This article describes application registration, application objects, and service principals in Microsoft Entra ID, what they are, how they're used, and how they're related to each other. A multitenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.

Application registration

To delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you're creating an identity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register an app, you choose whether it's single tenant or multitenant, and you can optionally set a redirect URI. For step-by-step instructions on registering an app, see the app registration quickstart.

When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

If you register an application, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

Application object

A Microsoft Entra application is defined by its one and only application object, which resides in the Microsoft Entra tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

The application object describes three aspects of an application:

  • How the service can issue tokens in order to access the application
  • The resources that the application might need to access
  • The actions that the application can take

You can use the App registrations page in the Microsoft Entra admin center to list and manage the application objects in your home tenant.

[Screenshot: App registrations blade]

The Microsoft Graph Application entity defines the schema for an application object's properties.

Service principal object

To access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Microsoft Entra tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

There are three types of service principal:

  • Application - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique application object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
    • A service principal object is created when an application is given permission to access resources in a tenant (upon registration or consent). When you register an application, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools.
  • Managed identity - This type of service principal is used to represent a managed identity. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can't be updated or modified directly.
  • Legacy - This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that are editable by an authorized user, but doesn't have an associated app registration. The service principal can only be used in the tenant where it was created.

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties.

You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage the service principals in a tenant. You can see the service principal's permissions, the permissions users have consented to, which users granted that consent, sign-in information, and more.

[Screenshot: Enterprise apps blade]

Relationship between application objects and service principals

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

An application object has:

  • A one-to-one relationship with the software application, and
  • A one-to-many relationship with its corresponding service principal object(s)

A service principal must be created in each tenant where the application is used, to enable it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multitenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.

List service principals associated with an app

You can find the service principals associated with an application object.

In the Microsoft Entra admin center, navigate to the application registration overview. Select Managed application in local directory.

[Screenshot: the Managed application in local directory option in the application registration overview]

Consequences of modifying and deleting applications

Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see delete and recover applications and service principal objects.

Example

The following diagram illustrates the relationship between an application's application object and corresponding service principal objects in the context of a sample multitenant application called HR app. There are three Microsoft Entra tenants in this example scenario:

  • Adatum - The tenant used by the company that developed the HR app
  • Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app


In this example scenario:

  1. The application object and its service principal object are created in the application's home tenant.
  2. When Contoso and Fabrikam administrators complete consent, a service principal object is created in their company's Microsoft Entra tenant and assigned the permissions that the administrator granted. Also note that the HR app could be configured/designed to allow consent by users for individual use.
  3. The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator.
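The following is an added example, not code from the original article or from Microsoft: a small in-memory model that exercises the rules stated in the "Relationship between application objects and service principals" section, the "Consequences of modifying and deleting applications" section, and the HR app scenario above. It is not Microsoft Graph or the Entra ID implementation; the Directory class, the tenant names (adatum, contoso, fabrikam), the permission names and the generated IDs are constructed for illustration.

```python
"""Constructed in-memory model of the application object / service principal
relationship. Added teaching example; not Microsoft Graph or Entra ID itself.
Tenant names, permission names and generated IDs are made up."""
from dataclasses import dataclass
import uuid


@dataclass
class Application:
    """The single, global application object; it lives only in the home tenant."""
    app_id: str                   # the globally unique app/client ID
    home_tenant: str
    display_name: str
    multitenant: bool             # single tenant vs multitenant, chosen at registration
    required_permissions: tuple   # resources the app declares it may need (static property)


@dataclass
class ServicePrincipal:
    """Local representation (instance) of the application inside one tenant."""
    object_id: str
    tenant: str
    app_id: str                   # back-reference to the global application object
    display_name: str             # inherited from the application object
    granted_permissions: tuple    # what an admin in *this* tenant actually consented to


class Directory:
    """Stand-in for the directories of several tenants (hypothetical helper)."""

    def __init__(self):
        self.applications = {}            # app_id -> Application
        self.service_principals = {}      # (tenant, app_id) -> ServicePrincipal
        self.deleted_applications = {}    # app_id -> Application (soft-deleted)

    def register_application(self, home_tenant, display_name, multitenant, permissions):
        """Registration creates the application object and, in the same step,
        its home-tenant service principal (as the admin center does)."""
        app = Application(str(uuid.uuid4()), home_tenant, display_name,
                          multitenant, tuple(permissions))
        self.applications[app.app_id] = app
        self._add_service_principal(home_tenant, app, app.required_permissions)
        return app

    def _add_service_principal(self, tenant, app, granted):
        sp = ServicePrincipal(str(uuid.uuid4()), tenant, app.app_id,
                              app.display_name, tuple(granted))
        self.service_principals[(tenant, app.app_id)] = sp
        return sp

    def admin_consent(self, tenant, app_id, granted):
        """An administrator of a consumer tenant consents: a service principal
        is created there, carrying only the permissions that admin granted."""
        app = self.applications[app_id]
        if tenant != app.home_tenant and not app.multitenant:
            raise PermissionError(f"{app.display_name} is single tenant; {tenant} cannot consent")
        undeclared = set(granted) - set(app.required_permissions)
        if undeclared:
            # Simplification: consent is limited to permissions the app object declares.
            raise ValueError(f"not declared by the app object: {sorted(undeclared)}")
        return self._add_service_principal(tenant, app, granted)

    def service_principals_for_app(self, app_id):
        """The one-to-many side: every tenant-local instance of one application object."""
        return [sp for (_, a), sp in self.service_principals.items() if a == app_id]

    def rename_application(self, app_id, new_name):
        """Changes to the application object reach the home-tenant service
        principal only; consumer tenants keep their local copy unchanged."""
        app = self.applications[app_id]
        app.display_name = new_name
        home_sp = self.service_principals.get((app.home_tenant, app_id))
        if home_sp:
            home_sp.display_name = new_name

    def delete_application(self, app_id):
        """Deleting the application object also deletes its home-tenant service
        principal; service principals in consumer tenants are untouched."""
        app = self.applications.pop(app_id)
        self.service_principals.pop((app.home_tenant, app_id), None)
        self.deleted_applications[app_id] = app

    def restore_application(self, app_id):
        """Restoring the application object does not restore its service principal."""
        self.applications[app_id] = self.deleted_applications.pop(app_id)


def hr_app_scenario():
    """Walk the HR app example and report which tenants hold a service principal."""
    d = Directory()
    hr = d.register_application("adatum", "HR app", True, ["User.Read.All"])
    d.admin_consent("contoso", hr.app_id, ["User.Read.All"])
    d.admin_consent("fabrikam", hr.app_id, [])     # Fabrikam's admin grants nothing yet
    after_consent = sorted(sp.tenant for sp in d.service_principals_for_app(hr.app_id))
    d.delete_application(hr.app_id)
    d.restore_application(hr.app_id)
    after_restore = sorted(sp.tenant for sp in d.service_principals_for_app(hr.app_id))
    return {"after_consent": after_consent, "after_restore": after_restore,
            "app_object_exists": hr.app_id in d.applications}
```

Calling `hr_app_scenario()` shows three service principals after consent (Adatum, Contoso, Fabrikam) and, after a delete followed by a restore, an application object that exists again but only the two consumer-tenant service principals: the home-tenant service principal is gone and has to be recreated. The `admin_consent` refusal for a single-tenant app and the `rename_application` propagation to the home tenant only mirror the remaining rules in the text.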

Next steps

Learn how to create a service principal: