According to this documentation: Application and Service principal are clearly two different things. Application is the global identity and Service principal is per Tenant/AAD
But This Documentation and This Stack Overflow Question suggest they are the same.
To make it more confusing, When I used the Graph API (from the first reference) and queried by my application name:
https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Apllication Name>'
I see a object Id, an Application ID (which I thought were the same), but no service principal ID in the Json
What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID) ? Thanks.
Short answer: Application and Service principal are definitely two different things (related in 1:many fashion but definitely different objects).
Working with Azure AD Graph API
Finding Application. As you already mentioned in question.
https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Apllication Name>'
Finding Service Principal
https://graph.windows.net/<tenantName>/servicePrincipals?api-version=1.6&$filter=displayName eq '<Apllication Name>'
Small things to notice in json:
objectId
andobjectType
will be different for the application object and service principal object that you get back from above mentioned queries.- Properties like
appId
anddisplayName
are same since they are related to the same logical application.
Your question about - What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)
Firstly, the link in your question Application and service principal objects in Azure Active Directory, is a great resource to understand concepts. I won't do a better job than that documentation to explain concepts, so do read through it more than once if needed. I will try to highlight some information to answer your specific queries though.
You can think of the application object that you retrieved from Azure AD Graph API above (or see in the App registrations section of Azure Portal > Azure Active Directory) as the single and main definition of the software application that you are developing and registering with Azure AD for identity purposes. NOTE: In case of multi-tenant applications you will find this application object only in the "home" tenant, where application was registered with Azure AD.
Service Principal (what you see under Enterprise applications section of Azure Portal > Azure Active Directory) on the other hand is something that will get created in every Azure AD tenant that wants to use this application. For the "home" tenant Service principal is created at the time of app registration, for all other tenants service principal is created at the time of consent.
So there will always be only 1 application object to represent application. There will be at least 1 service principal created at time of app registration. Although, as you start using a multi-tenant application from multiple tenants, 1 service principal will get created for every new Azure AD tenant where user gives consent for application. Hence the relation between application and service principal object becomes 1:many
appId
will be same for single application object that represents this application as well as it will be same for all service principals created for this application.objectId
will be a unique value for application object and each of the service principal. This uniquely identifies the object in Azure AD. It's a property that you will find with all Azure AD objects, like even a user, group or anything else with Azure AD.clientId
will be same asappId
. It will be relevant in context such as acquiring a token using one of the OAuth flows that Azure AD supports (say while writing code using ADAL libraries or using REST API to hit Azure AD token end points). It is not a direct property you will find with that exact name for an application or service principal object.
On a side note, the other two links that confused you are more of How to articles trying to get the job done rather than deeply explaining the concepts you're looking for. I don't think any documentation will explicitly say that application and service principal are same thing (since they are technically not). Although I can understand how it can get confusing sometimes, when application and service principal are used interchangeably when loosely referring to application in context of authentication related tasks.
Here is another SO post on similar topic with a good answer from Jean-Marc Prieur. It may not answer all your specific queries but certainly hits the concepts.
来源:https://stackoverflow.com/questions/54066287/azure-service-principal-id-vs-application-id