{
	"id": "2be17b3e-5925-4b4d-989f-f1cf7ece9536",
	"created_at": "2026-04-06T01:30:08.61323Z",
	"updated_at": "2026-04-10T03:20:55.011444Z",
	"deleted_at": null,
	"sha1_hash": "34a2bab8a94bbc66234cbabe31c32d3e5e3b45b7",
	"title": "Apps \u0026 service principals in Microsoft Entra ID - Microsoft identity platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444087,
	"plain_text": "Apps \u0026 service principals in Microsoft Entra ID - Microsoft\r\nidentity platform\r\nBy cilwerner\r\nArchived: 2026-04-06 01:05:48 UTC\r\nThis article describes application registration, application objects, and service principals in Microsoft Entra ID,\r\nwhat they are, how they're used, and how they're related to each other. A multitenant example scenario is also\r\npresented to illustrate the relationship between an application's application object and corresponding service\r\nprincipal objects.\r\nTo delegate identity and access management functions to Microsoft Entra ID, an application must be registered\r\nwith a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you're creating an\r\nidentity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register\r\nan app, you choose whether it's single-tenant or multitenant, and can optionally set a redirect URI. For step-by-step instructions on registering an app, see the app registration quickstart.\r\nWhen you've completed the app registration, you have a globally unique instance of the app (the application\r\nobject) that lives within your home tenant or directory. You also have a globally unique ID for your app (the\r\napp/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of\r\nyour app in the sign-in dialog, and more.\r\nIf you register an application, an application object and a service principal object are automatically created in your\r\nhome tenant. If you create an application using the Microsoft Graph APIs, creating the service principal\r\nobject is a separate step.\r\nA Microsoft Entra application is defined by its one and only application object, which resides in the Microsoft\r\nEntra tenant where the application was registered (known as the application's \"home\" tenant). 
An application\r\nobject is used as a template or blueprint to create one or more service principal objects. A service principal is\r\ncreated in every tenant where the application is used. Similar to a class in object-oriented programming, the\r\napplication object has some static properties that are applied to all the created service principals (or application\r\ninstances).\r\nThe application object describes three aspects of an application:\r\nHow the service can issue tokens in order to access the application\r\nThe resources that the application might need to access\r\nThe actions that the application can take\r\nYou can use the App registrations page in the Microsoft Entra admin center to list and manage the application\r\nobjects in your home tenant.\r\nhttps://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser\r\nPage 1 of 5\n\nThe Microsoft Graph Application entity defines the schema for an application object's properties.\r\nTo access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be\r\nrepresented by a security principal. This requirement is true for both users (user principal) and applications\r\n(service principal). The security principal defines the access policy and permissions for the user/application in the\r\nMicrosoft Entra tenant. This enables core features such as authentication of the user/application during sign-in,\r\nand authorization during resource access.\r\nThere are three types of service principal:\r\nApplication - This type of service principal is the local representation, or application instance, of a global\r\napplication object in a single tenant or directory. In this case, a service principal is a concrete instance\r\ncreated from the application object and inherits certain properties from that application object. 
A service\r\nprincipal is created in each tenant where the application is used and references the globally unique app\r\nobject. The service principal object defines what the app can actually do in the specific tenant, who can\r\naccess the app, and what resources the app can access.\r\nWhen an application is given permission to access resources in a tenant (upon registration or consent), a\r\nservice principal object is created. When you register an application, a service principal is created\r\nautomatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI,\r\nMicrosoft Graph, and other tools.\r\nManaged identity - This type of service principal is used to represent a managed identity. Managed\r\nidentities eliminate the need for developers to manage credentials. Managed identities provide an identity\r\nfor applications to use when connecting to resources that support Microsoft Entra authentication. When a\r\nmanaged identity is enabled, a service principal representing that managed identity is created in your\r\ntenant. Service principals representing managed identities can be granted access and permissions, but can't\r\nbe updated or modified directly. A service principal representing a managed identity doesn't have an\r\nassociated app object (unlike the Application type above).\r\nLegacy - This type of service principal represents a legacy app, which is an app created before app\r\nregistrations were introduced or an app created through legacy experiences. A legacy service principal can\r\nhave credentials, service principal names, reply URLs, and other properties that an authorized user can edit,\r\nbut doesn't have an associated app registration. 
The service principal can only be used in the tenant where it\r\nwas created.\r\nThe Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.\r\nYou can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service\r\nprincipals in a tenant. You can see the service principal's permissions, user-consented permissions, which users\r\ngranted that consent, sign-in information, and more.\r\nThe application object is the global representation of your application for use across all tenants, and the service\r\nprincipal is the local representation for use in a specific tenant. The application object serves as the template from\r\nwhich common and default properties are derived for use in creating corresponding service principal objects.\r\nAn application object has:\r\nA one-to-one relationship with the software application, and\r\nA one-to-many relationship with its corresponding service principal objects\r\nA service principal must be created in each tenant where the application is used, enabling it to establish an identity\r\nfor sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service\r\nprincipal (in its home tenant), created and consented for use during application registration. A multitenant\r\napplication also has a service principal created in each tenant where a user from that tenant has consented to its\r\nuse.\r\nYou can find the service principals associated with an application object from the browser, Azure PowerShell, or Azure CLI.\r\nIn the Microsoft Entra admin center (Browser tab), navigate to the application registration overview. 
Select Managed\r\napplication in local directory.\r\nAny changes that you make to your application object are also reflected in its service principal object in the\r\napplication's home tenant only (the tenant where it was registered). This means that deleting an application object\r\nwill also delete its home tenant service principal object. However, restoring that application object through the app\r\nregistrations UI won't restore its corresponding service principal.\r\nFor applications that need temporary suspension rather than permanent deletion, you can deactivate the\r\napplication. Deactivation prevents new token issuance while preserving the application object and service\r\nprincipal for investigation or future reactivation.\r\nFor more information on deletion and recovery of applications and their service principal objects, see delete and\r\nrecover applications and service principal objects.\r\nThe following diagram illustrates the relationship between an application's application object and corresponding\r\nservice principal objects in the context of a sample multitenant application called HR app. 
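As an added example (not part of the original article and not Microsoft's code), the following Python script checks the relationships described above offline, over a Microsoft Graph-shaped export: it confirms that every app object still has a service principal in its home tenant (the state that breaks when an app object is restored without its service principal), lists the consumer tenants that hold an instance of a multitenant app, flags a single-tenant registration that has instances elsewhere, and separates managed identity and legacy service principals, which never have an app registration. The tenant names and object records mirror the HR app scenario in this article but are constructed for the example; the property names used (appId, signInAudience, servicePrincipalType, appOwnerOrganizationId) are the ones Microsoft Graph returns for the Application and ServicePrincipal entities.

```python
from collections import defaultdict

# Constructed data, not a real export: tenant IDs and objects modelled on the
# HR app scenario (Adatum = home tenant, Contoso and Fabrikam = consumers).
# In a real audit these records come from GET /applications and
# GET /servicePrincipals in Microsoft Graph, run once against each tenant.
TENANT_IDS = {'Adatum': 'tid-adatum', 'Contoso': 'tid-contoso', 'Fabrikam': 'tid-fabrikam'}

EXPORT = {
    'Adatum': {
        'applications': [
            # HR app: the single application object, living in its home tenant
            {'id': 'obj-hr', 'appId': 'app-hr', 'displayName': 'HR app',
             'signInAudience': 'AzureADMultipleOrgs'},
            # A registration restored after deletion: the home-tenant service
            # principal was not restored with it, so nothing references app-payroll
            {'id': 'obj-payroll', 'appId': 'app-payroll', 'displayName': 'Payroll sync',
             'signInAudience': 'AzureADMyOrg'},
        ],
        'servicePrincipals': [
            {'id': 'sp-hr-adatum', 'appId': 'app-hr', 'servicePrincipalType': 'Application',
             'appOwnerOrganizationId': 'tid-adatum'},
            {'id': 'sp-mi-vm', 'appId': 'app-mi-vm', 'servicePrincipalType': 'ManagedIdentity',
             'appOwnerOrganizationId': 'tid-adatum'},
            {'id': 'sp-legacy', 'appId': 'app-legacy', 'servicePrincipalType': 'Legacy',
             'appOwnerOrganizationId': 'tid-adatum'},
        ],
    },
    'Contoso': {
        'applications': [],
        'servicePrincipals': [
            {'id': 'sp-hr-contoso', 'appId': 'app-hr', 'servicePrincipalType': 'Application',
             'appOwnerOrganizationId': 'tid-adatum'},
        ],
    },
    'Fabrikam': {
        'applications': [],
        'servicePrincipals': [
            {'id': 'sp-hr-fabrikam', 'appId': 'app-hr', 'servicePrincipalType': 'Application',
             'appOwnerOrganizationId': 'tid-adatum'},
        ],
    },
}


def audit(export, tenant_ids):
    # Index every service principal (across all tenants) by the appId it instantiates.
    sps_by_app = defaultdict(list)
    for tenant, objs in export.items():
        for sp in objs['servicePrincipals']:
            sps_by_app[sp['appId']].append((tenant, sp))

    findings = {
        'missing_home_sp': [],     # app object with no service principal in its home tenant
        'single_tenant_leak': [],  # AzureADMyOrg app that nevertheless has SPs in other tenants
        'consumer_instances': {},  # multitenant appId -> consumer tenants holding an SP
        'foreign_instances': [],   # SP whose app object lives in another tenant (normal for consumers)
        'stranded_home_sp': [],    # home-tenant Application SP whose registration is gone
        'no_app_object': [],       # managed identity / legacy SPs, which never have a registration
    }

    for tenant, objs in export.items():
        local_app_ids = {app['appId'] for app in objs['applications']}
        for app in objs['applications']:
            tenants = sorted(t for t, _ in sps_by_app.get(app['appId'], []))
            others = [t for t in tenants if t != tenant]
            if tenant not in tenants:
                findings['missing_home_sp'].append((tenant, app['appId']))
            if app['signInAudience'] == 'AzureADMyOrg' and others:
                findings['single_tenant_leak'].append((tenant, app['appId'], others))
            if app['signInAudience'] == 'AzureADMultipleOrgs':
                findings['consumer_instances'][app['appId']] = others
        for sp in objs['servicePrincipals']:
            kind = sp['servicePrincipalType']
            if kind in ('ManagedIdentity', 'Legacy'):
                findings['no_app_object'].append((tenant, sp['id'], kind))
            elif sp['appOwnerOrganizationId'] != tenant_ids[tenant]:
                findings['foreign_instances'].append((tenant, sp['appId']))
            elif sp['appId'] not in local_app_ids:
                findings['stranded_home_sp'].append((tenant, sp['id']))
    return findings


if __name__ == '__main__':
    for key, value in audit(EXPORT, TENANT_IDS).items():
        print(key, value)
```

Run as-is it reports app-payroll under missing_home_sp (the restore case) and Contoso and Fabrikam as the consumer instances of app-hr. To audit real tenants, replace EXPORT with the value arrays returned by Graph for each tenant and TENANT_IDS with the tenant GUIDs; the appOwnerOrganizationId comparison is what distinguishes a locally registered app from a consumed multitenant one.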
There are three\r\nMicrosoft Entra tenants in this example scenario:\r\nAdatum - The tenant used by the company that developed the HR app\r\nContoso - The tenant used by the Contoso organization, which is a consumer of the HR app\r\nFabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app\r\nIn this example scenario:\r\nStep 1 - The process of creating the application and service principal objects in the application's home tenant.\r\nStep 2 - When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Microsoft Entra tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.\r\nStep 3 - The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.\r\nLearn how to create a service principal:\r\nUsing the Microsoft Entra admin center\r\nUsing Azure PowerShell\r\nUsing Azure CLI\r\nUsing Microsoft Graph and then use Microsoft Graph Explorer to query both the application and service\r\nprincipal objects.\r\nSource: https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser"
	],
	"report_names": [
		"app-objects-and-service-principals?tabs=browser"
	],
	"threat_actors": [],
	"ts_created_at": 1775439008,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34a2bab8a94bbc66234cbabe31c32d3e5e3b45b7.pdf",
		"text": "https://archive.orkl.eu/34a2bab8a94bbc66234cbabe31c32d3e5e3b45b7.txt",
		"img": "https://archive.orkl.eu/34a2bab8a94bbc66234cbabe31c32d3e5e3b45b7.jpg"
	}
}