To delegate identity and access management to Microsoft Entra ID, an application must be registered with a tenant. Registration creates a globally unique instance of the app (the application object), which lives in your home tenant (directory), and a globally unique ID for the app (the application, or client, ID). You can then add secrets or certificates and scopes so the app can authenticate and be authorized, customize the branding of the app in the sign-in dialog, and more.
The application object is what you see under App registrations in Entra ID (formerly Azure AD). It acts as the template from which one or more service principals are created, and it is where you configure things such as API permissions, client secrets, branding and app roles. The object itself exists only in the home tenant, but its application (client) ID is globally unique, so service principals created in other tenants can refer back to it. All of these customizations are written to the app manifest. The application object describes three aspects of an application: how the service can issue tokens in order to access the application, the resources the application might need to access, and the actions the application can take.
An entity (user or application) that requires access to resources secured by an Entra tenant must be represented in that tenant by a user or service principal. A service principal is the concrete, tenant-local instance created from the application object; it defines what the app can actually do in that specific tenant, who can access the app, and which resources the app can access. A single-tenant app therefore has one service principal, in its home tenant, while a multi-tenant app gets a separate service principal in every tenant that consents to it.
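The relationship between the two objects is easiest to see by creating them. The following is an added example using the Az PowerShell module, not code from the original page; the display name, resource group and role are illustrative, and it assumes you have already signed in with Connect-AzAccount as a user permitted to register applications and assign roles.

```powershell
# Added example (not from the original page): create an application object and its
# tenant-local service principal, then compare their identifiers.
# Assumes: Az.Resources module installed, Connect-AzAccount already run against the
# home tenant; "demo-app-object" and "rg-demo" are illustrative names.

# 1. The application object: the template that lives in the home tenant.
$app = New-AzADApplication -DisplayName "demo-app-object" -SignInAudience "AzureADMyOrg"

# 2. The service principal: the concrete instance of that app in *this* tenant.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Both objects carry the same application (client) ID, but they are two distinct
# directory objects with different object IDs.
"AppId (shared by both):   $($app.AppId)"
"Application object Id:    $($app.Id)"
"Service principal Id:     $($sp.Id)"

# 3. Credentials are configured on the application object. Keep the lifetime short;
#    the secret is returned once and must go into a vault, never into a script.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(3)
# $cred.SecretText holds the client secret

# 4. Authorization is granted to the service principal (what the app may do here),
#    at the narrowest scope that does the job: one resource group, read-only.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Reader" -ResourceGroupName "rg-demo"

# Deleting the application object removes the service principal in the home tenant
# as well; service principals in other tenants (multi-tenant apps) are separate objects.
# Remove-AzADApplication -ApplicationId $app.AppId
```

When auditing a tenant, the distinction matters: a secret added under App registrations belongs to the application object, while the role assignments that decide what the app can reach are attached to the service principal's object ID, which is also what appears in the sign-in and audit logs.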
A managed identity is a type of service principal that removes the need for developers to manage security credentials. The platform creates the service principal and its credential on your behalf and renews that credential automatically, so no secret has to be stored in code or configuration.
Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource (a system-assigned managed identity). In this case:
A service principal of a special type is created in Microsoft Entra ID for the identity. Its lifecycle is tied to that Azure resource: when the resource is deleted, Azure automatically deletes the service principal for you.
By design, it can be associated with only a single resource, and only that Azure resource can use the identity to request tokens from Microsoft Entra ID. Note that "the resource" means any code running on it: every process on a VM can reach the local instance metadata endpoint that hands out the identity's tokens, so the permissions you grant the identity are the blast radius if that workload is compromised.
You authorize the managed identity to have access to one or more services, for example by assigning it an Azure RBAC role at the narrowest scope that works.
The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.
You may also create a managed identity as a standalone Azure resource: a user-assigned managed identity, which you create once and then assign to one or more Azure resources. When you enable a user-assigned managed identity:
A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it, so it survives the deletion of any of them and must be deleted explicitly when no longer needed.
A user-assigned identity can be used by multiple resources, which means its role assignments are shared by every resource it is attached to.
You authorize the managed identity to have access to one or more services.
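The following is an added example, not code from the original page, covering both the system-assigned steps and the user-assigned steps above with the Az PowerShell module. The resource group, VM, storage account, key vault and identity names are illustrative; it assumes Connect-AzAccount has been run and that the resources referenced already exist. The last part runs inside the VM and shows the one practical difference between the two identity types when a token is requested.

```powershell
# Added example (not from the original page). Names are illustrative; assumes the
# Az.Compute, Az.ManagedServiceIdentity and Az.Resources modules and a signed-in session.
$rg    = "rg-demo"
$loc   = "westeurope"
$subId = (Get-AzContext).Subscription.Id

# ---------- System-assigned: enabled on the resource, lifetime bound to it ----------
$vm = Get-AzVM -ResourceGroupName $rg -Name "vm-app01"
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name "vm-app01"      # re-read to pick up the identity
$sysPrincipalId = $vm.Identity.PrincipalId                    # object ID of the special SP

# The service principal's display name equals the resource name (here "vm-app01").
Get-AzADServicePrincipal -ObjectId $sysPrincipalId | Select-Object DisplayName, AppId, Id

# Authorize it: one data-plane role, scoped to a single storage account, not the subscription.
New-AzRoleAssignment -ObjectId $sysPrincipalId -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/stdemo01"

# ---------- User-assigned: a standalone resource, managed separately, shareable ----------
$uai = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "uai-shared-reader" -Location $loc

# Attach it to the VM alongside the system-assigned identity (the VM can carry both).
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssignedUserAssigned `
    -IdentityId $uai.Id | Out-Null

# Role assignments on $uai.PrincipalId apply to every resource this identity is attached to.
New-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName "Key Vault Secrets User" `
    -Scope "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/kv-demo01"

"User-assigned client ID (needed inside the VM): $($uai.ClientId)"

# ---------- Inside the VM: obtaining tokens from the instance metadata endpoint ----------
# Any process on the VM can do this; the identity's role assignments are the blast radius.
$imds = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"
$res  = [uri]::EscapeDataString("https://management.azure.com/")
$hdr  = @{ Metadata = "true" }    # IMDS refuses requests without this header

# System-assigned: there is exactly one, so no selector is needed.
$sysToken = Invoke-RestMethod -Headers $hdr -Uri "$imds&resource=$res"

# User-assigned: the VM may carry several identities, so the caller must name one.
$clientId = "<client ID printed above>"
$usrToken = Invoke-RestMethod -Headers $hdr -Uri "$imds&resource=$res&client_id=$clientId"

# Both responses carry access_token and expires_on; the platform rotated the underlying
# credential, and nothing in this script ever held a secret.
$sysToken.expires_on
$usrToken.expires_on

# ---------- Lifecycle ----------
# Remove-AzVM -ResourceGroupName $rg -Name "vm-app01"       # also deletes the system-assigned SP
# Remove-AzUserAssignedIdentity -ResourceGroupName $rg -Name "uai-shared-reader"   # must be explicit
```

Two points worth checking in practice: the system-assigned identity is gone as soon as the VM is, so anything that granted it access (role assignments, Key Vault access policies) is left dangling and should be cleaned up, while a user-assigned identity keeps its role assignments after the VMs are gone and remains a valid principal until you delete it. Omitting client_id on a VM with more than one user-assigned identity is not ambiguous for the system-assigned case but will fail for the user-assigned one, which is why the selector is shown explicitly.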