Azure AD: Enterprise Applications, Service Principals, and App Registrations

Jun 27, 2024

Introduction

  • Deep dive into Azure AD components:
    • Enterprise applications
    • Service principals
    • App registrations
  • Focus on understanding the 'why' before the 'what'

Key Concepts and Components

Resource Owner and Server

  • Resource Owner: Holds the data (emails, pictures, address book, etc.)
  • Resource Server: Hosts the data and exposes an API
  • Scopes: Permissions/actions on the data (e.g., read, write, send)
  • Authorization Server: Authenticates and authorizes the Resource Owner
    • Performs OAuth2 for authorization and OpenID Connect for authentication

Client Applications

  • Clients: Apps that access the resource server on behalf of the user
    • Types: Mobile app, web server, single-page app, etc.
  • Registration: Clients must register with the authorization server
    • Issued a client ID and, optionally, a credential (a client secret or a certificate)

OAuth2 Flow

Authorization Process

  1. Client Registration: Register with authorization server; get client ID and optionally secret/cert.
  2. User Interacts: User accesses the client to perform a task.
  3. Authentication & Consent:
    • Client redirects the user to the authorization server with its client ID, the requested scopes, and a redirect URI.
    • User authenticates and consents.
  4. Authorization Code: Returned to the client at the redirect URI upon consent.
  5. Token Exchange: Client exchanges the authorization code for access and refresh tokens.
    • Can include a proof key (PKCE) so that only the client that started the flow can redeem the authorization code.
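Steps 3 to 5 with PKCE, as an added example (not part of the lecture): the client side derives the proof key and builds the authorize and token requests against the Microsoft identity platform v2.0 endpoints, and the authorization-server side shows the check that binds the code to the client that started the flow. Tenant, client ID and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Microsoft identity platform v2.0 authority; {tenant} is a tenant ID, domain, or "common"
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def make_code_verifier(nbytes: int = 32) -> str:
    """PKCE code_verifier: 43..128 unreserved chars (32 random bytes -> 43 chars base64url)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, challenge: str) -> str:
    """Step 3: the redirect the client sends the user to (public client, no secret involved)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                      # CSRF binding, checked when the code comes back
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urllib.parse.urlencode(params)


def build_token_request(tenant: str, client_id: str, redirect_uri: str,
                        code: str, verifier: str) -> tuple[str, dict]:
    """Step 5: POST body that redeems the code; the verifier is the proof key, sent in clear now."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return AUTHORITY.format(tenant=tenant) + "/token", body


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side: a stolen code is useless without the matching verifier."""
    if stored_method != "S256":
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

The server stores the challenge it saw at step 3 alongside the issued code and recomputes it from the verifier presented at step 5; a mismatch rejects the exchange.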

Client Types

  • Confidential Clients: Can keep secrets (e.g., web server)
  • Public Clients: Cannot keep secrets (e.g., browser app, native app)

Tokens

  • Access Token: Used to access the resource server
  • Refresh Token: Used to obtain new access tokens without re-authentication

Application in Azure AD Context

App Registration and Service Principals

  • App Registration: Registers an application in Azure AD
    • Given globally unique Client ID
    • Can be single or multi-tenant
  • Service Principal: Local representation of the app in every tenant that uses the app
    • Handles management, consent tracking, and scope configuration
    • Created automatically upon user/tenant consent
    • Listed under Enterprise Applications in Azure AD

Multi-Tenant Considerations

  • When a different tenant wants to use the app:
    • Initial user/enterprise admin consents
    • Azure AD creates a Service Principal in the new tenant referencing the original app object

Administration

  • Admins can configure user consent settings:
    • Control which users can consent to new apps
    • Pre-consent on behalf of all users in the tenant

Summary

  • App Registration: Developer registers app, creating a single globally unique app object.
  • Service Principal: Created in each tenant that uses the app.
  • Enterprise Applications: Lists service principals for apps used within a tenant.

Conclusion

  • Ensures secure, manageable access delegation through Azure AD.
  • Watch the lecture again for clarity and a deep understanding.