
I already know the difference between App Registration and Service Principal in Azure. There is also a good explanation in this post: Difference between "enterprise application" and "app registration" in Azure.

However, when an app registration is created, an application ID and a secret or certificate are created. At the same time, within the tenant the service principal which refers to the app registration is also created.

So my question would be: do the app registration and the service principal have the same secret? If the secret for the app registration expires and I update it, what happens with the secret of the service principal, is it also updated? And vice versa, if the secret for the service principal expires and I update it, what happens with the secret of the app registration, is it also updated? I guess no, because the service principal inherits the setting from the app registration.

Any explanation about the relationship between the app registration's secret and the service principal's secret would be helpful.

Update 31.01.2020: I have an app registration called sp-acr-mit-pull and also a corresponding service principal which refers to this app registration, and of course both have the same app ID and different object IDs.

[screenshot]

Now, if I check the endDate of the app registration, it is empty.

[screenshot]

If I check the endDate of the SP, it shows me the expiry date.

[screenshot]

If I perform an update of the service principal via the command

```
az ad sp credential reset --name sp-acr-mit-pull --years 2
```

the opposite happens: I can see the new expiry date for the app registration and the old one for the service principal.

[screenshot]

olti

1 Answer


> However, when an app registration is created, an application ID and a secret or certificate are created. At the same time, within the tenant the service principal which refers to the app registration is also created.

This is only when you create the App Registration from the Portal. In the portal, both are created simultaneously when an app is registered in Azure AD. But in CLI, PowerShell or any other programmatic way, it is done manually by creating an app registration first and then associating it with the service principal.

> So my question would be: do the app registration and the service principal have the same secret? If the secret for the app registration expires and I update it, what happens with the secret of the service principal, is it also updated? And vice versa, if the secret for the service principal expires and I update it, what happens with the secret of the app registration, is it also updated? I guess no, because the service principal inherits the setting from the app registration.

Both the App registration secret and the Service Principal secret are used by one Azure AD client, so creating either depends on your requirement.

The secret of the App registration can be seen from the Portal, whereas it's not the same for the secret of the Service Principal. So, the App registration and Service Principal have the same secret but are independent of each other.

So, for example, if you create a secret for the service principal from the CLI or any command (which is the only way to create a secret for a service principal as of now), then you will have to auto-rotate it as well, because the service principal secret will not be visible from the portal. But at the same time, if you create a secret for the app registration, then even if you forget to rotate it, it will be visible from the portal as expired and you can rotate it then.

For more details on the difference and relationship between App registration and Service Principal, you can refer to this Microsoft documentation.

Ansuman Bal
  • With this statement "The secret of the App registration can be seen from Portal whereas its not the same for the secret of Service Principal....." do you mean I can see the secret of the App registration in the portal but I can see the secret for the Service Principal and they both have the same secret? What about [modifying and deleting applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#consequences-of-modifying-and-deleting-applications)? In case I modify the secret for the app registration, what happens with the service principal? And vice versa? – olti Jan 27 '22 at 10:17
  • @olti, both have different values, meaning the service principal secret and the AD application secret have different values if you create them. The AD application secret can be seen on the portal, but the value is provided with a hint only and you can't retrieve the value afterwards as well; it's like a one-time feature to note down the secret value for future use. – Ansuman Bal Jan 27 '22 at 10:23
  • Whereas the service principal secret can't be seen from the portal. Here also the same thing: the value of the secret can't be retrieved afterwards, only at the time of creation you can note the value for future use. – Ansuman Bal Jan 27 '22 at 10:24
  • But whatever you use, i.e. the AD app secret or the service principal secret, will be used against the same application, i.e. the AD app and the service principal (enterprise application) will correlate with the same client ID. – Ansuman Bal Jan 27 '22 at 10:26
  • "What about modifying and deleting applications? In case I modify the secret for the app registration, what happens with the service principal? And vice versa?" The changes on configuration etc. get synced if done from any end, but that's not the same for the secret value. But a single secret in Azure AD is utilized by both, referring to the client ID of the app (may it be the app reg object or the service principal object). – Ansuman Bal Jan 27 '22 at 10:36
  • How do you explain this behavior? After an app registration I created, I can get the endDate with `get-azadappcredential -objectid` (object ID of the app reg). In case I run the command `get-azadspcredential -objectid` (object ID of the service principal), it shows nothing. Both have the same application ID, which means they are related. – olti Jan 28 '22 at 07:59
  • In case I update the secret with `az ad sp credential reset --name` then: – olti Jan 28 '22 at 08:01
  • @olti, as I have mentioned earlier as well, they both are different. If you create it for the app reg then you will get it using `get-azadappcredential -objectid`, and if created for the SP then using `get-azadspcredential -objectid`. What I meant by related is that when you are using client ID and client secret for some methods, you can use the client ID of the app registration, which will be the same for the service principal as well, and as the client secret you can use either the SP secret or the app reg secret. – Ansuman Bal Jan 28 '22 at 08:06
  • If you use `az ad sp credential reset --name`, then it will only reset the value of the SP secret. So you can use the new secret generated for the SP, or if you have an existing secret for the app reg then you can also use that with the client ID. – Ansuman Bal Jan 28 '22 at 08:11
  • In case I update the secret with `az ad sp credential reset --name`, then the opposite happens: `get-azadappcredential -objectid` (object ID of the app reg) shows nothing, and `get-azadspcredential -objectid` (object ID of the service principal) gives the endDate. – olti Jan 28 '22 at 08:14
  • @olti, correct, as you reset the SP credentials and not the app reg credentials. Do you have a secret for the app reg as well? – Ansuman Bal Jan 28 '22 at 08:15
  • It will be better if you post a new question on the same with the required screenshots so that I can have a look there. – Ansuman Bal Jan 28 '22 at 08:18
  • I updated my initial question with some screenshots. – olti Jan 31 '22 at 12:38
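To make the split discussed in this thread concrete, here is an added example (not code from the question, the answer, or any Microsoft tool) that lists the password credentials of the app registration and of its service principal as two separate lists, both looked up by the shared appId, and flags any that are expired or close to expiry. It assumes the current az CLI commands `az ad app credential list --id` and `az ad sp credential list --id` and the Graph JSON field names `endDateTime` and `keyId` (the older `endDate` field shown by Get-AzADAppCredential is also accepted); the credential data at the bottom is constructed for the demonstration and is not real tenant output.

```python
"""Audit password credentials on the two objects that share one appId: the
application (app registration) and the service principal. Added example, not
code from the thread above. Assumes the Microsoft Graph-based az CLI JSON field
names (endDateTime / keyId / displayName) and also accepts the older endDate
field that Az PowerShell's Get-AzADAppCredential shows."""
import json
import re
import shutil
import subprocess
from datetime import datetime, timezone

_FRACTION = re.compile(r"\.\d+")


def parse_utc(stamp):
    """Parse an Azure AD timestamp such as 2022-01-31T12:00:00Z or
    2022-01-31T12:00:00.1234567Z (Graph emits 7 fractional digits, which
    datetime.fromisoformat rejects before Python 3.11). Assumes UTC ('Z')."""
    stamp = _FRACTION.sub("", stamp.rstrip("Z"))
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fetch_credentials(app_id):
    """List password credentials on both objects with the az CLI (needs an
    authenticated session). Both commands take the same appId as --id, which is
    the point of the thread: one client ID, two independent credential lists."""
    if shutil.which("az") is None:
        raise RuntimeError("az CLI not found on PATH")
    commands = {
        "application": ["az", "ad", "app", "credential", "list", "--id", app_id, "-o", "json"],
        "servicePrincipal": ["az", "ad", "sp", "credential", "list", "--id", app_id, "-o", "json"],
    }
    return {obj: json.loads(subprocess.check_output(cmd, text=True)) for obj, cmd in commands.items()}


def audit_credentials(app_creds, sp_creds, now, warn_days=30):
    """Classify every credential on each object as ok / expiring / expired,
    or record 'none' for an object that holds no secret at all. Resetting one
    object's secret does not touch the other list, so both must be checked."""
    findings = []
    for obj, creds in (("application", app_creds), ("servicePrincipal", sp_creds)):
        if not creds:
            findings.append({"object": obj, "keyId": None, "days_left": None, "status": "none"})
            continue
        for cred in creds:
            end = parse_utc(cred.get("endDateTime") or cred.get("endDate"))
            days_left = (end - now).days
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                status = "ok"
            findings.append({"object": obj, "keyId": cred.get("keyId"),
                             "days_left": days_left, "status": status})
    return findings


# Constructed sample data (not real tenant output): the app registration holds
# two secrets, one close to expiry and one already expired; the service
# principal holds the fresh secret produced by `az ad sp credential reset --years 2`.
SAMPLE_NOW = datetime(2022, 1, 31, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_APP_CREDS = [
    {"keyId": "app-key-1", "displayName": "ci-secret", "endDateTime": "2022-02-15T00:00:00Z"},
    {"keyId": "app-key-2", "displayName": "old-secret", "endDateTime": "2021-12-01T00:00:00Z"},
]
SAMPLE_SP_CREDS = [
    {"keyId": "sp-key-1", "displayName": "rbac", "endDateTime": "2024-01-31T12:00:00Z"},
]

if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_APP_CREDS, SAMPLE_SP_CREDS, SAMPLE_NOW):
        print(finding)
    # Against a live tenant, replace the sample with (placeholder appId):
    # creds = fetch_credentials("<appId>")
    # audit_credentials(creds["application"], creds["servicePrincipal"], datetime.now(timezone.utc))
```

Run it as-is to see the three classifications for the constructed data; pointing `fetch_credentials` at a real appId gives you the same report per object, which is the check to schedule if secrets are created on the service principal from the CLI and therefore never surface as "expired" in the portal's app registration blade.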