

Principle app handle registration

This article describes application registration, application objects, and service principals in Azure Active Directory (Azure AD): what they are, how they're used, and how they are related to each other. A multi-tenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.

To delegate Identity and Access Management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's a single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to). For step-by-step instructions on registering an app, see the app registration quickstart.

When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application in the portal, an application object as well as a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

The application object describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

You can use the App registrations blade in the Azure portal to list and manage the application objects in your home tenant.

The Microsoft Graph Application entity defines the schema for an application object's properties.

To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

There are three types of service principal:

Application - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application using the Azure portal, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools.

Managed identity - This type of service principal is used to represent a managed identity. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant.
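The two-step Microsoft Graph flow described above (create the application object, then create the service principal as a separate step) and the one-application-object, one-service-principal-per-tenant relationship, as an added example that is not part of the original article. The `/applications` and `/servicePrincipals` endpoints, the `signInAudience` values and `servicePrincipalType` are real Microsoft Graph names; `FakeTenant`, the injected transport callable and the `inventory-api` app name are constructed stand-ins so the example runs offline.

```python
import uuid
from typing import Any, Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"
# (method, url, body) -> response JSON; injected so the example needs no network
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def register_application(post: Transport, display_name: str, multi_tenant: bool) -> Dict[str, Any]:
    """Step 1: create the application object in the home tenant (POST /applications)."""
    audience = "AzureADMultipleOrgs" if multi_tenant else "AzureADMyOrg"
    return post("POST", f"{GRAPH}/applications", {"displayName": display_name, "signInAudience": audience})


def create_service_principal(post: Transport, app_id: str) -> Dict[str, Any]:
    """Step 2: instantiate the app in a tenant (POST /servicePrincipals); it references the app by appId."""
    return post("POST", f"{GRAPH}/servicePrincipals", {"appId": app_id})


class FakeTenant:
    """Constructed stand-in for one tenant's Graph endpoint (not the real service). It models
    two rules from the text: appId is global, and a tenant holds one service principal per appId."""

    def __init__(self) -> None:
        self.applications: Dict[str, Dict[str, Any]] = {}       # keyed by object id
        self.service_principals: Dict[str, Dict[str, Any]] = {}  # keyed by appId

    def __call__(self, method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if method == "POST" and url.endswith("/applications"):
            app = {"id": str(uuid.uuid4()), "appId": str(uuid.uuid4()), **body}
            self.applications[app["id"]] = app
            return app
        if method == "POST" and url.endswith("/servicePrincipals"):
            if body["appId"] in self.service_principals:
                raise ValueError("a tenant has only one service principal per appId")
            sp = {"id": str(uuid.uuid4()), "appId": body["appId"], "servicePrincipalType": "Application"}
            self.service_principals[sp["appId"]] = sp
            return sp
        raise ValueError(f"unsupported request: {method} {url}")


def multi_tenant_demo() -> Dict[str, Any]:
    """One app object in the home tenant; one service principal in every tenant that uses the app."""
    home, customer = FakeTenant(), FakeTenant()
    app = register_application(home, "inventory-api", multi_tenant=True)  # constructed name
    sp_home = create_service_principal(home, app["appId"])
    sp_customer = create_service_principal(customer, app["appId"])
    # The customer tenant never receives an application object, only a service principal.
    return {"app": app, "sp_home": sp_home, "sp_customer": sp_customer,
            "customer_app_objects": len(customer.applications)}
```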
