Menu
Three topics in Azure AD I'm constantly confused on:
What is the difference?
I can easily go into "App Registrations" and register an "app" while that "app" doesn't even need to exist. All it requires is a URL which can also be totally random. This app registration then becomes a service principal which you can use to connect to Azure to from PowerShell for instance? Why? I don't understand this.
Please advise, and as you can probably tell, I'm new to Azure :)
346
Relationship between application objects and service principals. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
Enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access to the directory it exists, and act as an instance of the application.
An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a single tenant or directory. It functions as the identity of the application instance. Service principals define who can access the application, and what resources the application can access.
A key concept here is that a Service Principal will be created in your AAD whenever you create an App Registration or register an existing Application object (say from the marketplace or another tenant). Creating an App Registration is going to essentially define the application itself.
When you write an application as a developer, you will register it in a given tenant, and will specify it's properties. This happens in the App Registration blade in Azure AD. I'll dare an analogy by saying that the app is like a "class" in object oriented languages (with some static properties, which will be common to all instances)
By registering the application, in that given tenant if you use the portal this also automatically created a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal. To continue with my analogy the portal creates a kind of instance of that class. This service principal contains information which are related to both the application and the tenants and its users. For instance it contain the activity of the users, what they have consented to in particular.
Now if during the app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember this instance) will be created in that tenant.
BTW, you go to the new App Registration (Preview) blade in the azure portal, when you create an application, you can now see nicely grouped by categories all the properties of the app (all the properties which are common to all the service principal). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app, when, where you can grant admin consent - if you are tenant admin -, and see the activity and the audit logs)
134
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
