Service Principal Management as an Entitlement

An Azure Service Principal is a security identity used by user-created applications, services, and automation tools to access specific Azure resources. A Service Principal is an identity (a login with a password or a certificate) that is assigned a specific role and controlled permissions to access your resources.

To improve security, grant only the minimum permission level needed to perform management tasks.

Note
The Azure Active Directory connector can manage Service Principals as Accounts, which is the recommended approach. For more information, refer to Service Principal Account Management. When creating new instances of the Azure Active Directory connector, the configuration will not have the group schema for the Service Principal object (i.e., the servicePrincipal object type schema). The associated entitlement attribute entry in the account schema has also been removed (i.e., the servicePrincipals account schema attribute). Backward compatibility is maintained with this feature. If you want to use the feature with new connectors, make the schema changes in accordance with the information in the Service Principal topic.

The following operations are supported for the ServicePrincipal object type:

  • Aggregation

  • View details of a ServicePrincipal (such as object properties, members, and so on)

  • Provision and Revoke access requests for a ServicePrincipal

Note

Aggregating Service Principal entitlements negatively impacts account aggregation performance.

Enabling Feature on Existing Connectors

  1. Modify the existing account schema and add the Service Principal related attributes as mentioned in the Service Principal as Accounts Attributes topic.

  2. Remove the existing group schema for the "Service Principal" object.

  3. Add a new group schema for the "Application Role" object as mentioned in the Application Role Attributes topic.

  4. After making the schema changes, perform account and group aggregation.

  5. Modify the existing Create Account Policy to include the Service Principal attributes as mentioned in the Account Profile for Service Principal topic.