Infrastructure and securityIntermediate31 min read

What Is Service principal? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A service principal is like a dedicated identity card for a computer program or app. Instead of a person logging in with a username and password, the app uses this identity to get permission to access cloud resources like databases or storage. It makes automated tasks secure and manageable without needing a human to sign in every time.

Commonly Confused With

Service principalvsManaged identity

A managed identity is a special type of service principal that is automatically created and managed by Azure. It is tied to a specific Azure resource, like a virtual machine or an App Service. With a managed identity, you do not have to create or rotate client secrets or certificates. In contrast, a regular service principal requires you to manage the credentials yourself. Managed identities are the recommended approach when your application runs on an Azure resource.

If your web app runs on Azure App Service, use a system-assigned managed identity. If your app runs on a laptop on-premises, you must use a service principal with a client secret or certificate.

Service principalvsUser account

A user account is an identity for a human being. It has a username and password, can use multi-factor authentication, and is intended for interactive login. A service principal is for non-human entities like applications. User accounts can do everything a service principal can, but they are harder to secure for automation because they can do many unintended actions and are subject to human behavior like password sharing or phishing.

You use your user account to log into the Azure portal to check resources. You use a service principal for an automated script that shuts down VMs at midnight.

Service principalvsApplication object

The application object is the global representation of your application across all Azure AD tenants. It has properties like the redirect URI and permissions. The service principal is the local instance of that application in a specific tenant. When you register an application, you get one application object and one service principal in your tenant. If the same app is used in another tenant, a new service principal is created there, but the application object is shared.

Think of the application object as the blueprint of a house. The service principal is the actual house built in a specific neighborhood. Different neighborhoods (tenants) can have houses built from the same blueprint (application object).

Service principalvsService account

Service account is the generic term used across many platforms (including Windows Server, AWS, and Google Cloud) for a non-human identity. In Azure, the specific term is service principal. In AWS, it is an IAM role for EC2 or a service-linked role. In Google Cloud, it is a service account. All refer to the same concept: an identity for an automated workload. The key difference is the specific implementation and naming convention within each cloud provider.

If you see the term “service account” in an AWS exam, think “IAM role.” In an Azure exam, think “service principal.” They serve the same purpose.

Must Know for Exams

Service principals are a frequent topic in cloud certification exams, especially for Microsoft Azure, but also for AWS and Google Cloud. In the Microsoft Azure Fundamentals (AZ-900) exam, you will encounter service principals in the section on Azure Active Directory and identity management. While the exam focuses on foundational concepts, you are expected to understand that a service principal is an identity for an application, distinct from a user identity. You may see a question asking which type of identity should be used for an automated script. The correct answer is a service principal. In the Azure Administrator (AZ-104) exam, service principals are tested more deeply. You will need to know how to create a service principal using the Azure CLI, how to assign RBAC roles to it, and how to use it with Azure DevOps. You might be given a scenario where a CI/CD pipeline needs to deploy resources to an Azure subscription, and you must choose the appropriate authentication method: service principal with a client secret, service principal with a certificate, or a managed identity. The exam expects you to know the pros and cons of each. For example, using a client secret is simpler but less secure than a certificate or managed identity.

In the Azure Security (AZ-500) exam, service principals are central to many security controls. You will be tested on how to secure service principals, including best practices for secret rotation, using certificates instead of secrets, and monitoring sign-in logs for service principal activity. You may encounter questions about how to detect a compromised service principal, for instance by reviewing Azure AD sign-in logs for unusual locations or failed authentication attempts. The exam also covers workload identity federation, which is a newer feature that allows external identity providers like GitHub Actions to assume a service principal’s identity. This is a key differentiator between a traditional service principal and a federated identity credential. For AWS certifications, the equivalent concept is the IAM role for EC2 or Lambda. In the AWS Certified Solutions Architect exam, you will be asked how to securely grant an EC2 instance access to an S3 bucket. The correct answer is to create an IAM role with the necessary permissions and attach it to the EC2 instance. This is the AWS equivalent of a managed identity or service principal. You must understand that you should never store AWS access keys on the instance. For Google Cloud, the term is service account, and it appears in the Google Cloud Associate Engineer and Professional Cloud Architect exams. The concept is identical: a non-human identity with granular permissions.

