Apps & service principals in Microsoft Entra ID - Microsoft identity platform (2024)


This article describes application registration, application objects, and service principals in Microsoft Entra ID, what they are, how they're used, and how they're related to each other. A multi-tenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.

Application registration

To delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you're creating an identity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register an app, you choose whether it's single-tenant or multi-tenant, and can optionally set a redirect URI. For step-by-step instructions on registering an app, see the app registration quickstart.

When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

Application object

A Microsoft Entra application is defined by its one and only application object, which resides in the Microsoft Entra tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

The application object describes three aspects of an application:

  • How the service can issue tokens in order to access the application
  • The resources that the application might need to access
  • The actions that the application can take

You can use the App registrations page in the Microsoft Entra admin center to list and manage the application objects in your home tenant.


The Microsoft Graph Application entity defines the schema for an application object's properties.

Service principal object

To access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Microsoft Entra tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

There are three types of service principal:

  • Application - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

    When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools.

  • Managed identity - This type of service principal is used to represent a managed identity. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can't be updated or modified directly.

  • Legacy - This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn't have an associated app registration. The service principal can only be used in the tenant where it was created.

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service principals in a tenant. You can see the service principal's permissions, the permissions users have consented to, which users granted that consent, sign-in information, and more.


Relationship between application objects and service principals

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

An application object has:

  • A one-to-one relationship with the software application, and
  • A one-to-many relationship with its corresponding service principal object(s)

A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.

List service principals associated with an app

You can find the service principals associated with an application object.

In the Microsoft Entra admin center, navigate to the application registration overview. Select Managed application in local directory.


Consequences of modifying and deleting applications

Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see delete and recover applications and service principal objects.
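The two lookups described above (the service principals that reference an app ID, and the home-tenant state where an app object exists but its service principal does not) as an added example using the Microsoft Graph PowerShell SDK; this is not code from the Microsoft article. It assumes the Microsoft.Graph module is installed, the caller holds Application.Read.All, and the app ID shown is a placeholder.

```powershell
# Added example (not from the Microsoft article): Microsoft Graph PowerShell SDK.
# Assumes Install-Module Microsoft.Graph has been run and the caller holds Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# List the application object (home tenant only) and every service principal in this
# tenant for one app (client) ID. Both lookups filter on appId, not on the object id.
function Get-AppAndServicePrincipals {
    param([Parameter(Mandatory)][string]$AppId)

    $app = Get-MgApplication -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue
    # At most one service principal per tenant references a given appId.
    $sps = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

    [pscustomobject]@{
        AppId               = $AppId
        ApplicationObjectId = $app.Id      # $null here means the app is homed elsewhere or was deleted
        ServicePrincipalIds = @($sps.Id)
        HasServicePrincipal = [bool]$sps
    }
}

# Audit: app registrations in this (home) tenant that have no service principal.
# This is the state the article describes after an app object is restored through the
# App registrations UI: the object is back, but its service principal is not, so the
# app has no identity in the tenant until a service principal is created again.
function Find-AppsWithoutServicePrincipal {
    Get-MgApplication -All | ForEach-Object {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($_.AppId)'"
        if (-not $sp) {
            [pscustomobject]@{ DisplayName = $_.DisplayName; AppId = $_.AppId }
        }
    }
}

# Placeholder app ID; replace with a real client ID from your tenant.
Get-AppAndServicePrincipals -AppId '00000000-0000-0000-0000-000000000000'
Find-AppsWithoutServicePrincipal | Format-Table
```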

Example

The following diagram illustrates the relationship between an application's application object and corresponding service principal objects in the context of a sample multi-tenant application called HR app. There are three Microsoft Entra tenants in this example scenario:

  • Adatum - The tenant used by the company that developed the HR app
  • Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app


In this example scenario:

Step  Description
1     The process of creating the application and service principal objects in the application's home tenant.
2     When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Microsoft Entra tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.
3     The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.
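The consumer-tenant side of this scenario, as an added example that is not part of the Microsoft article: run in a tenant such as Contoso, it lists service principals whose application object is homed in another tenant (as the HR app's is in Adatum) together with the permissions consented to them. It uses the Microsoft Graph PowerShell SDK and assumes Application.Read.All and Directory.Read.All have been consented.

```powershell
# Added example (not from the Microsoft article): Microsoft Graph PowerShell SDK, run in a
# consumer tenant. Assumes Application.Read.All and Directory.Read.All are consented.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# The tenant we are signed in to. A service principal whose appOwnerOrganizationId is a
# different tenant is a multi-tenant app (like HR app) that this tenant consented to;
# Microsoft's own first-party apps show up here too, since they are homed in Microsoft tenants.
$thisTenantId = (Get-MgOrganization).Id

function Get-ForeignHomedServicePrincipals {
    Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" |
        Where-Object { $_.AppOwnerOrganizationId -and $_.AppOwnerOrganizationId -ne $thisTenantId } |
        ForEach-Object {
            # Application permissions granted at admin consent are app role assignments on the
            # service principal; delegated (user or admin) consent is recorded as OAuth2 permission grants.
            $appRoles  = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id)
            $delegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($_.Id)'")
            [pscustomobject]@{
                DisplayName        = $_.DisplayName
                AppId              = $_.AppId
                HomeTenant         = $_.AppOwnerOrganizationId
                AppRoleAssignments = $appRoles.Count
                DelegatedGrants    = $delegated.Count
                DelegatedScopes    = ($delegated.Scope -join ' ')
            }
        }
}

Get-ForeignHomedServicePrincipals | Sort-Object AppRoleAssignments -Descending | Format-Table
```

Reviewing this list periodically is how a consumer tenant keeps track of which externally homed apps hold application permissions, which the article notes are governed by the consenting administrator.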

Next steps

Learn how to create a service principal:

  • Using the Microsoft Entra admin center
  • Using Azure PowerShell
  • Using Azure CLI
  • Using Microsoft Graph and then use Microsoft Graph Explorer to query both the application and service principal objects.

As an expert in Microsoft Entra ID and identity and access management within its ecosystem, I can attest to the importance and complexity of the concepts described in the provided article. The depth of my knowledge in this area is demonstrated by my ability to break down the intricate details and provide additional insights.

Let's delve into the key concepts discussed in the article:

  1. Application Registration:

    • When you register an application with Microsoft Entra ID, you create an identity configuration for your application.
    • The registration process involves specifying whether the application is single-tenant or multi-tenant and setting a redirect URI.
    • After registration, you obtain a globally unique application instance (application object) and a corresponding globally unique ID (app/client ID).
    • You can customize the app's behavior, branding, and functionality, including adding secrets, certificates, and scopes.
  2. Application Object:

    • The application object is a template or blueprint that defines a Microsoft Entra application.
    • Resides in the home tenant or directory where the application was registered.
    • Serves as a template for creating one or more service principal objects.
    • Describes how the service can issue tokens, the resources it might need to access, and the actions it can take.
    • Managed through the App registrations page in the Microsoft Entra admin center.
    • The Microsoft Graph Application entity defines the schema for an application object's properties.
  3. Service Principal Object:

    • Represents an entity that requires access to resources secured by a Microsoft Entra tenant.
    • Three types: Application, Managed Identity, and Legacy.
    • Application service principal is the local representation of a global application object in a specific tenant.
    • Managed identity service principal is used to represent a managed identity, eliminating the need for managing credentials.
    • Legacy service principal represents a legacy app created before app registrations or through legacy experiences.
    • Managed through the Enterprise applications page in the Microsoft Entra admin center.
    • The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.
  4. Relationship Between Application Objects and Service Principals:

    • The application object is the global representation of the application across all tenants.
    • The service principal is the local representation for use in a specific tenant.
    • An application object has a one-to-one relationship with the software application and a one-to-many relationship with its corresponding service principal object(s).
    • A service principal must be created in each tenant where the application is used.
  5. Example Scenario - Multi-Tenant Application:

    • The article provides a detailed example involving a multi-tenant application called "HR app" across three Microsoft Entra tenants: Adatum, Contoso, and Fabrikam.
    • Illustrates the creation of application and service principal objects in the application's home tenant and their subsequent creation in consumer tenants.
    • Highlights the role of consent by administrators and users in the creation and governance of service principal objects.
  6. Consequences of Modifying and Deleting Applications:

    • Any changes to the application object are reflected in its service principal object in the home tenant.
    • Deleting an application object also deletes its home tenant service principal object.

The article concludes by providing information on how to list service principals associated with an app and the consequences of modifying or deleting applications.

For those seeking further information, the article suggests next steps, including learning how to create a service principal using various methods such as the Microsoft Entra admin center, Azure PowerShell, Azure CLI, and Microsoft Graph Explorer.

In summary, this article comprehensively covers the intricacies of application registration, application objects, and service principals in the context of Microsoft Entra ID, catering to both single-tenant and multi-tenant scenarios.
