Question
I've got a service principal in Azure which was created when I turned on Managed Service Identity for one of my Azure assets. I'd like to grant permissions to this SP using the App Registrations area in the portal (I know I can do it with New-AzureADServiceAppRoleAssignment, but I'd like to create an application in this case).
The Service Principal has an associated application whose guid is visible in the Enterprise Applications section of the AAD blade, but that application id isn't visible in the app registrations section and Get-AzureRmADApplication doesn't see it either.
Can I use PowerShell or the REST API to somehow make the application associated with the MSI's service principal show up in this area?
Answer 1:
If you enable the MSI, it will create a service principal automatically.
> The Service Principal has an associated application whose guid is visible in the Enterprise Applications section of the AAD blade
What you have seen in the Enterprise Applications is also called a service principal. You could understand that the Enterprise Application equals the service principal.
> but that application id isn't visible in the app registrations section and Get-AzureRmADApplication doesn't see it either.
If you create an app registration, it will also create a service principal in the Enterprise Applications. But if you enable MSI, there will not be an AD app (app registration). You could not make the Enterprise Application (service principal) show up in the App registration. Also, when you grant permission to an AD app, it essentially grants the permission to the service principal.
For more details about App registration and Service principal, refer to this link.
Source: https://stackoverflow.com/questions/51792016/surface-the-application-associated-to-a-managed-service-identity-service-princip
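Since the MSI exists only as a service principal, an app role can be assigned to it directly with the cmdlet the question mentions. The following is an added example, not part of the original question or answer; it assumes the AzureAD module with an active Connect-AzureAD session, and the display names and role value are placeholders.

```powershell
# Added example: grant one application role to an MSI service principal.
# Assumes: Import-Module AzureAD; Connect-AzureAD has already been run.
# The three values below are placeholders (assumptions), not values from the page.
$msiDisplayName  = 'my-msi-enabled-resource'  # Azure resource that has MSI turned on
$resourceAppName = 'my-protected-api'         # API whose app role is being granted
$appRoleValue    = 'Reports.Read'             # app role defined by that API

# The MSI is found among service principals (Enterprise Applications);
# there is no app registration to query for it.
$msiSp      = @(Get-AzureADServicePrincipal -Filter "displayName eq '$msiDisplayName'")
$resourceSp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$resourceAppName'")

# Display names are not unique, so refuse to continue on an ambiguous match
# rather than granting a role to the wrong principal.
if ($msiSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$msiDisplayName', found $($msiSp.Count)."
}
if ($resourceSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$resourceAppName', found $($resourceSp.Count)."
}

# Pick the single role to grant; it must be assignable to applications.
$role = @($resourceSp[0].AppRoles | Where-Object {
    $_.Value -eq $appRoleValue -and $_.AllowedMemberTypes -contains 'Application'
})
if ($role.Count -ne 1) {
    throw "App role '$appRoleValue' (assignable to applications) not found on '$resourceAppName'."
}

# Assign the role to the MSI's service principal.
# -ObjectId and -PrincipalId are both the MSI service principal's object id;
# -ResourceId is the API's service principal; -Id is the app role id.
New-AzureADServiceAppRoleAssignment `
    -ObjectId    $msiSp[0].ObjectId `
    -PrincipalId $msiSp[0].ObjectId `
    -ResourceId  $resourceSp[0].ObjectId `
    -Id          $role[0].Id
```

Granting only the named role keeps the identity at least privilege; the assignment is attached to the service principal shown under Enterprise Applications.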