This article describes application registration, application objects, and service principals in Microsoft Entra ID: what they are, how they're used, and how they're related to each other. A multitenant example scenario is also presented to illustrate the relationship between an application's application object and its corresponding service principal objects.

Application registration

To delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you create an identity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register an app, you choose whether it's single tenant or multitenant, and you can optionally set a redirect URI. For step-by-step instructions on registering an app, see the app registration quickstart.

When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application in the Microsoft Entra admin center, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

Application object

A Microsoft Entra application is defined by its one and only application object, which resides in the Microsoft Entra tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used.
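The two-step behaviour of the Graph API path described above, shown with Microsoft Graph PowerShell as an added example (not code from the original article). It assumes the Microsoft.Graph module is installed, the signed-in account holds Application.ReadWrite.All, and the display name is a constructed sample:

```powershell
# Added example: registering an app through Microsoft Graph creates only the application
# object; the service principal (the app's local representation) is a separate, explicit step.
# Assumes the Microsoft.Graph module is installed and the caller holds Application.ReadWrite.All.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# 1. Create the application object in the home tenant (single-tenant sign-in audience).
$app = New-MgApplication -DisplayName "HR app (demo)" -SignInAudience "AzureADMyOrg"
"Application object id  : $($app.Id)"
"Application (client) id: $($app.AppId)"

# 2. At this point the tenant holds no service principal for that appId: the app cannot
#    yet sign in or be granted permissions in this tenant.
$sps = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
"Service principals before: $(@($sps).Count)"

# 3. Create the service principal explicitly, keyed by the application (client) id.
$sp = New-MgServicePrincipal -AppId $app.AppId
"Service principal object id: $($sp.Id)"

# 4. The same appId query now returns exactly one local representation of the app.
$sps = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
"Service principals after : $(@($sps).Count)"
```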
Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances). The application object describes three aspects of an application:

You can use the App registrations page in the Microsoft Entra admin center to list and manage the application objects in your home tenant. The Microsoft Graph Application entity defines the schema for an application object's properties.

Service principal object

To access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Microsoft Entra tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access. There are three types of service principal:

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties. You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service principals in a tenant. You can see the service principal's permissions, user-consented permissions, which users have granted that consent, sign-in information, and more.

Relationship between application objects and service principals

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects. An application object has:

A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multitenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.

List service principals associated with an app

You can find the service principals associated with an application object. In the Microsoft Entra admin center, navigate to the application registration overview and select Managed application in local directory.

Consequences of modifying and deleting applications

Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object also deletes its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal.
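The same lookup the Managed application in local directory link performs, plus the consent review the Enterprise applications page offers, as an added Microsoft Graph PowerShell example (not code from the original article). It assumes the Microsoft.Graph module is installed, the caller holds Application.Read.All and Directory.Read.All, and $appId is a placeholder for the app's application (client) id:

```powershell
# Added example: find the service principal for an application in the signed-in tenant and
# review what has been consented to it. Assumes Microsoft.Graph is installed and the caller
# holds Application.Read.All and Directory.Read.All; $appId is a placeholder value.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome
$appId = "00000000-0000-0000-0000-000000000000"   # placeholder: the app's application (client) id

# The appId query works in the home tenant and in any consumer tenant alike: the application
# object is visible only in the home tenant, the service principal in each tenant that uses it.
$sps = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sps) {
    Write-Warning "No service principal for $appId in this tenant (not consented here, or deleted)"
    return
}

foreach ($sp in $sps) {
    "Service principal '$($sp.DisplayName)' [$($sp.Id)] type=$($sp.ServicePrincipalType) enabled=$($sp.AccountEnabled)"

    # Delegated permissions: one grant per consent. ConsentType AllPrincipals is admin consent
    # for the whole tenant; Principal is an individual user's consent, identified by PrincipalId.
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "  delegated: consentType=$($_.ConsentType) principalId=$($_.PrincipalId) scope='$($_.Scope)'" }

    # Application permissions (app roles) this service principal has been granted on other resources.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "  app role : resource='$($_.ResourceDisplayName)' appRoleId=$($_.AppRoleId)" }
}
```

Running this in each consuming tenant is the quickest way to see which tenants hold a service principal for the app and who consented to it there.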
For more information on deletion and recovery of applications and their service principal objects, see delete and recover applications and service principal objects.

Example

The following diagram illustrates the relationship between an application's application object and its corresponding service principal objects in the context of a sample multitenant application called HR app. There are three Microsoft Entra tenants in this example scenario:

In this example scenario:
Step 1: The process of creating the application and service principal objects in the application's home tenant.

Step 2: When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Microsoft Entra tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.

Step 3: The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents its use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.
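The recovery pitfall from the section on consequences of modifying and deleting applications (restoring the application object does not restore its home-tenant service principal), handled as an added Microsoft Graph PowerShell example that is not part of the original article. It assumes the Microsoft.Graph module is installed, the caller holds Application.ReadWrite.All, and $appId is a placeholder for the deleted app's application (client) id:

```powershell
# Added example: restore a soft-deleted application object, then verify that its home-tenant
# service principal exists and recreate it if it does not. Assumes Microsoft.Graph is installed
# and the caller holds Application.ReadWrite.All; $appId is a placeholder value.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome
$appId = "00000000-0000-0000-0000-000000000000"   # placeholder: the deleted app's application (client) id

# Locate the soft-deleted application object by its appId.
$deleted = Get-MgDirectoryDeletedItemAsApplication -All | Where-Object { $_.AppId -eq $appId }
if (-not $deleted) { throw "No soft-deleted application object with appId $appId" }

# Restoring brings back only the application object; the service principal that was deleted
# along with it stays deleted.
$restored = Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted.Id
"Restored application object $($restored.Id)"

# Check for the local representation and recreate it when it is missing.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $appId
    "Recreated service principal $($sp.Id); it is a new object, so permissions consented to the old one must be granted again"
} else {
    "Service principal $($sp.Id) is present"
}
```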
Next steps

Learn how to create a service principal: