Reputation: 121
I already know the difference between App Registration and Service Principal in Azure. There is also a good explanation in this post: Difference between "enterprise application" and "app registration" in Azure.
However, when an app registration is created, an application ID and a secret or certificate are created. At the same time, a service principal which refers to the app registration is also created within the tenant.
So my question would be: do the app registration and the service principal have the same secret? If the secret for the app registration expires and I update it, what happens with the secret of the service principal, is it also updated? And vice versa, if the secret for the service principal expires and I update it, what happens with the secret of the app registration, is it also updated? I guess no, because the service principal inherits the settings from the app registration.
Any explanation about the relationship between the app registration's secret and the service principal's secret would be helpful.
Update 31.01.2020: I have an app registration called sp-acr-mit-pull and also a corresponding service principal which refers to this app reg., and of course both have the same app ID and different object IDs.
Now if I check the endDate of the app registration, it is empty.
If I check the endDate of the SP, it shows me the expiry date.
If I perform an update of the service principal via the command
az ad sp credential reset --name sp-acr-mit-pull --years 2
the opposite happens: I can see the new expiry date for the app registration and the old one for the service principal.
Upvotes: 2
Views: 3314
Reputation: 11401
> However, when an app registration is created, an application ID and a secret or certificate are created. At the same time, a service principal which refers to the app registration is also created within the tenant.

This is only when you create the App Registration from the Portal. In the portal both are created simultaneously when an app is registered in Azure AD. But in CLI, PowerShell or any other programmatic way it is done manually by creating an app registration first and then associating it with the service principal.

> So my question would be: do the app registration and the service principal have the same secret? If the secret for the app registration expires and I update it, what happens with the secret of the service principal, is it also updated? And vice versa, if the secret for the service principal expires and I update it, what happens with the secret of the app registration, is it also updated? I guess no, because the service principal inherits the settings from the app registration.

Both the App Registration secret and the Service Principal secret are used by one Azure AD client, so creating either depends on your requirement.
The secret of the App Registration can be seen from the Portal, whereas it's not the same for the secret of the Service Principal. So, the App Registration and Service Principal have the same secret but are independent of each other.
So, for example, if you create a secret for the service principal from CLI/any command (which is the only way to create a secret for a service principal as of now), then you will have to auto rotate it as well, because the service principal secret will not be visible from the portal. But at the same time, if you create a secret for the app registration, then even if you forget to rotate it, it will be visible from the portal as expired and you can rotate it then.
For more details on the difference and relationship between App Registration and Service Principal, you can refer to this Microsoft Documentation.
Upvotes: 1
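One way to track the expiry dates discussed in this thread is to list the secrets held on each object separately. The following is an added example, not code from either post: it assumes the JSON of `az ad app show --id <appId>` and `az ad sp show --id <appId>` has been saved, uses the Microsoft Graph property names `passwordCredentials`, `keyId` and `endDateTime` (falling back to the `endDate` name used in the question), and runs on constructed sample objects.

```python
import json
from datetime import datetime, timezone

# Constructed sample objects (not real tenant data), shaped like the JSON that
# `az ad app show --id <appId>` and `az ad sp show --id <appId>` return.
APP_JSON = """{"appId": "00000000-0000-0000-0000-000000000001",
 "passwordCredentials": [{"keyId": "aaaa1111", "endDateTime": "2022-01-31T10:00:00Z"}]}"""
SP_JSON = """{"appId": "00000000-0000-0000-0000-000000000001",
 "passwordCredentials": [{"keyId": "bbbb2222", "endDateTime": "2020-06-30T10:00:00Z"}]}"""


def parse_end(cred):
    # Microsoft Graph names the field endDateTime; the question's output used endDate.
    raw = cred.get("endDateTime") or cred.get("endDate")
    if raw is None:
        return None
    end = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return end if end.tzinfo else end.replace(tzinfo=timezone.utc)


def audit(app, sp, now, warn_days=30):
    """Return one finding per secret, tagged with the object that holds it."""
    if app["appId"] != sp["appId"]:
        raise ValueError("objects belong to different applications")
    findings = []
    for holder, obj in (("application", app), ("servicePrincipal", sp)):
        for cred in obj.get("passwordCredentials") or []:
            end = parse_end(cred)
            if end is None:
                status = "no-expiry-recorded"
            elif end <= now:
                status = "expired"
            elif (end - now).days < warn_days:
                status = "expiring"
            else:
                status = "ok"
            findings.append({"holder": holder, "keyId": cred.get("keyId"),
                             "end": end, "status": status})
    return findings


if __name__ == "__main__":
    now = datetime(2020, 7, 15, tzinfo=timezone.utc)  # fixed date for reproducible output
    for f in audit(json.loads(APP_JSON), json.loads(SP_JSON), now):
        print(f"{f['holder']:<17} {f['keyId']} {f['status']} {f['end']}")
```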