Question types vary. You might see multiple-choice questions asking for the best method to authenticate an application to Azure SQL Database. Options could include a user account, a service principal with a client secret, a service principal with a certificate, or a managed identity. The exam expects you to know that a managed identity is the most secure and easiest option when the application runs on an Azure resource. Another question could present a scenario where a developer stored a client secret in source code, and you need to recommend a fix. The answer would be to remove the secret from code and store it in Azure Key Vault, then grant the service principal access to the vault. You may also see drag-and-drop questions where you must order the steps to configure a service principal: register an application, create a service principal, assign a role, and configure authentication. In case study or scenario-based questions, you might be asked to troubleshoot why an automated script failed. Possible causes include an expired client secret, a missing role assignment, or a service principal that was deleted. Understanding these real-world failure modes is crucial. Service principals are not a niche topic; they are a recurring theme across multiple cloud exams. Mastering this concept will help you answer questions accurately and demonstrate a solid understanding of cloud identity and security.

For the AZ-104 exam specifically, you should memorize the Azure CLI command to create a service principal: az ad sp create-for-rbac --name MyAppServicePrincipal --role Contributor --scopes /subscriptions/MySubscriptionId/resourceGroups/MyResourceGroup. This command creates a service principal with the Contributor role on a specific resource group. You should also understand that the output includes the client ID and client secret, which must be stored securely. In the exam, you may be asked to use this command to solve a scenario. For AWS, you need to know the AWS CLI equivalent: aws iam create-role and aws iam attach-role-policy. For Google Cloud, it’s gcloud iam service-accounts create and gcloud projects add-iam-policy-binding. The exam relevance of service principals cannot be overstated. They are a core component of the identity pillar in the Microsoft Azure Well-Architected Framework. By studying this concept thoroughly, you are not only preparing for the exam but also building a foundation for real-world cloud administration.

Simple Meaning

Imagine you work in a large office building. Every human employee has a badge that lets them enter certain rooms. Now imagine you have a cleaning robot that needs to go into the server room every night to vacuum. You cannot give the robot a human badge because it is not a person. So you create a special badge for the robot. That badge is not tied to any person, but it has exactly the permissions the robot needs to enter the server room at night and nothing else. If the robot tries to enter the CEO’s office, the badge will not allow it because you set those rules. In the cloud computing world, that robot is an application or an automated script, and its special badge is called a service principal. Service principals are created in a cloud provider like Microsoft Azure or Amazon Web Services (AWS). They are a type of security identity that is not a user. A user is a person who logs in with a password and maybe multi-factor authentication. A service principal represents a non-human entity, such as an application, an automation script, or a continuous integration pipeline. The service principal is assigned specific roles and permissions, just like the robot’s badge. Because it is not a person, it does not use a regular password. Instead, it authenticates using a client secret (like a long, strong password) or a certificate. This makes automated processes secure because the secret can be rotated, revoked, or updated without affecting human users. Service principals are essential for modern cloud architectures because they allow you to automate deployments, run background jobs, and integrate services without relying on a human account that might expire or get locked out. They also provide a clear audit trail because every action taken by the application is logged against that service principal identity, not a person who may have shared their password.

Because service principals are non-human, they have no login credentials that can be phished easily. They are a foundational piece of identity and access management (IAM) in the cloud. When you set up a connection between your code and a cloud database, you create a service principal with exactly the permissions your code needs. This follows the principle of least privilege, meaning you give only the minimum access required. If the code is compromised, the attacker only gets the limited permissions of that service principal, not the broad access of a human administrator. Service principals also enable workload identity federation, where external identities from GitHub or other providers can be trusted to act as a service principal temporarily. This is more secure than storing static keys in code repositories. Overall, a service principal is the cloud’s way of giving applications their own secure identity so that machines can talk to machines without human intervention.

Every major cloud platform has its own name for this concept. In Azure, it is exactly called a service principal, which is the identity of a registered application in Azure Active Directory (now Microsoft Entra ID). In AWS, the equivalent is an IAM role assumed by an EC2 instance or a Lambda function. In Google Cloud, it is a service account. The underlying idea is the same: a non-human identity with granular permissions. Understanding service principals is critical for any IT professional working with cloud services, CI/CD pipelines, or infrastructure automation. It is a concept that appears in Microsoft Azure exams (AZ-900, AZ-104, AZ-500), AWS certifications (AWS Certified Solutions Architect, AWS Developer), and Google Cloud certifications. In exams, you will be asked to distinguish between a user account and a service principal, understand how authentication works (client secret vs. certificate vs. managed identity), and know when to use a service principal versus a managed identity for Azure resources.

Full Technical Definition

A service principal is a security identity used by applications, services, and automation tools to access specific Azure resources. It is an integral part of Azure Active Directory (now Microsoft Entra ID) and is created during the registration of an application. When you register an application in Entra ID, two objects are created: the application object and the service principal object. The application object is the global representation of your application across all tenants. The service principal object is the local representation, or the instance of the application, in a specific Azure Active Directory tenant. This distinction is important because it allows the same application to have different permissions in different tenants. For example, a DevOps tool might have read access in a development tenant and write access in a production tenant, each managed by a separate service principal.

