L9. App Registrations: Service Principals and Permissions
Understand the relationship between app registrations and service principals for the SC-300: configure application and delegated permissions, manage API permissions, implement the consent framework, and secure app credentials with certificates and secrets.
App Registrations vs Service Principals
This distinction is one of the most tested concepts on the SC-300, so make sure it is clear.
- App registration: the global definition of your application. It exists once, in the home tenant where the app was created, and defines the application's identity (the application/client ID), the permissions it requests, its credentials, redirect URIs and other configuration. Think of it as the blueprint.
- Service principal: the local instance of the application in a specific tenant. When you register an app in the Entra admin center, a service principal is created in the home tenant at the same time; in every other tenant, one is created the first time a user or admin consents to the app. Permissions are granted to the service principal, not to the registration. Think of it as the copy that actually runs in that tenant.
| Concept | Scope | Purpose |
|---|---|---|
| App registration | Home tenant (global) | Defines the app identity and configuration |
| Service principal | Each tenant where app is used | Local representation that receives permissions |
| Managed identity | Azure resource | Automatic service principal for Azure services |
Permission Types
Delegated Permissions
The app acts on behalf of a signed-in user. The effective permissions are the intersection of the permissions granted to the app and the permissions of the signed-in user: a user cannot grant an app more access than they themselves have. In the access token, delegated permissions appear in the scp claim.
Application Permissions
The app acts as itself, with no user context. These are used by background services, daemons and automation. Application permissions are always granted by an admin and apply to all users and resources in the tenant (Mail.Read as an application permission reads every mailbox, not one user's). In the access token they appear in the roles claim. Exam tip: if a question describes a daemon or background service that needs to read all users' mailboxes, it needs application permissions, not delegated permissions, because delegated permissions require a signed-in user context.
Consent Framework
User Consent
Regular users can consent to delegated permissions that are classified as "low risk" (for example User.Read, the app's ability to read the signed-in user's own profile). The admin controls what users can consent to at:
- Entra admin center > Enterprise applications > Consent and permissions > User consent settings
Admin Consent
Required for:
- All application permissions
- Delegated permissions classified as high-privilege
- Any permission when user consent is disabled
Admin consent can be granted for a specific app tenant-wide (the "Grant admin consent" button in Enterprise applications > Permissions, or the admin consent endpoint), which applies to all users in the tenant so that no user is prompted again; for delegated permissions, an admin can also grant consent on behalf of a single user through the Microsoft Graph API.
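The following is an added example, not code from the course page, that walks through the objects described above with the Microsoft Graph PowerShell SDK: it registers a daemon app that declares the Microsoft Graph application permission Mail.Read, creates the app's service principal in the home tenant, and grants tenant-wide admin consent. The display name "mailbox-archiver-daemon" is a placeholder; the permission ID is looked up from Graph's own service principal rather than hard-coded, and the account running it is assumed to hold a role such as Application Administrator.

```powershell
# Added example (not from the course page). Assumes the Microsoft.Graph.Authentication
# module is installed and the signed-in admin can consent to Application.ReadWrite.All
# and AppRoleAssignment.ReadWrite.All.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$graphBase  = "https://graph.microsoft.com/v1.0"
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph

# 1. Resolve the permission from Graph's service principal instead of hard-coding a GUID.
#    Application permissions are "appRoles"; delegated permissions are "oauth2PermissionScopes".
$graphSp  = (Invoke-MgGraphRequest -Method GET -Uri "$graphBase/servicePrincipals?`$filter=appId eq '$graphAppId'").value[0]
$mailRead = $graphSp.appRoles | Where-Object { $_.value -eq "Mail.Read" }

# 2. App registration (the blueprint). requiredResourceAccess only DECLARES the permission;
#    nothing is granted yet. type "Role" = application permission, "Scope" = delegated.
$appJson = @"
{
  "displayName": "mailbox-archiver-daemon",
  "signInAudience": "AzureADMyOrg",
  "requiredResourceAccess": [
    { "resourceAppId": "$graphAppId",
      "resourceAccess": [ { "id": "$($mailRead.id)", "type": "Role" } ] }
  ]
}
"@
$app = Invoke-MgGraphRequest -Method POST -Uri "$graphBase/applications" -Body $appJson -ContentType "application/json"
# $app.appId is the global client ID; $app.id is the registration's object ID in this tenant.

# 3. Service principal (the local instance). The admin center creates this automatically;
#    the raw API does not, so create it explicitly.
$sp = Invoke-MgGraphRequest -Method POST -Uri "$graphBase/servicePrincipals" -Body @{ appId = $app.appId }

# 4. Tenant-wide admin consent for an application permission is an app role assignment:
#    our service principal (principalId) is assigned the Mail.Read role on Graph's
#    service principal (resourceId). Requires an admin; no user can do this.
Invoke-MgGraphRequest -Method POST -Uri "$graphBase/servicePrincipals/$($sp.id)/appRoleAssignments" -Body @{
    principalId = $sp.id
    resourceId  = $graphSp.id
    appRoleId   = $mailRead.id
} | Out-Null

# 5. Verify what the service principal has actually been granted. This list, not the
#    registration's requiredResourceAccess, is the daemon's effective permission set.
(Invoke-MgGraphRequest -Method GET -Uri "$graphBase/servicePrincipals/$($sp.id)/appRoleAssignments").value |
    ForEach-Object { "{0} -> {1}" -f $_.principalDisplayName, $_.appRoleId }
```

Two checks worth remembering from this: the declaration on the registration and the grant on the service principal are separate objects, so reviewing "API permissions" in the registration alone does not tell you what a daemon can do; and because the grant is an app role assignment on the service principal, removing it (DELETE on the appRoleAssignments entry) is how you revoke an application permission without deleting the app.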
Admin Consent Workflow
When user consent is restricted, you can enable the admin consent workflow. Users request access, and designated reviewers (admins) approve or deny the request.
Credentials: Secrets vs Certificates
Apps authenticate to Entra ID using credentials:
- Client secrets: shared passwords with a configurable expiration (the admin center caps new secrets at 24 months; shorter lifetimes are recommended). Less secure: the secret is a bearer credential, so anyone who copies the string out of a config file, pipeline log or repository can authenticate as the app.
- Certificates: X.509 certificates whose public half is uploaded to the app registration. More secure and recommended for production. The app proves its identity by signing a short-lived JWT (a client assertion) with the certificate's private key, which never has to leave the machine or HSM holding it; Entra ID verifies the signature against the uploaded public key.
API Permissions Best Practice
Follow least privilege:
- Identify the minimum permissions your app needs
- Prefer delegated over application permissions when a user context exists
- Use the .default scope (for example https://graph.microsoft.com/.default) for client credential flows: it requests every application permission already granted to the service principal for that resource, since there is no user to prompt for individual scopes
- Review and remove unused permissions regularly
Navigate to: Entra admin center > App registrations > [App] > API permissions
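This added example, not code from the course page, shows the certificate credential and the .default scope from the two sections above end to end: it registers a certificate's public key on an existing app registration, builds the signed client assertion described under Credentials, redeems it at the v2.0 token endpoint for the .default scope, and decodes the resulting token to show the application permissions in the roles claim. The tenant, client ID and object ID are placeholders you must replace, the certificate is self-signed for illustration (use a CA-issued or Key Vault-held certificate in production), and an existing Connect-MgGraph session with Application.ReadWrite.All is assumed for the upload step.

```powershell
# Added example (not from the course page). Placeholders: replace with your own values.
$tenantId    = "contoso.onmicrosoft.com"                 # tenant ID or verified domain
$clientId    = "00000000-0000-0000-0000-000000000000"   # appId (client ID) of the registration
$appObjectId = "11111111-1111-1111-1111-111111111111"   # object ID of the registration

# 1. Create a non-exportable key pair (Windows PKI module) and upload ONLY the public
#    certificate as a keyCredential. Note: PATCH replaces the whole keyCredentials list,
#    so include existing entries if the app already has certificates.
$cert = New-SelfSignedCertificate -Subject "CN=mailbox-archiver-daemon" -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddMonths(12)
$keyJson = @"
{ "keyCredentials": [ { "type": "AsymmetricX509Cert", "usage": "Verify",
                        "displayName": "daemon-cert", "key": "$([Convert]::ToBase64String($cert.RawData))" } ] }
"@
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId" -Body $keyJson -ContentType "application/json"

# 2. Build the client assertion: a JWT signed with the private key (RS256).
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header = @{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url ($cert.GetCertHash())) }  # x5t = base64url(SHA-1 thumbprint)
$claims = @{
    aud = $tokenEndpoint          # the assertion is only valid at this tenant's token endpoint
    iss = $clientId; sub = $clientId
    jti = [guid]::NewGuid().ToString()
    nbf = $now; exp = $now + 600  # keep assertions short-lived; they are single-purpose
}
$enc = [Text.Encoding]::UTF8
$signingInput = (ConvertTo-Base64Url ($enc.GetBytes(($header | ConvertTo-Json -Compress)))) + "." +
                (ConvertTo-Base64Url ($enc.GetBytes(($claims | ConvertTo-Json -Compress))))
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData($enc.GetBytes($signingInput),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = "$signingInput.$(ConvertTo-Base64Url $sig)"

# 3. Client credentials grant. .default asks for everything already admin-consented to the
#    service principal for Graph; named scopes cannot be requested in this flow.
$resp = Invoke-RestMethod -Method POST -Uri $tokenEndpoint -Body @{
    client_id             = $clientId
    scope                 = "https://graph.microsoft.com/.default"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
    grant_type            = "client_credentials"
}

# 4. Decode the access token payload: application permissions show up in "roles",
#    whereas a delegated token would carry "scp" and a user identity.
$payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
($enc.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json).roles
```

If step 3 fails with AADSTS700027 (invalid client assertion signature), the uploaded key and the signing key do not match; if the token comes back but roles is empty, the service principal has a certificate but no admin-consented application permission, which is exactly the gap between "declared on the registration" and "granted to the service principal".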
- ✓App registration is the blueprint (home tenant); service principal is the local instance in each tenant where the app is used
- ✓Delegated permissions act on behalf of a user; application permissions act as the app itself with no user context
- ✓All application permissions require admin consent; delegated permissions may allow user consent for low-risk scopes
- ✓Certificates are more secure than client secrets and are recommended for production applications
- ✓An app registration has a one-to-many relationship with service principals across tenants
1. A background daemon needs to read all users' mailboxes without any user signing in. What permission type is required?
2. What is the relationship between an app registration and a service principal?
3. Which credential type does Microsoft recommend for production applications authenticating to Entra ID?