Service Principal Accounts Management
Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management, such as Management Groups, Subscriptions, Resource Groups and Role Assignment, or Service Principal Accounts Management), you must have
To access resources that are secured by a Microsoft Entra ID tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Microsoft Entra ID tenant.
With this feature, the connector supports managing such Service Principals for enterprise applications as Accounts.
Note
To gauge the probability of compromised service principal (workload identity) accounts in your environment, refer to Risky Service Principal Alert Feature for more information.
Supported Operations
The following operations are supported for the Azure Service Principal:
| Operations | Service Principal |
|---|---|
| Aggregation | Yes |
| Partitioning Aggregation | Yes |
| Get Account | Yes |
| Create | Yes |
| Update Basic and Non-Basic (Certificates and Secrets, Owners, etc.) Attributes | Yes |
| Delete | Yes |
| Enable and Disable Users | Yes |
| Add and Remove Entitlements | Yes |
Administrator Permissions
| Purpose | Permissions |
|---|---|
| Aggregation of Service Principals | Application.Read.All |
| Create and Update Service Principals | Application.ReadWrite.All |
| Add and Remove Owners | Application.ReadWrite.OwnedBy |
| Add and Remove Application Roles for Service Principals | AppRoleAssignment.ReadWrite.All |
| Aggregation of Application Roles | Application.Read.All |
| Aggregation and Add/Remove Microsoft Entra ID Group and Roles for Service Principals | Refer to Required Permissions. |
| Aggregation and Add/Remove RBAC Roles for Service Principals | Refer to Group Attributes for Azure Cloud Objects. |
| Aggregation and Add/Remove PIM Azure Active and Microsoft Entra ID Roles for Service Principals | |
| Aggregation of Admin/User Consented Permissions for Service Principals | DelegatedPermissionGrant.Read.All |
| Add/Remove Admin Consented Delegated Permissions for Service Principals | DelegatedPermissionGrant.ReadWrite.All |
| Remove User Consented Delegated Permissions for Service Principals | DelegatedPermissionGrant.ReadWrite.All |
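The table above is the basis for a least-privilege check: grant the connector's app registration only the Microsoft Graph permissions required by the operations you actually enable. The script below is an added example, not part of the connector documentation; the operation keys and the assigned permission list are constructed sample data, and it assumes that a ReadWrite permission covers the matching Read permission.

```python
# Added example: compute the least-privilege Graph permission set for the
# connector operations you enable (taken from the permissions table above)
# and compare it with what is assigned to the connector's app registration.
# The operation keys and the sample assignment below are constructed.

# Operation -> Graph application permission, as listed in the table above.
REQUIRED_PERMISSION = {
    "aggregate_service_principals": "Application.Read.All",
    "create_update_service_principals": "Application.ReadWrite.All",
    "add_remove_owners": "Application.ReadWrite.OwnedBy",
    "add_remove_app_roles": "AppRoleAssignment.ReadWrite.All",
    "aggregate_app_roles": "Application.Read.All",
    "aggregate_consented_permissions": "DelegatedPermissionGrant.Read.All",
    "add_remove_admin_consented_delegated": "DelegatedPermissionGrant.ReadWrite.All",
    "remove_user_consented_delegated": "DelegatedPermissionGrant.ReadWrite.All",
}

# Assumption: a ReadWrite permission covers the matching Read permission,
# so the Read variant is redundant once the ReadWrite one is granted.
COVERS = {
    "Application.ReadWrite.All": {"Application.Read.All"},
    "DelegatedPermissionGrant.ReadWrite.All": {"DelegatedPermissionGrant.Read.All"},
}


def minimal_permissions(enabled_operations):
    """Smallest permission set for the enabled operations, Read collapsed into ReadWrite."""
    needed = {REQUIRED_PERMISSION[op] for op in enabled_operations}
    redundant = set()
    for perm in needed:
        redundant |= COVERS.get(perm, set())
    return needed - redundant


def review_assignment(enabled_operations, assigned_permissions):
    """Return (missing, excess): permissions still to grant, and grants to narrow or remove."""
    needed = minimal_permissions(enabled_operations)
    assigned = set(assigned_permissions)
    covered = set()
    for perm in assigned:
        covered |= COVERS.get(perm, set())
    missing = {p for p in needed if p not in assigned and p not in covered}
    excess = assigned - needed  # includes ReadWrite grants where Read would do
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: aggregation plus app-role management, but the app
    # registration was granted broader write permissions than those need.
    enabled = ["aggregate_service_principals", "add_remove_app_roles"]
    assigned = ["Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                "Directory.ReadWrite.All"]
    print("minimal:", sorted(minimal_permissions(enabled)))
    print("missing, excess:", review_assignment(enabled, assigned))
```

An entry in the excess set that is the ReadWrite form of a needed Read permission (here Application.ReadWrite.All) should be narrowed to the Read variant rather than simply removed.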
Supported Schema Attributes
To aggregate service principal-related information for the user during account aggregation, ensure that the service principal attributes are present in the account schema. For more information, refer to Service Principal as Accounts Attributes.
Supported Provisioning Attributes
To provision service principal-related information, ensure that the attributes in Create Policy for Service Principal are present in your provisioning policy.
Deleting Service Principal
For more information on deleting the service principal while retaining the corresponding application, refer to Additional Configuration Parameters.
Managing Admin Consented Permissions
For more information on enabling the flag to manage admin consented permissions for service principals, refer to Additional Configuration Parameters.
Note
This applies to delegated permissions.