
From the page about Azure CLI Sign-in:

Service principals are accounts not tied to any particular user, which can have permissions on them assigned through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, allowing you to apply both permissions restrictions and locally stored static credential information.

It seems that a service principal is kind of a service account, a sort of identity which isn't tied to any specific person.

On the other hand, from here it seems that a service principal is an instantiation of the Application object in the domain of App registrations. This has something to do with registering an application so it can be authorized using OAuth 2.0 etc. etc.

So I can't understand the relation between these two concepts. Can someone help?

YoavKlein

1 Answer


A service principal is sort of a service account. It is the thing that permissions are assigned to. For example, if you consent to an application reading your user profile on your behalf, that adds an OAuth 2 permission grant to the service principal. Application permissions add an app role assignment to the service principal when granted.

When you make an app registration, a service principal is also created in that same Azure AD tenant. Even though you add required permissions and consent to them through the app registration forms, the permissions are actually assigned to the service principal. The app registration is only really a template.

Where this gets interesting is if you have a multi-tenant app (other Azure AD tenants' users can use your app). In this case a service principal representing your app is also created in other Azure AD tenants when a user consents to the permissions your app requires. Essentially you get an automatically generated service account in each tenant using your app. This allows admins to decide which permissions to grant your app, which users can access the app etc.

juunas
  • so basically I can think of a service principal as a regular user, which I can assign permissions to. For example, when defining a "Service connection" of type "Azure Resource Manager" in Azure DevOps, I can authenticate using a service principal. So is a service principal just like a user for the manner of sake? – YoavKlein Nov 15 '22 at 13:28
  • Well, sort of. They are also completely separated from users. Like the way you authenticate a user vs authenticate a service principal is completely different. Which I think is a good thing. – juunas Nov 15 '22 at 13:31
  • From what I understood - as you said - the service account is basically the representation of the application registration in my Azure AD tenant. In terms of OAuth 2.0, this is the _Authorization Server_. The authorization server in OAuth 2 is not a _user_ as far as I understand. That's why I'm having a hard time understanding how these things relate to each other... – YoavKlein Nov 15 '22 at 13:33
  • Authorization Server is not an application. Applications are registered in the Authorization Server. The Azure AD tenant is the Authorization Server. – juunas Nov 15 '22 at 14:05
  • Correct - so a service principal is a representation of an application in the Authorization Server. Do you agree that this is a different thing than a user-like entity? – YoavKlein Nov 15 '22 at 14:08
  • Yes. It is not a user. – juunas Nov 15 '22 at 21:28
  • can you please refer to this question: https://stackoverflow.com/questions/74516087/adding-permissions-to-an-application-in-azure-app-registration – YoavKlein Nov 21 '22 at 18:42
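The answer above says the app registration is only a template and that permissions land on the per-tenant service principal. The place this becomes visible is the access token an app obtains with the client credentials grant: the `appid`/`azp` claim names the app registration and is the same everywhere, while `oid` is the object id of the service principal in the tenant named by `tid`, and `roles` lists the app role assignments that tenant's admin granted to that service principal. The script below is an added example, not code from the original post or from Microsoft. The two tokens are constructed offline (unsigned, with made-up GUIDs) so it runs without a tenant; the claim names and the token endpoint format are Azure AD's documented ones, and `describe_principal` is a hypothetical helper written for this illustration.

```python
"""Show which Azure AD object an app-only access token actually identifies.

Added example; the tokens and GUIDs are constructed, not real tenants or apps.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed identifiers: one app registration, used in two tenants.
APP_ID = "11111111-1111-1111-1111-111111111111"        # client id of the registration
HOME_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # tenant that owns the registration
OTHER_TENANT = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # a customer tenant that consented


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with alg=none and an empty signature.

    Only for this offline demonstration; Azure AD always signs its tokens.
    """
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Fine for inspecting a token you just received for debugging. A resource
    server must instead validate signature, issuer, audience and expiry.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_credentials_request(tenant_id: str, client_id: str,
                               client_secret: str, scope: str):
    """Return (url, form body) for the OAuth 2.0 client credentials grant.

    The request is built but not sent, so the script stays offline. Note the
    tenant id in the URL: it selects which service principal (and therefore
    which app role assignments) the resulting token will represent.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,                           # e.g. https://graph.microsoft.com/.default
    })
    return url, body


def describe_principal(token: str) -> dict:
    """Map token claims back to the directory objects they refer to."""
    c = decode_claims(token)
    return {
        # v1 tokens carry appid, v2 tokens carry azp; both name the Application object.
        "app_registration": c.get("appid") or c.get("azp"),
        "service_principal": c["oid"],            # per-tenant object, not the registration
        "tenant": c["tid"],
        "app_roles": c.get("roles", []),          # app role assignments on that SP
        # Heuristic: delegated tokens carry scp, app-only tokens carry roles.
        "token_type": "delegated" if "scp" in c else "app-only",
    }


# Constructed tokens: same app registration, different service principal per tenant.
TOKEN_HOME = make_unsigned_token({
    "appid": APP_ID, "tid": HOME_TENANT,
    "oid": "cccccccc-cccc-cccc-cccc-cccccccccccc",
    "roles": ["User.Read.All"],
})
TOKEN_OTHER = make_unsigned_token({
    "azp": APP_ID, "tid": OTHER_TENANT,
    "oid": "dddddddd-dddd-dddd-dddd-dddddddddddd",
    "roles": [],                                  # that tenant's admin granted nothing
})


def same_app_different_principal(tok_a: str, tok_b: str) -> bool:
    """True when two tokens come from one registration but distinct service principals."""
    a, b = describe_principal(tok_a), describe_principal(tok_b)
    return (a["app_registration"] == b["app_registration"]
            and a["service_principal"] != b["service_principal"]
            and a["tenant"] != b["tenant"])


if __name__ == "__main__":
    for tok in (TOKEN_HOME, TOKEN_OTHER):
        print(describe_principal(tok))
    print(client_credentials_request(OTHER_TENANT, APP_ID, "<secret>",
                                     "https://graph.microsoft.com/.default")[0])
```

When debugging a "why does my app lack permission in tenant X" problem, decoding the token this way shows immediately that the roles come from the service principal in `tid`, not from the registration, which is why granting the permission in the home tenant's App registrations blade does nothing for another tenant.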