Service Principal as Accounts Attributes
Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management , such as, Management Groups, Subscriptions, Resource Groups and Role Assignment or Service Principal Accounts Management), you must have
To manage Service Principals, following lists the attributes that are present in the account schema:
Schema Attribute Name |
Type |
Description |
---|---|---|
objectId |
String |
The ID of the user, service principal, or managed identity. This is an Identity Attribute that must not be changed. |
accountEnabled |
Boolean |
This is set to true if the user, service principal, or managed identity is enabled. Otherwise, this is set to false. |
spn_appDisplayName |
String |
The display name for the application. |
spn_app_Description |
String |
This is a free-text field for providing the description of the application object to end users. The maximum size is 1024 characters. |
spn_appId |
String |
This is the unique identifier for the application that is assigned to an application by Microsoft Entra ID. |
spn_applicationTemplateId |
String |
This is the unique identifier of the application template. |
spn_appOwnerOrganizationId |
String |
This contains the tenant ID where the application is registered. |
spn_createdDateTime |
String |
This is the date and time the application was registered. |
spn_homepage |
String |
This is the home page or landing page of the application. |
spn_loginUrl |
String |
Displays the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. |
spn_logoutUrl |
String |
Displays the URL that will be used by Microsoft's authorization service to log out a user. |
description |
String |
The description that is displayed in the address book for the user or service principal. |
displayName |
String |
The name displayed in the address book for the user or service principal. |
spn_servicePrincipalType |
String |
Identifies whether the service principal represents an application, managed identity, or legacy application. |
spn_signInAudience |
|
Displays the Microsoft accounts that are supported for the current application. |
spn_passwordCredentials |
String Multi |
The collection of password credentials associated with the application. |
spn_keyCredentials |
String Multi |
The collection of key credentials associated with the service principal. |
spn_tags |
String Multi |
The custom strings that can be used to categorize and identify the service principal. |
spn_app_owners Note Both Users and Applications (corresponding SPN) can be owners. For consistency, the following are shown:
|
String Mutli |
Directory objects that are owners of the application. |
spn_owner Note
|
String Multi |
Directory objects that are owners of this servicePrincipal. |
spn_app_passwordCredentials |
Multi |
The collection of password credentials associated with the application. |
spn_app_keyCredentials |
Multi |
The collection of key credentials associated with the service principal. |
spn_appRoles |
String Multi |
The roles exposed by the application that this service principal represents. |
appRoleAssignments |
applicationRole Multi Managed |
Lists the associated application roles for the Account. This is a multi-valued, entitlement, and managed attribute. |
groups |
group Multi Managed |
Lists the associated groups for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
roles |
roles Multi Managed |
Lists the associated Microsoft Entra ID Roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
azureActiveRoles |
azureActiveRole Multi Managed |
Lists the associated Azure active roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
azureADActiveRoles |
azureADActiveRole Multi Managed |
Lists the associated Microsoft Entra ID roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
azureRoleAssignements |
azureRoleAssignment Multi Managed |
Lists the associated RBAC roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
spn_adminConsentedPermissions |
adminConsentedPermission Multi Managed Entitlement |
Lists the associated Azure admin consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute. |
spn_userConsentedPermissions |
String Multi Managed Entitlement |
Lists the associated Azure user consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute. |
Sample schema XML for managing service principals as accounts:
<Schema created="" displayAttribute="displayName" id="" identityAttribute="objectId" instanceAttribute="" modified="" nativeObjectType="account" objectType="account" significantModified="">
<AttributeDefinition name="accountEnabled" type="boolean">
<Description>True if the account is enabled; otherwise, false</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="azureRoleAssignments" schemaObjectType="azureRoleAssignment" type="string">
<Description>Azure Role Assignments assigned to user</Description>
</AttributeDefinition>
<AttributeDefinition name="displayName" type="string">
<Description>The name displayed in the address book for the user</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="groups" schemaObjectType="group" type="string">
<Description>Groups assigned to a user</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="appRoleAssignments" schemaObjectType="applicationRole" type="string">
<Description>Application roles assigned to a user</Description>
</AttributeDefinition>
<AttributeDefinition name="objectId" type="string">
<Description>The unique identifier for the user</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="roles" schemaObjectType="role" type="string">
<Description>Administrator Role assigned to user</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="azureActiveRoles" schemaObjectType="azureActiveRole" type="string">
<Description>List of Azure Active Roles</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="azureADActiveRoles" schemaObjectType="azureADActiveRole" type="string">
<Description>List of Entra ID Active Roles</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_appDisplayName" type="string">
<Description>The display name for the application</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_appDescription" type="string">
<Description>This is a free-text field for providing the description of the application object to end users. The maximum size is 1024 characters.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_appId" type="string">
<Description>This is the unique identifier for the application that is assigned to an application by Microsoft Entra ID.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_applicationTemplateId" type="string">
<Description>This is the unique identifier of the application template.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_appOwnerOrganizationId" type="string">
<Description>This contains the tenant ID where the application is registered.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_createdDateTime" type="string">
<Description>This is the date and time the application was registered.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_homepage" type="string">
<Description>This is the home page or landing page of the application.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_loginUrl" type="string">
<Description>Displays the URL where the service provider redirects the user to Microsoft Entra ID to authenticate.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_logoutUrl" type="string">
<Description>Displays the URL that will be used by Microsoft's authorization service to log out a user.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_servicePrincipalType" type="string">
<Description>Identifies whether the service principal represents an application, managed identity, or legacy application.</Description>
</AttributeDefinition>
<AttributeDefinition name="spn_signInAudience" type="string">
<Description>Displays the Microsoft accounts that are supported for the current application.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_passwordCredentials" type="string">
<Description>The collection of password credentials associated with the application.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_keyCredentials" type="string">
<Description>The collection of key credentials associated with the service principal.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_tags" type="string">
<Description>The custom strings that can be used to categorize and identify the service principal.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_app_owners" type="string">
<Description>Directory objects that are owners of the application.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_owners" type="string">
<Description>Directory objects that are owners of this servicePrincipal.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_app_passwordCredentials" type="string">
<Description>The collection of password credentials associated with the application.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_app_keyCredentials" type="string">
<Description>The collection of password credentials associated with the application.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_appRoles" type="string">
<Description>The roles exposed by the application that this service principal represents.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_adminConsentedPermissions" type="string">
<Description>List of admin consented permissions assigned to service principal.</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="spn_userConsentedPermissions" type="string">
<Description>List of user consented permissions assigned to service principal.</Description>
</AttributeDefinition>
</Schema>
Note
The Service Principal object will also display Application object properties. Attributes with app in the name are Application object properties and all others are Service Principal object properties.
For example,
-
spn_app_owners is for directory objects that are owners of the application.
-
spn_owners is for directory objects that are owners of this service principal.