AZURE Active Directory - What is the difference between a Service Principal and an Enterprise Application?

我寻月下人不归 2021-02-13 17:16

Three topics in Azure AD I'm constantly confused on:

  1. Service Principal
  2. Enterprise Application
  3. App Registration

What is the differ

2 answers
  •  孤城傲影
    2021-02-13 18:11

    This is indeed confusing and you are not the only one who feels that way. I guess this whole application/service principal thing is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone who just wants to create some small scripts that connect to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. The Azure Portal is also a little confusing for this part; it only started to make some sense when I used the Azure CLI for it.

    To access Azure resources programmatically we need to use Service Principal credentials. A Service Principal is actually an instance of an application, so we need to create an Application (App Registration) first too. If the App Registration is added from the portal, the Service Principal is created automatically. With the Azure CLI, creating the Application and the Service Principal are two distinct steps.

    The weird part is that credentials have to be obtained from the Application (App Registrations -> select app -> Certificates & Secrets), while the role assignment for the Service Principal has to be done from Subscriptions (select subscription -> Access control (IAM) -> Role Assignments). The same process using the CLI makes more sense.

    Using the Azure CLI

    1. Register/create the app

       $ az ad app create --display-name "displayName"

    2. Create a service principal for the app just created

       $ az ad sp create --id "applicationId"

    3. Set application credentials

       $ az ad app credential reset --credential-description "some_description" --id "applicationId"

       OR

       $ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append

    4. Assign roles to the Service Principal to access resources in Azure

       $ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name


    And if you don't care about all this application/service principal stuff and just want to use a Service Principal for accessing Azure resources, there is a shortcut.

    $ az ad sp create-for-rbac --name "service_principal_name"
    

    This will create the application and the service principal, set credentials on the app, assign the Contributor role to the service principal and print the credentials!!

    Since the name of the Application (in App Registrations) and the Service Principal (Enterprise/All Applications) is the same, we need to look carefully at the Object ID and Application ID to find out which is which. On top of that, Service Principals are listed as Enterprise Applications/All Applications in the Azure Portal.

    'Enterprise Applications' is just a category of Service Principal that satisfies two conditions.

    1. The Service Principal and the Application registration should be in the same tenant.
    2. The Service Principal should have the tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from the Service Principal, it won't show under Enterprise Applications, but will still be listed under 'All Applications'. (Do not try this in production!!)

    Note that service principals created from the CLI did not appear in 'Enterprise Applications' and I had to add the tag manually.

    $ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp
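
The point in the answer that trips people up most is that the app registration and its service principal share a display name and an Application ID and differ only by Object ID, and that a role assignment must target the service principal, not the registration. The following Python is an added example (not part of the answer above, and not Microsoft's or the Azure CLI's own code). It loads constructed records shaped like `az ad app list` and `az ad sp list` JSON output, resolves whichever identifier you have to the service principal object id that an RBAC role assignment binds to, rejects the app registration's own object id, and applies the answer's two conditions for the 'Enterprise Applications' view, producing the answer's `az ad sp update` tag fix for untagged principals. The field names `appOwnerOrganizationId`, `appId`, `id`, `displayName` and `tags`, and every GUID and tenant id, are assumptions made for the example and are not taken from the page.

```python
"""Tell an app registration from its service principal by object id, not name.

Added example, not from the original answer or from Microsoft. The two JSON
documents below are constructed to mimic the shape of `az ad app list` and
`az ad sp list` output; the field names appId, id, displayName, tags and
appOwnerOrganizationId are assumed from the Microsoft Graph application and
servicePrincipal resources. All GUIDs and tenant ids are made up.
"""
import json

ENTERPRISE_TAG = "WindowsAzureActiveDirectoryIntegratedApp"

# Constructed tenant ids (assumption: not real tenants).
OUR_TENANT = "aaaaaaaa-0000-4000-8000-000000000001"
OTHER_TENANT = "bbbbbbbb-0000-4000-8000-000000000002"

# Constructed app registration, shaped like `az ad app list` JSON.
APPS_JSON = """[
  {"displayName": "billing-script",
   "appId": "c0ffee00-0000-4000-8000-000000000010",
   "id":    "0b1ec700-0000-4000-8000-000000000011"}
]"""

# Constructed service principals, shaped like `az ad sp list` JSON. The first
# belongs to the registration above: same name, same appId, different id.
SPS_JSON = """[
  {"displayName": "billing-script",
   "appId": "c0ffee00-0000-4000-8000-000000000010",
   "id":    "0b1ec700-0000-4000-8000-000000000012",
   "appOwnerOrganizationId": "aaaaaaaa-0000-4000-8000-000000000001",
   "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]},
  {"displayName": "cli-created-sp",
   "appId": "c0ffee00-0000-4000-8000-000000000020",
   "id":    "0b1ec700-0000-4000-8000-000000000022",
   "appOwnerOrganizationId": "aaaaaaaa-0000-4000-8000-000000000001",
   "tags": []},
  {"displayName": "vendor-saas",
   "appId": "c0ffee00-0000-4000-8000-000000000030",
   "id":    "0b1ec700-0000-4000-8000-000000000033",
   "appOwnerOrganizationId": "bbbbbbbb-0000-4000-8000-000000000002",
   "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]}
]"""


def load(json_text):
    """Parse CLI-style JSON output into a list of dicts."""
    return json.loads(json_text)


def find_by_name(name, apps, sps):
    """A display name matches both objects, so it cannot identify either one."""
    return {
        "app_registrations": [a["id"] for a in apps if a["displayName"] == name],
        "service_principals": [s["id"] for s in sps if s["displayName"] == name],
    }


def resolve_assignee(identifier, apps, sps):
    """Return the service principal object id that a role assignment binds to.

    Accepts either form the answer passes to `--assignee`: the SP object id or
    the appId. The app registration's own object id is rejected, because that
    object is not a security principal and no role can be granted to it.
    """
    for sp in sps:
        if identifier in (sp["id"], sp["appId"]):
            return sp["id"]
    for app in apps:
        if identifier == app["id"]:
            raise ValueError(
                f"{identifier} is the app registration object id of "
                f"{app['displayName']!r}; pass its appId {app['appId']} or the "
                "service principal object id instead")
    raise LookupError(f"no service principal matches {identifier}")


def classify_sp(sp, tenant_id):
    """Apply the answer's two conditions for the 'Enterprise Applications' view."""
    if sp.get("appOwnerOrganizationId") != tenant_id:
        return "other-tenant"   # fails condition 1: app registered elsewhere
    if ENTERPRISE_TAG not in sp.get("tags", []):
        return "untagged"       # fails condition 2: typical for CLI-created SPs
    return "enterprise"


def tag_fix_command(sp):
    """The answer's remediation for an untagged SP in our own tenant."""
    return f'az ad sp update --id "{sp["id"]}" --add tags {ENTERPRISE_TAG}'


def audit(sps_json, tenant_id):
    """Classify every SP and collect the fix commands for the untagged ones."""
    sps = load(sps_json)
    report = {sp["displayName"]: classify_sp(sp, tenant_id) for sp in sps}
    fixes = [tag_fix_command(sp) for sp in sps
             if classify_sp(sp, tenant_id) == "untagged"]
    return report, fixes


if __name__ == "__main__":
    apps, sps = load(APPS_JSON), load(SPS_JSON)
    print("by name:", find_by_name("billing-script", apps, sps))
    print("assignee:", resolve_assignee(apps[0]["appId"], apps, sps))
    report, fixes = audit(SPS_JSON, OUR_TENANT)
    print(report)
    for cmd in fixes:
        print(cmd)
```

To use it against a real tenant, paste the output of `az ad app list` and `az ad sp list` into the two strings and set `OUR_TENANT` to your tenant id; the `ValueError` branch is the mistake of copying the Object ID from the App Registrations blade into `--assignee`, which is the wrong object even though the name and Application ID on that blade match.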
    
