Service Principal Management as an Entitlement

Entra Service Principals are security identities used by user-created applications, services, and automation tools to access specific Entra resources. A Service Principal is a non-user identity with its own credential (a password/secret or a certificate), a specific role, and controlled permissions to access your resources.

To improve security, only grant the minimum permission level to perform management tasks.

Note

The Microsoft Entra ID connector can manage Service Principals as Accounts, which is the recommended approach. For more information, refer to Service Principal Accounts Management. New instances of the Microsoft Entra ID connector are created without the group schema for the Service Principal object (the servicePrincipal object type schema); the corresponding entitlement attribute in the account schema (the servicePrincipals account schema attribute) has also been removed. Backward compatibility is maintained for existing connectors. To use this feature with new connectors, make the schema changes described in the Service Principal topic.

The following operations are supported for the ServicePrincipal object type:

  • Aggregation

  • View details of a ServicePrincipal (such as object properties and members)

  • Provision and revoke access requests for a ServicePrincipal

Note

Aggregating Service Principal entitlements negatively impacts account aggregation performance.

Enabling Feature on Existing Connectors

  1. Modify the existing account schema and add the Service Principal related attributes as mentioned in the Service Principal as Accounts Attributes topic.

  2. Remove the existing group schema for the "Service Principal" object.

  3. Add a new group schema for the "Application Role" object as mentioned in the Application Role Attributes topic.

  4. After making the schema changes, perform account and group aggregation.

  5. Modify the existing Create Account Policy to include the Service Principal attributes as mentioned in the Account Profile for Service Principal topic.
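The following added example (not the connector's own code) illustrates what the account and group aggregation in step 4 produces under the recommended model: one account per service principal, with its assigned application roles as entitlements, followed by a least-privilege check over the result. The Graph property names (id, appId, displayName, appRoles, principalId, resourceId, appRoleId) are real Microsoft Graph fields; the sample records and the "<resource>:<role value>" entitlement naming are constructed assumptions for illustration.

```python
"""Illustrative aggregation of Entra service principals into account records
with application-role entitlements. Constructed sample data; not connector code."""
from typing import Dict, List

# Constructed sample service principals, shaped like Microsoft Graph responses
# (property names are real Graph fields; ids and names are made up).
SERVICE_PRINCIPALS = [
    {"id": "sp-automation", "appId": "app-1", "displayName": "Nightly Export Job",
     "appRoles": []},
    {"id": "sp-api", "appId": "app-2", "displayName": "Inventory API",
     "appRoles": [
         {"id": "role-read", "value": "Inventory.Read", "displayName": "Read inventory"},
         {"id": "role-admin", "value": "Inventory.Admin", "displayName": "Administer inventory"},
     ]},
]

# Constructed sample appRoleAssignment records: the export job holds one role on the API.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-automation", "resourceId": "sp-api", "appRoleId": "role-admin"},
]


def aggregate_service_principal_accounts(service_principals, assignments) -> Dict[str, dict]:
    """Build one account per service principal; its entitlements are the application
    roles assigned to it, named '<resource displayName>:<role value>' (assumed naming)."""
    by_id = {sp["id"]: sp for sp in service_principals}
    roles_by_resource = {sp["id"]: {r["id"]: r for r in sp.get("appRoles", [])}
                         for sp in service_principals}
    accounts = {sp["id"]: {"displayName": sp["displayName"], "appId": sp["appId"],
                           "entitlements": []} for sp in service_principals}
    for a in assignments:
        principal = accounts.get(a["principalId"])
        resource = by_id.get(a["resourceId"])
        role = roles_by_resource.get(a["resourceId"], {}).get(a["appRoleId"])
        if principal is None or resource is None or role is None:
            # Dangling assignment (unknown principal, resource or role): skip it
            # rather than fabricate an entitlement name.
            continue
        principal["entitlements"].append(f"{resource['displayName']}:{role['value']}")
    return accounts


def find_admin_role_holders(accounts, admin_suffix=".Admin") -> List[str]:
    """Least-privilege review: service principals holding an admin-level application role."""
    return sorted(sid for sid, acct in accounts.items()
                  if any(e.endswith(admin_suffix) for e in acct["entitlements"]))
```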