Service Principal as Accounts Attributes

Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management , such as, Management Groups, Subscriptions, Resource Groups and Role Assignment or Service Principal Accounts Management), you must have IdentityIQ Cloud Governance license. If you already have a Cloud Access Management (CAM) license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

To manage Service Principals, following lists the attributes that are present in the account schema:

Schema Attribute Name

Type

Description

objectId

String

The ID of the user, service principal, or managed identity.

This is an Identity Attribute that must not be changed.

accountEnabled

Boolean

This is set to true if the user, service principal, or managed identity is enabled. Otherwise, this is set to false.

spn_appDisplayName

String

The display name for the application.

spn_app_Description

String

This is a free-text field for providing the description of the application object to end users. The maximum size is 1024 characters.

spn_appId

String

This is the unique identifier for the application that is assigned to an application by Microsoft Entra ID.

spn_applicationTemplateId

String

This is the unique identifier of the application template.

spn_appOwnerOrganizationId

String

This contains the tenant ID where the application is registered.

spn_createdDateTime

String

This is the date and time the application was registered.

spn_homepage

String

This is the home page or landing page of the application.

spn_loginUrl

String

Displays the URL where the service provider redirects the user to Microsoft Entra ID to authenticate.

spn_logoutUrl

String

Displays the URL that will be used by Microsoft's authorization service to log out a user.

description

String

The description that is displayed in the address book for the user or service principal.

displayName

String

The name displayed in the address book for the user or service principal.

spn_servicePrincipalType

String

Identifies whether the service principal represents an application, managed identity, or legacy application.

spn_signInAudience

 

Displays the Microsoft accounts that are supported for the current application.

spn_passwordCredentials

String

Multi

The collection of password credentials associated with the application.

spn_keyCredentials

String

Multi

The collection of key credentials associated with the service principal.

spn_tags

String

Multi

The custom strings that can be used to categorize and identify the service principal.

spn_app_owners

Note

Both Users and Applications (corresponding SPN) can be owners.

For consistency, the following are shown:

  • owner type :: displayName :: object Id

    Where owner type will either be SPN or User

String

Mutli

Directory objects that are owners of the application.

spn_owner

Note
Only Users can be owners of SPN. Showing displayName :: ObjectId

String

Multi

Directory objects that are owners of this servicePrincipal.

spn_app_passwordCredentials

Multi

The collection of password credentials associated with the application.

spn_app_keyCredentials

Multi

The collection of key credentials associated with the service principal.

spn_appRoles

String

Multi

The roles exposed by the application that this service principal represents.

appRoleAssignments

applicationRole

Multi

Managed

Lists the associated application roles for the Account. This is a multi-valued, entitlement, and managed attribute.

groups

group

Multi

Managed

Lists the associated groups for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute.

roles

roles

Multi

Managed

Lists the associated Microsoft Entra ID Roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute.

azureActiveRoles

azureActiveRole

Multi

Managed

Lists the associated Azure active roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute.

azureADActiveRoles

azureADActiveRole

Multi

Managed

Lists the associated Microsoft Entra ID roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute.

azureRoleAssignements

azureRoleAssignment

Multi

Managed

Lists the associated RBAC roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute.

spn_adminConsentedPermissions

adminConsentedPermission

Multi

Managed

Entitlement

Lists the associated Azure admin consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute.

spn_userConsentedPermissions

String

Multi

Managed

Entitlement

Lists the associated Azure user consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute.

Sample schema XML for managing service principals as accounts:

Copy
<Schema created="" displayAttribute="displayName" id="" identityAttribute="objectId" instanceAttribute="" modified="" nativeObjectType="account" objectType="account" significantModified="">  
    
      <AttributeDefinition name="accountEnabled" type="boolean">
        <Description>True if the account is enabled; otherwise, false</Description>
      </AttributeDefinition>

  <AttributeDefinition entitlement="true" managed="true" multi="true" name="azureRoleAssignments" schemaObjectType="azureRoleAssignment" type="string">
    <Description>Azure Role Assignments assigned to user</Description>
  </AttributeDefinition>
  
  <AttributeDefinition name="displayName" type="string">
    <Description>The name displayed in the address book for the user</Description>
  </AttributeDefinition>
  
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="groups" schemaObjectType="group" type="string">
    <Description>Groups assigned to a user</Description>
  </AttributeDefinition>
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="appRoleAssignments" schemaObjectType="applicationRole" type="string">
    <Description>Application roles assigned to a user</Description>
  </AttributeDefinition>
  
  <AttributeDefinition name="objectId" type="string">
    <Description>The unique identifier for the user</Description>
  </AttributeDefinition>
  
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="roles" schemaObjectType="role" type="string">
    <Description>Administrator Role assigned to user</Description>
  </AttributeDefinition>
  
  
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="azureActiveRoles" schemaObjectType="azureActiveRole" type="string">
    <Description>List of Azure Active Roles</Description>
  </AttributeDefinition>
 
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="azureADActiveRoles" schemaObjectType="azureADActiveRole" type="string">
    <Description>List of Entra ID Active Roles</Description>
  </AttributeDefinition>
  
  <AttributeDefinition name="spn_appDisplayName" type="string">
    <Description>The display name for the application</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_appDescription" type="string">
    <Description>This is a free-text field for providing the description of the application object to end users. The maximum size is 1024 characters.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_appId" type="string">
    <Description>This is the unique identifier for the application that is assigned to an application by Microsoft Entra ID.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_applicationTemplateId" type="string">
    <Description>This is the unique identifier of the application template.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_appOwnerOrganizationId" type="string">
    <Description>This contains the tenant ID where the application is registered.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_createdDateTime" type="string">
    <Description>This is the date and time the application was registered.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_homepage" type="string">
    <Description>This is the home page or landing page of the application.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_loginUrl" type="string">
    <Description>Displays the URL where the service provider redirects the user to Microsoft Entra ID to authenticate.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_logoutUrl" type="string">
    <Description>Displays the URL that will be used by Microsoft's authorization service to log out a user.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_servicePrincipalType" type="string">
    <Description>Identifies whether the service principal represents an application, managed identity, or legacy application.</Description>
  </AttributeDefinition>
  <AttributeDefinition name="spn_signInAudience" type="string">
    <Description>Displays the Microsoft accounts that are supported for the current application.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_passwordCredentials" type="string">
    <Description>The collection of password credentials associated with the application.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_keyCredentials" type="string">
    <Description>The collection of key credentials associated with the service principal.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_tags" type="string">
    <Description>The custom strings that can be used to categorize and identify the service principal.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_app_owners" type="string">
    <Description>Directory objects that are owners of the application.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_owners" type="string">
    <Description>Directory objects that are owners of this servicePrincipal.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_app_passwordCredentials" type="string">
    <Description>The collection of password credentials associated with the application.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_app_keyCredentials" type="string">
    <Description>The collection of password credentials associated with the application.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_appRoles" type="string">
    <Description>The roles exposed by the application that this service principal represents.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_adminConsentedPermissions" type="string">
    <Description>List of admin consented permissions assigned to service principal.</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="spn_userConsentedPermissions" type="string">
    <Description>List of user consented permissions assigned to service principal.</Description>
  </AttributeDefinition>
</Schema>

Note

The Service Principal object will also display Application object properties. Attributes with app in the name are Application object properties and all others are Service Principal object properties.

For example,

  • spn_app_owners is for directory objects that are owners of the application.

  • spn_owners is for directory objects that are owners of this service principal.