Azure: Service Principal ID vs Application ID
According to this documentation, Application and Service principal are clearly two different things: Application is the global identity and Service principal is per Tenant/AAD.

But this documentation and this Stack Overflow question suggest they are the same.

To make it more confusing, when I used the Graph API (from the first reference) and queried by my application name:

https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'

I see an object Id, an Application ID (which I thought were the same), but no service principal ID in the JSON.

What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)? Thanks.

Gaddy answered 6/1, 2019 at 21:52 Comment(0)

Short answer: Application and Service principal are definitely two different things (related in 1:many fashion but definitely different objects).

Working with Azure AD Graph API

Finding Application, as you already mentioned in the question:

https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'

Finding Service Principal:

https://graph.windows.net/<tenantName>/servicePrincipals?api-version=1.6&$filter=displayName eq '<Application Name>'

Small things to notice in the JSON:

  1. objectId and objectType will be different for the application object and the service principal object that you get back from the above-mentioned queries.
  2. Properties like appId and displayName are the same since they are related to the same logical application.

Your question about - What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)

Firstly, the link in your question Application and service principal objects in Azure Active Directory, is a great resource to understand concepts. I won't do a better job than that documentation to explain concepts, so do read through it more than once if needed. I will try to highlight some information to answer your specific queries though.

You can think of the application object that you retrieved from Azure AD Graph API above (or see in the App registrations section of Azure Portal > Azure Active Directory) as the single and main definition of the software application that you are developing and registering with Azure AD for identity purposes. NOTE: In case of multi-tenant applications you will find this application object only in the "home" tenant, where the application was registered with Azure AD.

Service Principal (what you see under the Enterprise applications section of Azure Portal > Azure Active Directory), on the other hand, is something that will get created in every Azure AD tenant that wants to use this application. For the "home" tenant the service principal is created at the time of app registration; for all other tenants the service principal is created at the time of consent.

So there will always be only 1 application object to represent the application. There will be at least 1 service principal created at the time of app registration. Although, as you start using a multi-tenant application from multiple tenants, 1 service principal will get created for every new Azure AD tenant where a user gives consent for the application. Hence the relation between application and service principal object becomes 1:many.

  • appId will be the same for the single application object that represents this application, as well as for all service principals created for this application.
  • objectId will be a unique value for the application object and each of the service principals. This uniquely identifies the object in Azure AD. It's a property that you will find with all Azure AD objects, like even a user, group or anything else within Azure AD.
  • clientId will be the same as appId. It will be relevant in contexts such as acquiring a token using one of the OAuth flows that Azure AD supports (say while writing code using ADAL libraries or using the REST API to hit Azure AD token endpoints). It is not a direct property you will find with that exact name on an application or service principal object.

On a side note, the other two links that confused you are more how-to articles trying to get the job done rather than deeply explaining the concepts you're looking for. I don't think any documentation will explicitly say that application and service principal are the same thing (since they are technically not). Although I can understand how it can get confusing sometimes, when application and service principal are used interchangeably when loosely referring to the application in the context of authentication-related tasks.

Here is another SO post on similar topic with a good answer from Jean-Marc Prieur. It may not answer all your specific queries but certainly hits the concepts.

Kataway answered 7/1, 2019 at 0:0 Comment(8)
Thank you for the great answer! Especially for talking about objectIds, how to see a SP Id etc. So when giving access to an Azure resource, through the RBAC/Access Control IAM blade or Data Lake ACLs, is it the Application or the Service Principal we are giving access to (since both have the same display name)? learn.microsoft.com/en-us/azure/data-lake-store/… – Gaddy
May I also shamelessly point you to my other related question: #54055572 – Gaddy
@Gaddy you're very welcome. I am not very familiar with Data Lake but as per my general understanding it will be the Service Principal in that particular Azure AD tenant. I'll check out your other question as well to see if I can be of any help. – Kataway
This is great. I was about to ask a similar question. @RohitSaigal So if I get this right, within the home tenant, there is a 1:1 relationship between the Application and the SP. The 1:many only comes into effect if you have other tenants that require access to the same application. So in the case of a single-tenant application, you could ALMOST use the terms application and SP synonymously. Hence, I guess, the confusion. – Shikari
So when I need to input a principal_id, for example as needed here to create a new role assignment learn.microsoft.com/en-us/python/api/azure-mgmt-authorization/…, do I use appId or objectId? – Cavit
@Cavit objectId of the service principal. – Afterburning
While this is an old thread, maybe someone of you can enlighten me. Why do we create credentials on the App Registration (also what the Portal does) instead of creating credentials on the SP? My research and this post definitely show that the SP is the entity linked in RBAC, and still the credentials are created on the App Registration. Makes no sense to me. Wouldn't that mean that every SP, even in other tenants, can use my credential set? So confusing and I can't find proper resources. Thanks – Mitchmitchael
@RohitSaigal When you say "clientId will be same as appId" you don't mean the literal id value will be the same, right? Because they are different in value. Do you mean they serve the same purpose in general? – Rambow
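As an added illustration (not code from the original post, from Microsoft, or from any Azure SDK), the script below models the Graph API results described in the answer with constructed placeholder objects and checks the three points raised in the thread: the single application object and its per-tenant service principals share appId, every object has its own objectId, and the value a role assignment needs is the service principal's objectId in the target tenant, which should be resolved by appId rather than by display name because display names are not unique. All GUIDs, tenant names and the `DIRECTORIES` structure are invented for this example.

```python
"""Relate an Azure AD application object to its service principals.

Added example, not from the original post. The directory contents below are
constructed sample data shaped like Azure AD Graph API v1.6 'value' entries;
the GUIDs and tenant names are placeholders, not real identifiers.
"""

# Constructed: one multi-tenant app registered in the home tenant, consented in
# a second tenant, plus an unrelated app whose display name collides with it.
APP_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # placeholder appId (== clientId)

DIRECTORIES = {
    "home.onmicrosoft.com": {
        # App registrations: the single application object lives only here.
        "applications": [
            {"objectId": "10000000-0000-0000-0000-000000000001",
             "objectType": "Application", "appId": APP_ID,
             "displayName": "Contoso Reporting"},
        ],
        # Enterprise applications: the SP created at registration time.
        "servicePrincipals": [
            {"objectId": "20000000-0000-0000-0000-000000000001",
             "objectType": "ServicePrincipal", "appId": APP_ID,
             "displayName": "Contoso Reporting"},
            # Unrelated app that happens to carry the same display name.
            {"objectId": "20000000-0000-0000-0000-000000000099",
             "objectType": "ServicePrincipal",
             "appId": "bbbbbbbb-0000-0000-0000-000000000002",
             "displayName": "Contoso Reporting"},
        ],
    },
    "customer.onmicrosoft.com": {
        "applications": [],  # no application object outside the home tenant
        "servicePrincipals": [
            # SP created when a user in this tenant consented to the app.
            {"objectId": "30000000-0000-0000-0000-000000000001",
             "objectType": "ServicePrincipal", "appId": APP_ID,
             "displayName": "Contoso Reporting"},
        ],
    },
}


def filter_by_display_name(objects, name):
    """Mimic `$filter=displayName eq '<name>'` on one Graph collection."""
    return [o for o in objects if o["displayName"] == name]


def application_object(directories, app_id):
    """Return the one application object for app_id (found in the home tenant only)."""
    matches = [a for d in directories.values()
               for a in d["applications"] if a["appId"] == app_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one application object, found {len(matches)}")
    return matches[0]


def service_principals_for_app(directories, app_id):
    """Return {tenant: sp} for every tenant holding an SP with this appId.

    This is the 'many' side of the 1:many relation; within one tenant the
    appId identifies at most one service principal.
    """
    result = {}
    for tenant, d in directories.items():
        sps = [sp for sp in d["servicePrincipals"] if sp["appId"] == app_id]
        if len(sps) > 1:
            raise LookupError(f"{tenant}: {len(sps)} service principals share appId {app_id}")
        if sps:
            result[tenant] = sps[0]
    return result


def principal_id_for_rbac(directories, tenant, app_id):
    """objectId to use as principalId in a role assignment for this tenant.

    RBAC binds to the service principal in the tenant, never to the application
    object, so resolve by appId (unique) rather than displayName (not unique).
    """
    sps = service_principals_for_app(directories, app_id)
    if tenant not in sps:
        raise LookupError(f"no service principal for {app_id} in {tenant}; "
                          "has the app been consented there?")
    return sps[tenant]["objectId"]


def describe_relationship(app, sp):
    """Check the invariants the answer states between an app object and an SP."""
    return {
        "same_appId": app["appId"] == sp["appId"],
        "same_displayName": app["displayName"] == sp["displayName"],
        "distinct_objectId": app["objectId"] != sp["objectId"],
        "types": (app["objectType"], sp["objectType"]),
    }


if __name__ == "__main__":
    home = DIRECTORIES["home.onmicrosoft.com"]
    by_name = filter_by_display_name(home["servicePrincipals"], "Contoso Reporting")
    print(f"{len(by_name)} service principals match by displayName (ambiguous)")
    app = application_object(DIRECTORIES, APP_ID)
    sps = service_principals_for_app(DIRECTORIES, APP_ID)
    print(f"1 application object, {len(sps)} service principals: {sorted(sps)}")
    print(describe_relationship(app, sps["home.onmicrosoft.com"]))
    print("principalId for RBAC in customer tenant:",
          principal_id_for_rbac(DIRECTORIES, "customer.onmicrosoft.com", APP_ID))
```

Running it shows that the display-name filter on servicePrincipals returns two unrelated objects, while resolving by appId yields exactly one application object and one service principal per consenting tenant; the objectId of that tenant's service principal is the value to hand to a role assignment.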
