Understand the difference: App Registrations and Service Principals
I have been working with Azure for the last few years but have always found it difficult to understand the difference between App registrations and Service principals. This article is an attempt to explain the difference between the two.
Application Registration:
Let's say you are hosting an application and want to delegate access and management functions to Azure AD. First of all, you register the application with an Azure AD tenant.
- When you register your application with Azure AD, you’re creating an identity configuration for your application that allows it to integrate with Azure AD.
- When you register an app in the Azure portal, you choose whether it’s a single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants).
- When you’ve completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID).
- Apart from the application object, a service principal is also created in your home tenant. You can think of it as a second object, the service principal, that is created alongside the application object.
So where does the service principal come into the picture?
As mentioned earlier, registering your app also creates a service principal object, and it is this object that access is managed against. The service principal enables your application to establish an identity for sign-in or for access to resources secured by the tenant.
A service principal is the local representation (or application instance) of a global application object in a single tenant or directory. It is a concrete instance created from the application object and inherits certain properties from it.
What if your app is multi-tenant?
In this case, you register your app in one tenant, which is called the home tenant for your app, and you get a globally unique client ID. So you still have only one app object, globally unique across all tenants.
But a service principal is created in each tenant where the application is used, and it references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
Relationship between application objects and service principals
The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.
An application object has:
- 1:1 relationship with the software application, and
- 1:many relationship with its corresponding service principal object(s).
Reiterating a few points:
- An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application’s “home” tenant).
- An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used.
- A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant.
- Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).
- A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration.
- A multi-tenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.
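As an added example (not part of the original article), the following Python audits constructed Microsoft Graph-style records to show these relationships in practice: one application object per app in its home tenant, one service principal per tenant where the app is used, and a foreign service principal whose application object lives in another tenant. The classification labels, sample GUIDs and app names are my own assumptions; the property names are real Graph properties.

```python
# Added example (not from the article): audit a tenant's service principals
# against its application objects to show the relationships described above.
# All records are constructed sample data shaped like Microsoft Graph output;
# appId, signInAudience and appOwnerOrganizationId are real Graph properties.

THIS_TENANT = "11111111-1111-1111-1111-111111111111"  # tenant being audited (constructed)

# GET /applications: only the home tenant holds the application object,
# so these are the apps registered in THIS_TENANT.
APPLICATIONS = [
    {"displayName": "PayrollApp", "appId": "aaaa0001", "signInAudience": "AzureADMyOrg"},
    {"displayName": "OurSaaS", "appId": "bbbb0002", "signInAudience": "AzureADMultipleOrgs"},
    {"displayName": "NewApi", "appId": "dddd0004", "signInAudience": "AzureADMyOrg"},
]

# GET /servicePrincipals: VendorCRM's application object lives in another
# tenant; its principal exists here only because this tenant consented to it.
SERVICE_PRINCIPALS = [
    {"displayName": "PayrollApp", "appId": "aaaa0001", "appOwnerOrganizationId": THIS_TENANT},
    {"displayName": "OurSaaS", "appId": "bbbb0002", "appOwnerOrganizationId": THIS_TENANT},
    {"displayName": "VendorCRM", "appId": "cccc0003",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]

def classify_service_principals(tenant_id, applications, service_principals):
    """Map each principal's appId to where its application object lives.

    appOwnerOrganizationId == tenant_id: local instance of an app registered
    here. Anything else: the app object is in its own home tenant and this
    principal is a consented multi-tenant instance, the usual review target.
    """
    apps_by_id = {app["appId"]: app for app in applications}
    result = {}
    for sp in service_principals:
        if sp["appOwnerOrganizationId"] != tenant_id:
            result[sp["appId"]] = "foreign-multi-tenant"  # app object is elsewhere
        elif sp["appId"] not in apps_by_id:
            result[sp["appId"]] = "orphan"  # registration deleted, principal remains
        elif apps_by_id[sp["appId"]]["signInAudience"] == "AzureADMyOrg":
            result[sp["appId"]] = "home-single-tenant"
        else:
            result[sp["appId"]] = "home-multi-tenant"
    return result


def registrations_without_service_principal(applications, service_principals):
    """App objects in the home tenant that have no local service principal yet."""
    sp_app_ids = {sp["appId"] for sp in service_principals}
    return sorted(a["appId"] for a in applications if a["appId"] not in sp_app_ids)
```

Against real data, replace the two lists with the results of `GET /applications` and `GET /servicePrincipals` for your tenant; the foreign-multi-tenant entries are the consented third-party apps worth reviewing.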
Conclusion:
An app registration is the globally unique instance of your app, which lives in the home tenant where the app was registered. A service principal is the local representation of your app in a tenant and is the object against which access is managed. The service principal enables your application to establish an identity for sign-in or for access to resources.
Further Reading:
- I found this video very helpful.
Be Grateful! Pray For Peace! Keep Learning!