Create Policy for Service Principal
Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management, such as Management Groups, Subscriptions, Resource Groups and Role Assignment, or Service Principal Accounts Management), you must have
The following lists the create service principal profile attributes:
Note
Attributes with app in the name are Application object properties; all others are Service Principal object properties.
For example:
- spn_app_owners is for directory objects that are owners of the application.
- spn_owners is for directory objects that are owners of this service principal.
Attribute Name | Description
---|---
spn_appDisplayName | The display name for the application.
spn_homepage | The home page or landing page of the application.
spn_loginUrl | The URL where the service provider redirects the user to Microsoft Entra ID to authenticate.
spn_logoutUrl | The URL that Microsoft's authorization service uses to log out a user.
description | The description that is displayed in the address book for the service principal.
spn_appRoles | The roles exposed by the application that this service principal represents.
spn_app_keyCredentials | The collection of key (certificate) credentials associated with the application.
spn_tags | Custom strings that can be used to categorize and identify the service principal.
spn_passwordCredentials | The collection of password credentials associated with the service principal.
spn_app_owners | Directory objects that are owners of the application.
spn_owners | Directory objects that are owners of this service principal.
spn_app_passwordCredentials | The collection of password credentials associated with the application.
spn_appTemplateName | The name of the gallery template that is used to create the application and service principal.
spn_appTemplateId | The ID of the gallery template that is used to create the application and service principal.
spn_appId | The app ID of the existing multi-tenant application for which the service principal needs to be created.
Note
- When a create Service Principal request is executed, the connector creates the Application object first and then creates the corresponding Service Principal object.
- To create an application from a gallery template, either spn_appTemplateName or spn_appTemplateId must be provided in the create request along with spn_appDisplayName. For more information, refer to sample request Example 3 and Example 4.
- To create the service principal for an existing multi-tenant application, spn_appId must be provided in the create request. For more information, refer to sample request Example 5.
Sample Create Service Principal Requests
Note
For more information on the key credentials and password credentials, refer to Update Policy for Service Principals.
Example 1
The following create request will create an Application object with the displayName as APAC Sales and its corresponding Service Principal object will also be created:
<ProvisioningPlan>
<AccountRequest op="Create">
<AttributeRequest name="spn_appDisplayName" op="Add" value="APAC Sales"/>
</AccountRequest>
</ProvisioningPlan>
Example 2
The following create request will create an Application object with the displayName as APAC Production and its corresponding Service Principal object, and will additionally assign group membership and an app role to the service principal:
<ProvisioningPlan>
<AccountRequest op="Create">
<AttributeRequest name="spn_appDisplayName" op="Add" value="APAC Production"/>
<AttributeRequest name="appRoleAssignments" op="Add" value="6f749413-fc45-4a47-a69b-0e100e0fbda1:00000000-0000-0000-0000-000000000000"/>
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest>
</ProvisioningPlan>
Example 3
The following create request will create an Application object with the displayName as Adobe Identity Management-App and its corresponding Service Principal object, using the gallery template named Adobe Identity Management (SAML):
<ProvisioningPlan>
<AccountRequest op="Create">
<AttributeRequest name="spn_appTemplateName" op="Add" value="Adobe Identity Management (SAML)" />
<AttributeRequest name="spn_appDisplayName" op="Add" value="Adobe Identity Management-App"/>
<AttributeRequest name="appRoleAssignments" op="Add" value="6f749413-fc45-4a47-a69b-0e100e0fbda1:00000000-0000-0000-0000-000000000000"/>
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest>
</ProvisioningPlan>
Example 4
The following create request will create an Application object with the displayName as Adobe Identity Management-App and its corresponding Service Principal object, using the gallery template whose ID is 7ae7dbe9-8351-44c6-a0f0-e4642aa58b19 (the template ID can be retrieved from the Microsoft Graph applicationTemplates endpoint):
<ProvisioningPlan>
<AccountRequest op="Create">
<AttributeRequest name="spn_appTemplateId" op="Add" value="7ae7dbe9-8351-44c6-a0f0-e4642aa58b19" />
<AttributeRequest name="spn_appDisplayName" op="Add" value="Adobe Identity Management-App"/>
<AttributeRequest name="appRoleAssignments" op="Add" value="6f749413-fc45-4a47-a69b-0e100e0fbda1:00000000-0000-0000-0000-000000000000"/>
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest>
</ProvisioningPlan>
Example 5
The following create request will create only a Service Principal object for an already existing multi-tenant Application object whose appId is 9c41360b-3dcb-4a9e-9bf4-095151f835b1:
<ProvisioningPlan>
<AccountRequest op="Create">
<AttributeRequest name="spn_appId" op="Add" value="9c41360b-3dcb-4a9e-9bf4-095151f835b1" />
<AttributeRequest name="appRoleAssignments" op="Add" value="6f749413-fc45-4a47-a69b-0e100e0fbda1:00000000-0000-0000-0000-000000000000"/>
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest>
</ProvisioningPlan>
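The five examples above fall into three shapes of create request: a new application identified by spn_appDisplayName, a gallery application identified by spn_appTemplateName or spn_appTemplateId plus spn_appDisplayName, and a service principal for an existing multi-tenant application identified by spn_appId. The following is an added pre-flight linter for such plans; it is example code written for this page, not part of the SailPoint connector or its documentation. It parses a ProvisioningPlan, checks the attribute combinations stated in the notes above, and checks that identifier-valued attributes (spn_appId, spn_appTemplateId, groups, and the two halves of an appRoleAssignments value) are GUIDs. Treating spn_appTemplateName together with spn_appTemplateId, or either of them together with spn_appId, as an error is this example's reading of the notes; the page does not say how the connector resolves those combinations. The sample plans embedded below are constructed from the examples on this page plus one deliberately malformed request.

```python
"""Pre-flight linter for Entra ID service principal "Create" ProvisioningPlans.

Added example, not connector code. The rules encoded here are taken from the
notes on this page; the function names and error messages are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Plain (non f-string) pattern so the {8}/{4}/{12} quantifiers are literal.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
GUID_RE = re.compile("^" + GUID + "$")
# appRoleAssignments values on this page are two GUIDs joined by a colon.
APP_ROLE_ASSIGNMENT_RE = re.compile("^" + GUID + ":" + GUID + "$")


def parse_create_requests(plan_xml: str) -> list[dict[str, list[str]]]:
    """Return one {attribute name: [values]} mapping per <AccountRequest op="Create">."""
    root = ET.fromstring(plan_xml)
    requests = []
    for acct in root.iter("AccountRequest"):
        if acct.get("op") != "Create":
            continue
        attrs: dict[str, list[str]] = {}
        for ar in acct.iter("AttributeRequest"):
            attrs.setdefault(ar.get("name", ""), []).append(ar.get("value", ""))
        requests.append(attrs)
    return requests


def lint_create_request(attrs: dict[str, list[str]]) -> list[str]:
    """Return a list of problems (empty when the request satisfies the documented rules)."""
    problems: list[str] = []
    has_display = "spn_appDisplayName" in attrs
    has_tname = "spn_appTemplateName" in attrs
    has_tid = "spn_appTemplateId" in attrs
    has_appid = "spn_appId" in attrs

    if has_appid:
        # Existing multi-tenant application: only the service principal is created.
        if has_tname or has_tid:
            # Assumption of this example: the two create paths are mutually exclusive.
            problems.append("spn_appId must not be combined with spn_appTemplateName/spn_appTemplateId")
        for v in attrs["spn_appId"]:
            if not GUID_RE.match(v):
                problems.append(f"spn_appId is not a GUID: {v!r}")
    else:
        # New application (plain or from a gallery template) always needs a display name.
        if not has_display:
            problems.append("spn_appDisplayName is required when creating a new application")
        if has_tname and has_tid:
            # Assumption of this example: "either ... or" in the notes means exactly one.
            problems.append("provide either spn_appTemplateName or spn_appTemplateId, not both")
        for v in attrs.get("spn_appTemplateId", []):
            if not GUID_RE.match(v):
                problems.append(f"spn_appTemplateId is not a GUID: {v!r}")

    for v in attrs.get("appRoleAssignments", []):
        if not APP_ROLE_ASSIGNMENT_RE.match(v):
            problems.append(f"appRoleAssignments value must be '<GUID>:<GUID>': {v!r}")
    for v in attrs.get("groups", []):
        if not GUID_RE.match(v):
            problems.append(f"groups value is not a GUID: {v!r}")
    return problems


def lint_plan(plan_xml: str) -> list[list[str]]:
    """Lint every Create request in a plan; one problem list per request."""
    return [lint_create_request(a) for a in parse_create_requests(plan_xml)]


# Constructed sample plans (Examples 1, 3 and 5 from this page, plus a broken one).
PLAN_NEW_APP = """<ProvisioningPlan><AccountRequest op="Create">
<AttributeRequest name="spn_appDisplayName" op="Add" value="APAC Sales"/>
</AccountRequest></ProvisioningPlan>"""

PLAN_GALLERY = """<ProvisioningPlan><AccountRequest op="Create">
<AttributeRequest name="spn_appTemplateName" op="Add" value="Adobe Identity Management (SAML)" />
<AttributeRequest name="spn_appDisplayName" op="Add" value="Adobe Identity Management-App"/>
<AttributeRequest name="appRoleAssignments" op="Add" value="6f749413-fc45-4a47-a69b-0e100e0fbda1:00000000-0000-0000-0000-000000000000"/>
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest></ProvisioningPlan>"""

PLAN_MULTI_TENANT = """<ProvisioningPlan><AccountRequest op="Create">
<AttributeRequest name="spn_appId" op="Add" value="9c41360b-3dcb-4a9e-9bf4-095151f835b1" />
<AttributeRequest name="groups" op="Add" value="2402e965-2000-4545-b371-0db81b6db745"/>
</AccountRequest></ProvisioningPlan>"""

# Constructed failure case: template ID without a display name, malformed role assignment.
PLAN_BROKEN = """<ProvisioningPlan><AccountRequest op="Create">
<AttributeRequest name="spn_appTemplateId" op="Add" value="7ae7dbe9-8351-44c6-a0f0-e4642aa58b19" />
<AttributeRequest name="appRoleAssignments" op="Add" value="not-a-guid"/>
</AccountRequest></ProvisioningPlan>"""

if __name__ == "__main__":
    for label, plan in [("new app", PLAN_NEW_APP), ("gallery", PLAN_GALLERY),
                        ("multi-tenant", PLAN_MULTI_TENANT), ("broken", PLAN_BROKEN)]:
        for i, problems in enumerate(lint_plan(plan)):
            status = "OK" if not problems else "; ".join(problems)
            print(f"{label} request #{i}: {status}")
```

Run this against a plan before submitting it to the connector: a request that fails the linter would otherwise fail inside the provisioning transaction, after the Application object may already have been created (the connector creates the Application first and the Service Principal second, as noted above).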
For information on additional configuration attributes, refer to Additional Configuration Parameters.