Azure AD SPN and UPN?

Question

I want to understand the difference between the SPN & UPN in Azure AD Context. My understanding is there are three way to establish identity in Azure AD

1. Users Key in their username and Password to establish Identity
2. An application using ClientId and Secret Key to establish Identity
3. An application using ClientId and Certificate to establish Identity

Is User/Password is called UPN & rest two are called SPN? Also is there any other way to establish identity?

Answer 1

In Azure AD, UPN is the User Principal Name. It is always in the format which looks like an email address. Essentially it has three parts. User account name, the separator (i.e. @ symbol) and UPN suffix or domain name. Its primary purpose is to use during the authentication and represents user identity.

SPN is the Service Principal Name. The service principal object defines the policy and permissions for an application, providing the basis for a security principal to represent the application when accessing resources at run-time. App identity (service principal) is preferable to running the app under your own credentials (user identity) because:

1. You can assign permissions to the app identity that are different than your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.

2. You do not have to change the app's credentials if your responsibilities change.

3. You can use a certificate to automate authentication when executing an unattended script.

You could create service principal with password or certificate as you shown. Please click here for more about application and service principal objects in Azure Active Directory, and click here for how to use portal to create an Azure Active Directory application and service principal that can access resources. You could choose other ways (e.g. PowerShell/CLI) on the left navigation panel.