According to this documentation, Application and Service principal are clearly two different things: the Application is the global identity and the Service principal is per tenant/AAD.
But This Documentation and This Stack Overflow Question suggest they are the same.
To make it more confusing, when I used the Graph API (from the first reference) and queried by my application name:
https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'
I see an object ID and an Application ID (which I thought were the same), but no service principal ID in the JSON.
What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)? Thanks.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
Relationship between application objects and service principals. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
Client ID (equal to Application ID): You can find the applications registered in your Azure subscription under Azure AD => Enterprise applications => Application Name. You can log in to Azure with the ClientId and ClientSecret and use it to manage user rights, send emails, etc.
Short answer: Application and Service principal are definitely two different things (related in 1:many fashion but definitely different objects).
Working with Azure AD Graph API
Finding Application. As you already mentioned in question.
https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'
Finding Service Principal
https://graph.windows.net/<tenantName>/servicePrincipals?api-version=1.6&$filter=displayName eq '<Application Name>'
Small things to notice in the JSON: objectId and objectType will be different for the application object and the service principal object that you get back from the above-mentioned queries. appId and displayName are the same, since they are related to the same logical application.
Your question about: What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)
Firstly, the link in your question Application and service principal objects in Azure Active Directory, is a great resource to understand concepts. I won't do a better job than that documentation to explain concepts, so do read through it more than once if needed. I will try to highlight some information to answer your specific queries though.
You can think of the application object that you retrieved from Azure AD Graph API above (or see in the App registrations section of Azure Portal > Azure Active Directory) as the single and main definition of the software application that you are developing and registering with Azure AD for identity purposes. NOTE: In case of multi-tenant applications you will find this application object only in the "home" tenant, where application was registered with Azure AD.
Service Principal (what you see under Enterprise applications section of Azure Portal > Azure Active Directory) on the other hand is something that will get created in every Azure AD tenant that wants to use this application. For the "home" tenant Service principal is created at the time of app registration, for all other tenants service principal is created at the time of consent.
So there will always be only 1 application object to represent application. There will be at least 1 service principal created at time of app registration. Although, as you start using a multi-tenant application from multiple tenants, 1 service principal will get created for every new Azure AD tenant where user gives consent for application. Hence the relation between application and service principal object becomes 1:many
appId will be the same for the single application object that represents this application, as well as for all service principals created for this application.
objectId will be a unique value for the application object and for each of the service principals. This uniquely identifies the object in Azure AD. It's a property that you will find on all Azure AD objects, even a user, group or anything else in Azure AD.
clientId will be the same as appId. It will be relevant in contexts such as acquiring a token using one of the OAuth flows that Azure AD supports (say while writing code using ADAL libraries, or using the REST API to hit the Azure AD token endpoints). It is not a direct property you will find with that exact name on an application or service principal object.
On a side note, the other two links that confused you are more How-to articles trying to get the job done rather than deeply explaining the concepts you're looking for. I don't think any documentation will explicitly say that application and service principal are the same thing (since they are technically not). Although I can understand how it can get confusing sometimes, when application and service principal are used interchangeably when loosely referring to the application in the context of authentication-related tasks.
Here is another SO post on similar topic with a good answer from Jean-Marc Prieur. It may not answer all your specific queries but certainly hits the concepts.
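As an added example (not part of either answer above, and not Microsoft's own code), the script below shows the 1:many relationship in working code: it builds the two Azure AD Graph queries from the answer with the OData filter properly percent-encoded, then parses the two responses and checks the invariants the answer states (one application object, every service principal shares its appId, every objectId is unique). The JSON documents and GUIDs are constructed samples, not real tenant data, and the function names are this example's own. Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph, where the same fields appear as appId and id; the parsing here follows the Azure AD Graph shape quoted in the answer.

```python
"""Relate an Azure AD application object to its service principals.

Added example: parses the response shape of the Azure AD Graph queries
quoted in the answer above. All identifiers below are constructed samples.
"""
import json
from urllib.parse import quote

# Constructed sample: the single application object a /applications query returns.
APPLICATIONS_RESPONSE = json.dumps({
    "value": [
        {
            "objectType": "Application",
            "objectId": "11111111-1111-1111-1111-111111111111",
            "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
            "displayName": "Contoso Reporting",
        }
    ]
})

# Constructed sample: two service principals for the same appId, as a multi-tenant
# app would have (one in the home tenant, one created when a second tenant consented).
SERVICE_PRINCIPALS_RESPONSE = json.dumps({
    "value": [
        {
            "objectType": "ServicePrincipal",
            "objectId": "22222222-2222-2222-2222-222222222222",
            "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
            "displayName": "Contoso Reporting",
        },
        {
            "objectType": "ServicePrincipal",
            "objectId": "33333333-3333-3333-3333-333333333333",
            "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
            "displayName": "Contoso Reporting",
        },
    ]
})


def graph_query_url(tenant, collection, display_name, api_version="1.6"):
    """Build the Azure AD Graph URL from the answer with the filter URL-encoded.

    `collection` is "applications" or "servicePrincipals". A single quote inside
    an OData string literal is escaped by doubling it.
    """
    literal = display_name.replace("'", "''")
    filt = f"displayName eq '{literal}'"
    return (f"https://graph.windows.net/{quote(tenant, safe='')}/{collection}"
            f"?api-version={api_version}&$filter={quote(filt, safe='')}")


def relate(app_response_json, sp_response_json):
    """Link one application object to its service principals.

    Raises ValueError when the responses violate the relationship described in
    the answer, so a caller cannot silently mix up two registrations.
    """
    app_values = json.loads(app_response_json)["value"]
    sp_values = json.loads(sp_response_json)["value"]
    if len(app_values) != 1:
        raise ValueError(f"expected exactly one application object, got {len(app_values)}")
    app = app_values[0]
    if app["objectType"] != "Application":
        raise ValueError(f"unexpected objectType {app['objectType']!r} for application")
    sps = [sp for sp in sp_values if sp["objectType"] == "ServicePrincipal"]
    # Every service principal of this application carries the application's appId.
    mismatched = [sp["objectId"] for sp in sps if sp["appId"] != app["appId"]]
    if mismatched:
        raise ValueError(f"service principals with a different appId: {mismatched}")
    # objectId is unique per directory object, application and service principals alike.
    object_ids = [app["objectId"]] + [sp["objectId"] for sp in sps]
    if len(set(object_ids)) != len(object_ids):
        raise ValueError("objectId values must be unique across directory objects")
    return {
        "appId": app["appId"],  # the same value is used as clientId in OAuth flows
        "applicationObjectId": app["objectId"],
        "servicePrincipalObjectIds": [sp["objectId"] for sp in sps],
    }


if __name__ == "__main__":
    print(graph_query_url("contoso.onmicrosoft.com", "applications", "Contoso Reporting"))
    print(graph_query_url("contoso.onmicrosoft.com", "servicePrincipals", "Contoso Reporting"))
    print(json.dumps(relate(APPLICATIONS_RESPONSE, SERVICE_PRINCIPALS_RESPONSE), indent=2))
```

The returned mapping is the practical takeaway: one appId (what you pass as clientId when requesting a token), one application objectId, and a list of service principal objectIds that grows by one for every tenant that consents. Role assignments and permissions in a given tenant hang off the service principal's objectId, not off the appId, which is why the two must not be confused when granting or auditing access.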