Relationship between Service Principal and Client Secret

Somansh Reddy 136 Reputation points
2020-09-03T17:36:17.197+00:00

Is the Client Secret a password for the Service Principal? Or is it a password for the global application object itself?

Tags: Azure Role-based access control, Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,346 Reputation points Microsoft Employee
    2020-09-04T21:46:39.423+00:00

    @Somansh Reddy
    I hope this helps!

    Application Object:
    An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered. The App registrations blade in the Azure portal is used to list and manage the application objects in your home tenant.

    22755-appreg.jpg

    Service Principal Object:
    A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

    The Enterprise applications blade in the portal is used to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.

    22756-serviceprinciples.jpg

    Global Application Object
    The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

    Client Secret:
    A client secret is a secret string that the application uses to prove its identity when requesting a token; it can also be referred to as an application password.
    22801-clientsecret.jpg

    This client secret belongs to the Application Object/Global Application Object (App Registration), and from my understanding, since the Service Principal is a local representation or instance of that application object, it has access to the client secret to establish an identity for sign-in and/or access to resources being secured by the tenant.

    Please let me know if you have any other questions.
    Thank you for your time!

    4 people found this answer helpful.
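To make the relationship in the accepted answer concrete, here is an added example (not from the thread, and a simplified model rather than Entra ID's actual implementation): the secret is stored on the single global application object, while each tenant holds its own service principal that decides what the app may do there. Tenant names, the `app-0001` application ID and the error strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class ApplicationObject:
    """Global app registration: client secrets belong here (only hashes are kept)."""
    app_id: str
    secret_hashes: list = field(default_factory=list)  # (sha256 hex, expiry)

    def add_secret(self, now, lifetime_days=180):
        plaintext = secrets.token_urlsafe(32)  # shown once at creation, as in the portal
        self.secret_hashes.append((hashlib.sha256(plaintext.encode()).hexdigest(),
                                   now + timedelta(days=lifetime_days)))
        return plaintext

@dataclass
class ServicePrincipal:  # local instance of the app in one tenant
    tenant_id: str
    app_id: str
    roles: list = field(default_factory=list)  # tenant-specific authorization
APPS: dict = {}  # global application objects, keyed by app_id
SPS: dict = {}   # service principals, keyed by (tenant_id, app_id)

def issue_token(tenant_id, client_id, client_secret, now):
    """Client-credentials grant: secret checked on the app object, roles taken from the SP."""
    sp = SPS.get((tenant_id, client_id))
    if sp is None:  # the app was never instantiated (consented) in this tenant
        return {"error": "unauthorized_client"}
    digest = hashlib.sha256(client_secret.encode()).hexdigest()
    for stored, expiry in APPS[client_id].secret_hashes:
        if hmac.compare_digest(stored, digest) and now < expiry:
            return {"tid": tenant_id, "appid": client_id, "roles": list(sp.roles)}
    return {"error": "invalid_client"}

def run_scenario(now=None):  # constructed: app in tenant-A, consented in tenant-B, not in tenant-C
    now = now or datetime.now(timezone.utc)
    APPS.clear(); SPS.clear()
    app_id = "app-0001"  # placeholder, not a real application (client) ID
    secret = APPS.setdefault(app_id, ApplicationObject(app_id)).add_secret(now)
    SPS[("tenant-A", app_id)] = ServicePrincipal("tenant-A", app_id, ["Owner"])
    SPS[("tenant-B", app_id)] = ServicePrincipal("tenant-B", app_id, ["Reader"])
    return {"home": issue_token("tenant-A", app_id, secret, now),
            "other": issue_token("tenant-B", app_id, secret, now),
            "no_sp": issue_token("tenant-C", app_id, secret, now),
            "wrong": issue_token("tenant-A", app_id, "not-the-secret", now),
            "expired": issue_token("tenant-A", app_id, secret, now + timedelta(days=181))}
```

The same secret authenticates the app in every tenant that has a service principal for it, but the roles in the resulting token come from that tenant's service principal, and a tenant without one rejects the app regardless of the secret.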

2 additional answers

  1. Vasil Michev 92,596 Reputation points MVP
    2020-09-04T07:17:36.843+00:00

    It's for the global app object.

    1 person found this answer helpful.

  2. Bhanot Ravi 31 Reputation points
    2020-09-04T18:27:53.853+00:00

    Hi Michev,

    I think the client secret is a password for the Service Principal, which is the local representation of the application in a tenant. The application object is the global representation of the application, to be used across all tenants.

    Hi SomanshReddy-4380, I think when the client secret is created, that is the distinguishing credential for each Service Principal and for the application.

    Those are my thoughts, but let's see if someone else from the community can help us in our understanding.

    Thanks,
    Ravi

    1 person found this answer helpful.