【Microsoft Entra】Microsoft Entra ID中的应用程序和服务主体对象

This article describes application registration, application objects, and service principals in Microsoft Entra ID, what they are, how they're used, and how they're related to each other. A multitenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.

To delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you're creating an identity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register an app, you choose whether it's a single tenant, or multitenant, and can optionally set a redirect URI. For step-by-step instructions on registering an app, see the app registration quickstart.

When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

A Microsoft Entra application is defined by its one and only application object, which resides in the Microsoft Entra tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

The application object describes three aspects of an application:

• How the service can issue tokens in order to access the application
• The resources that the application might need to access
• The actions that the application can take

You can use the App registrations page in the Microsoft Entra admin center to list and manage the application objects in your home tenant.

The Microsoft Graph Application entity defines the schema for an application object's properties.

要访问由Microsoft Entra租户保护的资源，需要访问的实体必须由安全主体表示。这个需求对于用户(用户主体)和应用程序(服务主体)都是正确的。安全主体为Microsoft Entra租户中的用户/应用程序定义访问策略和权限。这支持一些核心特性，例如在登录期间对用户/应用程序进行身份验证，以及在资源访问期间进行授权。

服务主体有三种类型:

• 应用程序——这种类型的服务主体是单个租户或目录中全局应用程序对象的本地表示或应用程序实例。在这种情况下，服务主体是从应用程序对象创建的具体实例，并从该应用程序对象继承某些属性。在使用应用程序的每个租户中创建服务主体，并引用全局唯一的应用程序对象。服务主体对象定义了应用在特定租户中实际可以做什么，谁可以访问应用，以及应用可以访问哪些资源。
  • 当应用程序被授予访问租户资源的权限(经过注册或同意)时，就创建了服务主体对象。注册应用程序时，将自动创建服务主体。您还可以使用Azure PowerShell、Azure CLI、Microsoft Graph和其他工具在租户中创建服务主体对象。
• 受管身份——这种类型的服务主体用于表示受管身份。托管身份消除了开发人员管理凭据的需要。托管身份为连接到支持Microsoft Entra身份验证的资源的应用程序提供了一个身份。启用托管标识后，将在租户中创建表示该托管标识的服务主体。表示受管理身份的服务主体可以被授予访问和权限，但不能直接更新或修改。
• 遗留——这种类型的服务主体代表遗留应用，它是在引入应用注册之前创建的应用，或者是通过遗留体验创建的应用。遗留服务主体可以具有凭据、服务主体名称、回复url和授权用户可以编辑的其他属性，但没有关联的应用程序注册。服务主体只能在创建它的租户中使用。

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.

You can find the service principals associated with an application object.

Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see delete and recover applications and service principal objects.

The following diagram illustrates the relationship between an application's application object and corresponding service principal objects in the context of a sample multitenant application called HR app. There are three Microsoft Entra tenants in this example scenario:

• Adatum - The tenant used by the company that developed the HR app
• Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
• Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app

In this example scenario:

Learn how to create a service principal:

• Using the Microsoft Entra admin center
• Using Azure PowerShell
• Using Azure CLI
• Using Microsoft Graph and then use Microsoft Graph Explorer to query both the application and service principal objects.