How does an Azure Service Principal (SPN) define who can access the application?

Chetan Krishna Sangoram 61 Reputation points
2022-03-04T17:07:43.843+00:00

While going through reams of documentation on Service Principals, including many question threads and also Stack Overflow, the literature claims that "Service principals define who can access the application, and what resources the application can access." For example, this is from the Microsoft Learn page below:

service-accounts-principal

While the latter part of the statement, "what resources the application can access", is fairly clear and is the technical-user kind of use case of a Service Principal, where and how is the first part, "Service principals define who can access the application", implemented? Especially in a single-tenant app registration.


Accepted answer
  1. Shweta Mathur 28,201 Reputation points Microsoft Employee
    2022-03-08T18:43:17.817+00:00

    Hi @Chetan Krishna Sangoram

    Thanks for reaching out and apologies for the delay in response.

    I understand you are trying to understand how a service principal defines whom to authenticate to access the application.

    So when you are registering the application, there is always a service principal created in Enterprise applications for the same application, with a different object ID. As specified, the Service Principal can manage who can access that application in that tenant.

    You need to have the Global Administrator, Cloud Application Administrator or Application Administrator role, or be an owner of the service principal, to assign access to the application.

    In the Enterprise application, the Service Principal can control who can access the application based on the "Assignment required" box.
    If you have the "Assignment required" box checked within your Enterprise application, then users must be assigned to the application before being able to access it.
    If this option is set to No, then any user who navigates to the application URL directly will be granted access.


    To restrict access to particular users, "Assignment required" should be set to "Yes", and then select those users who can access the application.


    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------

    Please remember to "Accept Answer" if answer helped you.
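The audit-and-remediate version of the steps in the accepted answer, as an added example that is not part of the original answer. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds one of the roles the answer lists (or owns the service principal); the app name "Contoso Expense App" and the user "alice@contoso.example" are placeholders.

```powershell
# Added example (not from the original answer). Placeholder values:
# "Contoso Expense App" (enterprise app display name) and "alice@contoso.example" (UPN).
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All"

# 1. Audit: enterprise applications whose "Assignment required" is No, i.e. any
#    signed-in user in the tenant can reach the app. Managed identities are excluded.
$openApps = Get-MgServicePrincipal -All |
    Where-Object { $_.ServicePrincipalType -eq 'Application' -and -not $_.AppRoleAssignmentRequired }
$openApps | Select-Object DisplayName, AppId, Id | Format-Table -AutoSize

# 2. Remediate one app: set "Assignment required" to Yes on its service principal
#    (the Enterprise application object, which has a different object ID from the
#    App registration object, as the answer notes).
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expense App'"
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 3. Assign one user. The all-zero AppRoleId is the "default access" role used when
#    the application defines no app roles of its own.
$user = Get-MgUser -UserId "alice@contoso.example"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty)

# 4. Verify who (users and groups) is now assigned to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Step 1 is the check worth scheduling: an app that later flips back to "Assignment required = No" silently reopens itself to every user in the tenant.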


1 additional answer

  1. Everton Collins 0 Reputation points
    2023-09-27T16:28:38.4233333+00:00

    Thanks, a useful answer.
