reside in any directory, but an Enterprise application (Service Principal) must be present in the same directory for every tenant where the application is running. This is probably why you are able to see the enterprise application but not the app registration in that tenant.
Let me know if this helps at all or if more clarity is needed. I wrote a blog post about some of the differences between these terms, but your question got me thinking a lot about some of the strange nuances of the terminology and makes me think I need to update this. https://marileeturscak.com/posts/app-registrations-enterprise-applications-service-principals/
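Added example, not part of the answer above or of any Microsoft documentation: an Az PowerShell walk-through of the three points made in the reply (the three ServicePrincipalType values, an enterprise application whose app registration lives in another tenant, and a managed identity that has a service principal but no app registration). It assumes the Microsoft Graph-based Az.Resources module (Az 7 or later, where Get-AzADServicePrincipal exposes ServicePrincipalType and AppOwnerOrganizationId), plus Az.Websites and Az.ManagedServiceIdentity, and that Connect-AzAccount has already been run. The resource group, web app and identity names are placeholders.

```powershell
# Added example (not from the answer above). Assumes Az.Accounts, Az.Resources (Microsoft Graph-based),
# Az.Websites and Az.ManagedServiceIdentity, and an existing Connect-AzAccount session.
# 'rg-example', 'webapp-example' and 'id-example' are placeholder names for this example.

$tenantId = (Get-AzContext).Tenant.Id

# --- 1. Enterprise Applications are service principals; ServicePrincipalType separates the three kinds
#        (Application, ManagedIdentity, Legacy) that the question refers to.
$sps = Get-AzADServicePrincipal
$sps | Group-Object ServicePrincipalType | Select-Object Name, Count

# --- 2. "Visible under Enterprise Applications but not under App Registrations":
#        an Application-type service principal whose app registration is owned by another tenant.
#        AppOwnerOrganizationId is the tenant that holds the registration; Get-AzADApplication looks
#        only in the current tenant, so it returns nothing for these.
$foreign = $sps | Where-Object {
    $_.ServicePrincipalType -eq 'Application' -and $_.AppOwnerOrganizationId -ne $tenantId
}
$foreignReport = foreach ($sp in $foreign) {
    $reg = Get-AzADApplication -ApplicationId $sp.AppId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisplayName          = $sp.DisplayName
        AppId                = $sp.AppId
        HomeTenant           = $sp.AppOwnerOrganizationId
        RegistrationInTenant = [bool]$reg          # expected: $false for every row
    }
}
$foreignReport | Format-Table -AutoSize

# --- 3. System-assigned managed identity: enabled on the App Service resource itself, which creates a
#        ManagedIdentity-type service principal (an Enterprise Application) with no app registration.
$rg = 'rg-example'
$webAppName = 'webapp-example'
Set-AzWebApp -ResourceGroupName $rg -Name $webAppName -AssignIdentity $true | Out-Null
$app = Get-AzWebApp -ResourceGroupName $rg -Name $webAppName
$miSp = Get-AzADServicePrincipal -ObjectId $app.Identity.PrincipalId
$miSp | Select-Object DisplayName, ServicePrincipalType, AppId
# No app registration backs a managed identity, so this lookup returns nothing:
Get-AzADApplication -ApplicationId $miSp.AppId -ErrorAction SilentlyContinue

# --- 4. User-assigned managed identity: a stand-alone ARM resource with its own service principal,
#        which the app service can be pointed at independently of its system-assigned one.
$ua = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-example'
Get-AzADServicePrincipal -ObjectId $ua.PrincipalId | Select-Object DisplayName, ServicePrincipalType, AppId
```

Step 2 is the one worth running regularly from a security standpoint: every row it produces is a third-party application that has been consented to in your tenant, whose code and registration you do not control, so its granted permissions and role assignments should be reviewed like any other external principal.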