Mullins

Reputation: 77

Service principals created by app registration - mandatory?

When I register an application, a service principal is created. My understanding is that when the application is registered in Azure AD, the application object is what contains the config in terms of how tokens can be issued, resources that can be accessed, and the actions that the application can take.

The automatically generated service principal inherits from this application object.

I have an application registered that has permission to make calls to the Azure Storage API, with permissions defined as being "user_permissions", i.e., permissions will be determined by the AAD group memberships the user in question has.

However, I notice that when a user uses the application and authenticates themselves/authorises the application to access Azure Storage resources on their behalf, they now appear under the service principal (documented in the Enterprise Applications section of the Azure portal) 'User and Groups' section. They are detailed as being users with "Default Access".

Which mechanism is this? What role is the service principal playing? Does the user's authorisation mean that they are added to the service principal, thus allowing them to access Azure storage through the application? Is that what users are consenting to; having themselves added to the service principal? Thanks!

Upvotes: 0

Views: 279

Answers (1)

Allen Wu

Reputation: 16438

I found why my behavior is different from yours.

I clicked on "Grant admin consent for {my tenant}" in the app registration in advance, so the user consent prompt doesn't pop up for me.

If I revoke the admin consent, when I do user consent for a user, it does appear in the enterprise app.

I don't think you need to pay attention to this behavior. But I can tell that it should have no effect on whether users are authorized to log in to the App.

What really works is this:


As long as the user appears in the consented users list, it is authorized to log in to the App.

You can delete the users from Users and groups and it will not have any effect.

Please note that if you configure the User assignment required? toggle to Yes, adding users to Users and groups is necessary.


UPDATE:

At what stage of app registration does "Grant admin consent for {my tenant}" appear for you?

After you add any permissions, you can click on "Grant admin consent for {my tenant}" here (it requires you to be at least an application admin):


Upvotes: 0
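The answer above distinguishes two different lists on the enterprise app: the OAuth2 permission grants (the consent records that actually authorise sign-in) and the app role assignments shown in the Users and groups blade (where a user-consented user appears with "Default Access"). The script below, an added example that is not part of the original question or answer, dumps both lists for one app registration with the Microsoft Graph PowerShell SDK so you can see which one a given user is in, and shows where the User assignment required toggle lives. It assumes the Microsoft.Graph module is installed, that the signed-in account can read applications and directory objects, and that $AppId is a placeholder for your own app registration's Application (client) ID.

```powershell
# Added example (not from the original post): list consent grants versus
# app role assignments for the service principal behind an app registration.
# Assumptions: Microsoft.Graph module installed; $AppId is a placeholder for
# your app registration's Application (client) ID.
param(
    [Parameter(Mandatory)] [string] $AppId
)

# Read-only scopes are enough to inspect. The commented-out Update-* call at
# the end would additionally need Application.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# The enterprise app (service principal) created from the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"
Write-Host "User assignment required: $($sp.AppRoleAssignmentRequired)"

# 1) Consent records for delegated permissions. ConsentType 'AllPrincipals'
#    is tenant-wide admin consent; 'Principal' is one user's own consent and
#    carries that user's object ID in PrincipalId.
Write-Host "`n== OAuth2 permission grants (the consented users list) =="
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $who = if ($_.ConsentType -eq 'AllPrincipals') {
            'ALL USERS (admin consent)'
        } else {
            (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName
        }
        [pscustomobject]@{
            ConsentType = $_.ConsentType
            Principal   = $who
            Scope       = $_.Scope
        }
    } | Format-Table -AutoSize

# 2) App role assignments: this is the Users and groups blade. The all-zero
#    AppRoleId is the "Default Access" entry the question describes.
Write-Host "`n== App role assignments (Users and groups blade) =="
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType,
        @{ n = 'Role'; e = {
            if ($_.AppRoleId -eq '00000000-0000-0000-0000-000000000000') { 'Default Access' }
            else { $_.AppRoleId }
        } } |
    Format-Table -AutoSize

# Hardening noted at the end of the answer: once this flag is $true, only
# principals listed in Users and groups can sign in, regardless of consent.
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
```

Run it as `.\Show-EnterpriseAppAccess.ps1 -AppId <client-id>` (script name is an assumption). A user who consented individually shows up in the first table with ConsentType `Principal` and, as the answer describes, in the second table with "Default Access"; after tenant-wide admin consent the first table instead holds a single `AllPrincipals` row and no per-user entry is created, which is the difference in behaviour the answer observed. Deleting a row from the second table changes nothing about sign-in unless `AppRoleAssignmentRequired` is `$true`.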
