NC0202-5867 asked, MarileeTurscak-MSFT answered

Concepts of Service Principals

Hi, I'm studying the concepts of service principals and have a few things I'm confused about.
Could you help clarify?

Q1 : Does the service here mean Azure Active Directory (Azure AD), since it's in charge of token issuing?

[image attachment: 144527-image.png]
Ref : https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Q2 : According to the above referenced article, I know there are 3 types of service principal: application, managed identity and legacy.
So the service principal here means the application type, right?
[image attachment: 144542-image.png]
Ref : https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell

Q3 : The mapping of service principals and where I can find them on Azure
The left side is my understanding, and the mapping seems like this.
Not sure if it's correct or not.

[image attachment: 144500-image.png]

Q4 : I know Enterprise Applications is where I can check service principals, but I'm not sure why some principals in my company seem weird.
Sample 1 : I can find it under Enterprise Applications, but not under App Registrations.
[image attachment: 144459-image.png]

Sample 2 : This one was created via the CLI on Oct 15; the command was az ad sp create-for-rbac --name ServicePrincipalName
I could only find it without a filter, which makes me wonder what its type is.

[image attachment: 144563-image.png]

azure-active-directory

1 Answer

MarileeTurscak-MSFT answered

Hi @NC0202-5867,

Apologies for the delayed reply!

Q1 : Does the service here mean Azure Active Directory (Azure AD), since it's in charge of token issuing?

Yes, the service here is Azure AD issuing tokens to your application.


Q2 : According to the above referenced article, I know there are 3 types of service principal: application, managed identity and legacy.
So the service principal here means the application type, right?

Yes, it is the application type. The related link on that page shows how to sign in using the application ID. https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-6.5.0

Q3: The mapping of service principals and where I can find them on Azure
The left side is my understanding, and the mapping seems like this.
Not sure if it's correct or not.

I wouldn't exactly map it like that, since there are some differences in how these things are organized. A system-assigned managed identity is enabled as part of a resource and tied to the lifecycle of that resource (such as a VM or App Service). User-assigned managed identities are created as stand-alone Azure resources. You would enable managed identities and then deploy your app to an Azure service. The managed identity enablement itself is done from the App Service, and you would normally configure this under App Service > Settings > Identity, but you can also find the managed identity for your web app or slot app under Enterprise Applications > User Settings. An application can have both system-assigned and user-assigned identities at the same time, and it is enabled on the App Service, not through the enterprise application or app registration.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal

Q4: I know Enterprise Applications is where I can check service principals, but I'm not sure why some principals in my company seem weird.
Sample 1 : I can find it under Enterprise Applications, but not under App Registrations.

An App Registration can reside in any directory, but an Enterprise application (Service Principal) must be present in the same directory for every tenant where the application is running. This is probably why you are able to see the enterprise application but not the app registration in that tenant.

Let me know if this helps at all or if more clarity is needed. I wrote a blog post about some of the differences between these terms, but your question got me thinking a lot about some of the strange nuances of the terminology and makes me think I need to update this. https://marileeturscak.com/posts/app-registrations-enterprise-applications-service-principals/

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
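As an added example (not part of the question or the answer above), the following Python script applies the rules from the answer to Microsoft Graph-shaped servicePrincipal and application objects: it reads each service principal's servicePrincipalType (Application, ManagedIdentity, Legacy), checks whether a matching App Registration exists in the home tenant, and reports whether the registration lives here, in another tenant (the multi-tenant case from sample 1), or is missing altogether. Every tenant id, name and object below is a constructed sample, and the idea that the portal's default "Enterprise Applications" filter keys on the WindowsAzureActiveDirectoryIntegratedApp tag (which would explain sample 2 only showing up without a filter) is my assumption, not something the answer states.

```python
"""Classify Azure AD service principals by type and locate their app registrations.

The objects below mimic the shape of Microsoft Graph /servicePrincipals and
/applications responses, trimmed to the fields the classification needs.
All ids, names and objects are constructed samples for this example.
"""

HOME_TENANT_ID = "00000000-0000-0000-0000-000000000001"  # constructed sample tenant id

# Assumption (not from the answer): the portal's default "Enterprise Applications"
# filter shows only service principals carrying this tag; principals created with
# `az ad sp create-for-rbac` do not carry it, so they appear only under "All Applications".
INTEGRATED_APP_TAG = "WindowsAzureActiveDirectoryIntegratedApp"

# Constructed sample: what GET /servicePrincipals might return for this tenant.
SERVICE_PRINCIPALS = [
    {   # sample 2 from the question: created with `az ad sp create-for-rbac`
        "displayName": "ServicePrincipalName",
        "appId": "11111111-1111-1111-1111-111111111111",
        "servicePrincipalType": "Application",
        "appOwnerOrganizationId": HOME_TENANT_ID,
        "tags": [],
    },
    {   # sample 1 from the question: multi-tenant SaaS app, registration lives in the vendor's directory
        "displayName": "Vendor SaaS App",
        "appId": "22222222-2222-2222-2222-222222222222",
        "servicePrincipalType": "Application",
        "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
        "tags": [INTEGRATED_APP_TAG],
    },
    {   # system-assigned managed identity of a VM: never has an app registration
        "displayName": "my-vm",
        "appId": "33333333-3333-3333-3333-333333333333",
        "servicePrincipalType": "ManagedIdentity",
        "appOwnerOrganizationId": None,
        "tags": [],
    },
    {   # owner says this tenant, but the registration is gone: worth investigating
        "displayName": "Orphaned App",
        "appId": "44444444-4444-4444-4444-444444444444",
        "servicePrincipalType": "Application",
        "appOwnerOrganizationId": HOME_TENANT_ID,
        "tags": [INTEGRATED_APP_TAG],
    },
]

# Constructed sample: what GET /applications (App Registrations) returns for this tenant.
APPLICATIONS = [
    {"displayName": "ServicePrincipalName", "appId": "11111111-1111-1111-1111-111111111111"},
]


def classify(sp, local_app_ids, home_tenant_id=HOME_TENANT_ID):
    """Return the type of one service principal and where its app registration lives."""
    sp_type = sp.get("servicePrincipalType")
    owner = sp.get("appOwnerOrganizationId")
    if sp_type == "ManagedIdentity":
        registration = "none"           # managed identities have no app registration at all
    elif sp["appId"] in local_app_ids:
        registration = "this-tenant"    # registration and service principal both live here
    elif owner and owner != home_tenant_id:
        registration = "other-tenant"   # multi-tenant app: only the service principal is local
    else:
        registration = "missing"        # owner claims this tenant, but no registration found
    return {
        "displayName": sp["displayName"],
        "type": sp_type,
        "registration": registration,
        "in_default_filter": INTEGRATED_APP_TAG in sp.get("tags", []),
    }


def classify_all(sps=SERVICE_PRINCIPALS, apps=APPLICATIONS, home_tenant_id=HOME_TENANT_ID):
    """Classify every service principal, keyed by display name."""
    local_app_ids = {app["appId"] for app in apps}
    return {r["displayName"]: r for r in (classify(sp, local_app_ids, home_tenant_id) for sp in sps)}


if __name__ == "__main__":
    for name, r in classify_all().items():
        print(f"{name:22} type={r['type']:16} registration={r['registration']:13} "
              f"default-filter={r['in_default_filter']}")
```

Against real data, the two lists would come from `az ad sp list --all` and `az ad app list --all` (or the equivalent Graph calls); the "missing" bucket is the one a reviewer of a tenant would look at first, since a service principal whose registration has been deleted can still hold role assignments.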
