Service Principal as Accounts Attributes
To manage Service Principals, ensure that the following attributes are present in the account schema:
**Note:** The Service Principal object will also display Application object properties. Attributes with `app` in the name are Application object properties, and all others are Service Principal object properties. For example:

- `spn_app_owners` is for directory objects that are owners of the application.
- `spn_owners` is for directory objects that are owners of this service principal.
| Schema Attribute Name | Type | Description |
|---|---|---|
| objectId | String | The ID of the user, service principal, or managed identity. This is an Identity Attribute that must not be changed. |
| accountEnabled | Boolean | This is set to true if the user, service principal, or managed identity is enabled. Otherwise, this is set to false. |
| spn_appDisplayName | String | The display name for the application. |
| spn_app_Description | String | This is a free-text field for providing the description of the application object to end users. The maximum size is 1024 characters. |
| spn_appId | String | This is the unique identifier for the application that is assigned to an application by Azure Active Directory. |
| spn_applicationTemplateId | String | This is the unique identifier of the application template. |
| spn_appOwnerOrganizationId | String | This contains the tenant ID where the application is registered. |
| spn_createdDateTime | String | This is the date and time the application was registered. |
| spn_homepage | String | This is the home page or landing page of the application. |
| spn_loginUrl | String | Displays the URL where the service provider redirects the user to Azure Active Directory to authenticate. |
| spn_logoutUrl | String | Displays the URL that will be used by Microsoft's authorization service to log out a user. |
| description | String | The description that is displayed in the address book for the user or service principal. |
| displayName | String | The name displayed in the address book for the user or service principal. |
| spn_servicePrincipalType | String | Identifies whether the service principal represents an application, managed identity, or legacy application. |
| spn_signInAudience | | Displays the Microsoft accounts that are supported for the current application. |
| spn_passwordCredentials | String Multi | The collection of password credentials associated with the application. |
| spn_keyCredentials | String Multi | The collection of key credentials associated with the service principal. |
| spn_tags | String Multi | The custom strings that can be used to categorize and identify the service principal. |
| spn_app_owners | String Multi | Directory objects that are owners of the application. Note: Both Users and Applications (corresponding SPN) can be owners. For consistency, the following are shown: |
| spn_owner | String Multi | Directory objects that are owners of this servicePrincipal. |
| spn_app_passwordCredentials | Multi | The collection of password credentials associated with the application. |
| spn_app_keyCredentials | Multi | The collection of password credentials associated with the application. |
| spn_appRoles | String Multi | The roles exposed by the application that this service principal represents. |
| appRoleAssignements | applicationRole Multi Managed | Lists the associated application roles for the Account. This is a multi-valued, entitlement, and managed attribute. |
| groups | group Multi Managed | Lists the associated groups for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
| roles | roles Multi Managed | Lists the associated Azure Directory Roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
| azureActiveRoles | azureActiveRole Multi Managed | Lists the associated Azure active roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
| azureADActiveRoles | azureADActiveRole Multi Managed | Lists the associated Azure Active Directory roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
| azureRoleAssignements | azureRoleAssignment Multi Managed | Lists the associated RBAC roles for the user, service principal, or managed identity. This is a multi-valued, entitlement, and managed attribute. |
| spn_adminConsentedPermissions | adminConsentedPermission Multi Managed Entitlement | Lists the associated Azure admin consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute. |
| spn_userConsentedPermissions | String Multi Managed Entitlement | Lists the associated Azure user consented permissions for the service principal. This is a multi-valued, entitlement, and managed attribute. |