StephanG asked:

AAD Service User or Enterprise App / App registration - what to prefer?

Hi everyone,

After moving to the cloud, more and more "extra" solutions are deployed into our tenant.
Some of them use a "service user" (license needed) and some of them leverage "enterprise apps"; some use both.

How to best secure these service users and apps? And is there a best practice on what to use?
I am no developer, so I have no clue how to best develop integrations into the M365 environment.

BR
Stephan


vipulsparsh-MSFT answered:

@StephanG Here is the difference:

For every application registered in AAD, two types of objects get created in the tenant once the app registration is done.

  • Application Object

  • Service Principal Object

The Application Object is what you see under App Registrations in AAD. This object acts as the template where you can go ahead and configure various things like API Permissions, Client Secrets, Branding, App Roles, etc. All these customizations that you make to your app, get written to the app manifest file. The application object describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

The Service Principal Object is what you see under the Enterprise Registration blade in AAD. Every Application Object (created through the Azure Portal or using the Microsoft Graph APIs, or AzureAD PS Module) would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

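The appId is the link between the two objects described in the answer above, and it is also what an admin joins on when auditing a tenant. The following is an added example, not code from the answer or from Microsoft: it joins constructed sample app registrations to constructed service principals the way the Graph `applications` and `servicePrincipals` collections would be joined, and flags settings a defender would review. Field names are assumed to follow the Graph schema (`appId`, `passwordCredentials[].endDateTime`, `appRoleAssignmentRequired`); the sample data and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample audit is reproducible (assumption for the demo).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
# Constructed sample: application objects as the App Registrations blade /
# Graph /applications shows them (only the fields used here are included).
APPLICATIONS = [
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "HR Sync",
     "passwordCredentials": [{"keyId": "s1", "endDateTime": "2022-06-20T00:00:00Z"}]},
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Yammer Bot",
     "passwordCredentials": [{"keyId": "s2", "endDateTime": "2024-01-01T00:00:00Z"},
                             {"keyId": "s3", "endDateTime": "2023-01-01T00:00:00Z"}]},
]
# Constructed sample: service principals as the Enterprise Applications blade /
# Graph /servicePrincipals shows them. The second one has no local app object,
# i.e. it is this tenant's instance of an app registered elsewhere (gallery app).
SERVICE_PRINCIPALS = [
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "HR Sync",
     "accountEnabled": True, "appRoleAssignmentRequired": False},
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000003", "displayName": "Gallery App",
     "accountEnabled": True, "appRoleAssignmentRequired": True},
]

def audit(applications, service_principals, now=NOW, warn_days=30):
    """Join app objects to service principals on appId and return
    (appId, finding) tuples a defender would review, in a stable order."""
    sps = {sp["appId"]: sp for sp in service_principals}
    findings = []
    for app in applications:
        app_id, sp = app["appId"], sps.get(app["appId"])
        if sp is None:
            findings.append((app_id, "NO_SP"))           # never instantiated in this tenant
        elif not sp.get("appRoleAssignmentRequired", False):
            findings.append((app_id, "OPEN_SIGNIN"))     # any tenant user may sign in
        secrets = app.get("passwordCredentials", [])
        for cred in secrets:
            # Graph returns ISO-8601 with a trailing Z; make it tz-aware before comparing.
            left = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00")) - now
            if left <= timedelta(0):
                findings.append((app_id, "SECRET_EXPIRED:" + cred["keyId"]))
            elif left <= timedelta(days=warn_days):
                findings.append((app_id, "SECRET_EXPIRING:" + cred["keyId"]))
        if len(secrets) > 1:
            findings.append((app_id, "MULTIPLE_SECRETS"))  # rotate, then remove the old one
    for app_id in sorted(sps.keys() - {a["appId"] for a in applications}):
        findings.append((app_id, "FOREIGN_APP"))         # app object lives in another tenant
    return findings
```

With real data, the two input lists come from the Graph `applications` and `servicePrincipals` endpoints for the tenant.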

StephanG answered:

Thanks for the quick response, but that I already found.

I meant that some of the deployed solutions use "real AAD user accounts", e.g. SA_YammerManager@mytenant.onmicrosoft.com.
How to best secure them?


vipulsparsh-MSFT commented:

@StephanG Here are a few things you can do, although the complete list might not be applicable to you.



0 Votes 0 ·
StephanG avatar image
0 Votes"
StephanG answered vipulsparsh-MSFT commented

Thanks @vipulsparsh-MSFT, we have done that for all our normal users already.
But most settings are not suitable for service accounts because they execute without user interaction from many source IPs (Azure web app). So the question is: is every task a service user can do also possible with an enterprise app?
