Exploring Microsoft Entra ID – What is Application registration? What are the Application and Service Principal objects?

Hi All,
Greetings for the day!
We started exploring Microsoft Entra ID in earlier articles; today we move ahead.
In one of the previous articles we discussed how to get the list of all applications and export it to CSV – Exploring Microsoft Entra – How to download all applications list from Microsoft Entra admin center – https://knowledge-junction.in/2024/03/13/microsoft-entra-download-apps-entra-admin-center/
But what exactly is an Application object? What happens when we register an application from the Microsoft Entra admin center? In this article we will discuss these points.
First navigate to the Microsoft Entra admin center – https://entra.microsoft.com/. We also have a detailed article on how to get there – Small Tips and Tricks – Microsoft Entra admin center – How to navigate – Microsoft Entra admin center – https://knowledge-junction.in/2022/12/19/small-tips-and-tricks-microsoft-entra-admin-center-how-to-navigate-microsoft-entra-admin-center/
In the left pane of the Microsoft Entra admin center we have the “Applications” link under the “Identity” section; expanding it gives two options – “Enterprise applications” and “App registrations“

Application registration
- To delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant
- When we register application with Microsoft Entra ID, we’re creating an identity configuration for our application that allows it to integrate with Microsoft Entra ID
- We have a detailed article on registering an app in the Microsoft Entra admin center, kindly have a look – Microsoft Entra – registering new application and assigning permissions to access Microsoft Graph APIs – https://knowledge-junction.in/2024/01/18/microsoft-entra-registering-new-application-and-assigning-permissions-to-access-microsoft-graph-apis/
- When the app registration is complete, we have a globally unique Application object
- This application object always lives in the home tenant / directory where it was created, even in a multi-tenant scenario
- So once app registration is done from the admin center, two objects exist in our home tenant – an application object and a service principal object
- As shown in the figure above, we can use the App registrations page in the Microsoft Entra admin center to create / manage / register apps – https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM
What is Application object
- An application object is used as a template or blueprint to create one or more service principal objects
- When we register an app, the application object is created. There is one and only one application object for an app, and it resides in the home tenant where the app was registered
- The application object describes three aspects of an application:
- How the service can issue tokens in order to access the application
- The resources that the application might need to access
- The actions that the application can take
What is Service Principal object
- A service principal is the entity that is required to access resources secured by Microsoft Entra ID; it is the identity that tokens are actually issued to
- A service principal is the instance of the application in a given tenant
- A service principal derives certain properties from the application object and references the globally unique application object through its appId
- A Service Principal is created in every tenant where the application is used
- The service principal object defines
- what the app can actually do in the specific tenant
- who can access the app
- and what resources the app can access.
- The service principal defines the access policy and permissions for the user/application in that Microsoft Entra tenant; consent grants and app role assignments are recorded on the service principal, so a multi-tenant app can hold different permissions in each tenant where it is used
- This enables core features such as authentication of the user/application during sign-in, and authorization during resource access
- When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created in that tenant
- When we register an application from the Microsoft Entra admin center, a service principal is created automatically in the home tenant
- We can also create service principal objects in a tenant using Azure PowerShell, Azure CLI or Microsoft Graph
- We can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service principals in a tenant – https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview
NOTE : If we register an app using the Microsoft Graph API (POST /applications), only the application object is created; we need to separately create the service principal object (POST /servicePrincipals with the app’s appId), otherwise the app cannot sign in to or be granted permissions in the tenant
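As an added, worked example that is not part of the original article, the following Microsoft Graph PowerShell script walks through the steps described above: it registers an app through the Graph API, shows that this creates only the application object, creates the service principal separately, compares the two objects, and then reads what the service principal has actually been granted in the tenant. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the Application.ReadWrite.All and Directory.Read.All scopes; the display name kj-demo-app is an arbitrary placeholder.

```powershell
# Added example (not from the original article). Assumptions: Microsoft.Graph
# PowerShell SDK available, signed-in account can consent to the scopes below,
# and the display name "kj-demo-app" is a placeholder that is free in the tenant.

Install-Module Microsoft.Graph.Applications -Scope CurrentUser   # one-time
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.Read.All"

# 1. Register the app. This is POST /applications: it creates the application
#    object in the home tenant and nothing else.
$app = New-MgApplication -DisplayName "kj-demo-app" -SignInAudience "AzureADMyOrg"
"Application object id  : $($app.Id)"
"Application (client) id: $($app.AppId)"

# 2. No service principal exists yet, so the app cannot sign in to this tenant
#    and has nothing that permissions could be granted to.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { "No service principal yet for appId $($app.AppId)" }

# 3. Create the service principal: POST /servicePrincipals with the appId.
#    The admin center does this step for you; the Graph API does not.
$sp = New-MgServicePrincipal -AppId $app.AppId
"Service principal id   : $($sp.Id)"
"Service principal appId: $($sp.AppId)"

# 4. Two distinct objects (different object ids) that share one appId; the
#    appId is how the service principal references its application object.
if ($sp.Id -ne $app.Id -and $sp.AppId -eq $app.AppId) {
    "Service principal references the application object through appId $($sp.AppId)"
}

# 5. What the app can actually do in THIS tenant is recorded on the service
#    principal, not on the application object: granted application permissions
#    show up as app role assignments, delegated permissions as OAuth2 permission
#    grants. Both lists are empty for a fresh registration with no consent.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Select-Object ResourceDisplayName, AppRoleId
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ConsentType, Scope

# 6. Clean up the demo objects. Deleting the application object also removes
#    its service principal in the home tenant.
Remove-MgApplication -ApplicationId $app.Id
```

Run the script in a test tenant. The useful check is step 2: the same `Get-MgServicePrincipal -Filter "appId eq '...'"` query is how you find out whether an app that was registered programmatically is actually usable in a tenant, and step 5 is where to look when reviewing what an existing enterprise application has been granted.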

REFERENCES
- Small Tips and Tricks – Microsoft Entra admin center – How to navigate – Microsoft Entra admin center – https://knowledge-junction.in/2022/12/19/small-tips-and-tricks-microsoft-entra-admin-center-how-to-navigate-microsoft-entra-admin-center/
- Microsoft Entra – registering new application and assigning permissions to access Microsoft Graph APIs – https://knowledge-junction.in/2024/01/18/microsoft-entra-registering-new-application-and-assigning-permissions-to-access-microsoft-graph-apis/