Service principals authenticate using one of three methods. The first is a client secret, which is a string generated by Azure that acts like a password. The application sends this secret along with its client ID (a unique identifier for the application) to the Azure AD token endpoint to request an access token. The second method is a certificate, which is considered more secure. The application uses a certificate installed locally to sign a token request. Azure validates the certificate’s public key against the one stored in the service principal. The third method is a managed identity, which is a special type of service principal that is automatically created and managed by Azure for Azure resources like virtual machines, App Services, or Azure Functions. Managed identities eliminate the need to store and rotate secrets because Azure handles the token acquisition process automatically. From an exam perspective, you need to know that managed identities are the preferred method when possible because they reduce administrative overhead and security risks.

Service principals are integral to the OAuth 2.0 authorization framework, specifically the client credentials grant flow. In this flow, the application (the client) authenticates itself, not a user. The application requests an access token from the Microsoft identity platform by presenting its credentials (client ID and secret or certificate). The platform validates the credentials and returns an access token containing claims about the service principal, such as its object ID, tenant ID, and assigned roles. The application then uses this token to call APIs like Microsoft Graph or Azure Resource Manager. The token has a limited lifetime, typically one hour, after which it must be refreshed. The service principal must have appropriate role assignments to perform actions. These role assignments are managed through Azure RBAC (Role-Based Access Control). For example, a service principal can be assigned the Contributor role on a specific resource group, allowing it to create and manage resources within that group but not in other groups. This granularity is a key benefit.

In practical IT implementation, service principals are used for everything from CI/CD pipelines to automated backups. For instance, when you use Azure DevOps to deploy infrastructure, the pipeline uses a service principal connection to authenticate to your Azure subscription. The service principal’s credentials are stored securely in Azure DevOps as a service connection. During deployment, the pipeline acquires a token and uses it to run ARM templates. Similarly, a web application that reads from Azure Key Vault uses a service principal (or managed identity) to authenticate. The application never stores the secret in code; it requests a token at runtime. Service principals also support federation with external identity providers like GitHub Actions or Kubernetes. In that case, the external workload exchanges its own token for an Azure access token, a pattern called workload identity federation. This removes the need to create long-lived secrets. Understanding the lifecycle of a service principal is also critical: you can revoke it, rotate its secrets, or delete it entirely. All actions are logged in Azure Activity Log and Microsoft Entra sign-in logs, providing a full audit trail. In exams, you will be tested on how to create a service principal using the Azure CLI (az ad sp create-for-rbac), how to assign roles, and how to configure authentication. You may also be asked to troubleshoot common issues such as expired secrets or incorrect role assignments.

Real-Life Example

Think of a large hotel. Human guests use their personal ID cards to open their room doors and access the gym or pool. Now, the hotel has an automatic luggage delivery robot that travels through the service elevators and hallways to bring suitcases to rooms. This robot cannot use a guest’s ID card because it is not a guest. So the hotel manager creates a special electronic passkey for the robot. This passkey is not tied to a person. It is programmed to only open the service elevator, the luggage storage room, and to beep at the front desk if it gets lost. The robot does not have a name or a birthday; it just has a digital identity. In the cloud world, the robot is an application, and the special passkey is the service principal. The hotel manager can change the passkey code every month without affecting human guests. If the robot is stolen, the manager can immediately deactivate the passkey, and the thief cannot use it. This is exactly how service principals work. The application holds a secret (the passkey) and uses it to prove its identity to the cloud platform. The platform then checks the permissions assigned to that service principal, just like the hotel’s access control system checks which doors the robot’s passkey can open. The robot never needs to ask a human to swipe a badge for it. It authenticates itself every time it needs to do its job.

Now, imagine that the robot needs to go into the room of a VIP guest who is not checked in yet. The hotel manager can temporarily add that room to the robot’s permissions by updating its role assignment. Once the guest checks in, the manager removes that permission. This is role-based access control in action. The robot’s passkey is not a person, so it does not get tired, forget its password, or share it on social media. But it does need to be securely stored. If the robot’s passkey is written on a sticky note attached to the robot, anyone could steal it and impersonate the robot. In the same way, an application’s client secret must be stored securely, such as in Azure Key Vault or as an environment variable in a CI/CD pipeline. The hotel also logs every time the robot opens a door, creating an audit trail. If a suitcase goes missing, the manager can check the log to see which elevator the robot used and at what time. This maps directly to the audit logs in Azure, where every API call made by a service principal is recorded. This real-life analogy helps solidify the concept: a service principal is simply a secure, non-human identity that performs automated tasks with limited, well-defined permissions.

Why This Term Matters

Service principals matter because they are the backbone of secure automation in any cloud environment. Without them, you would have to use a human user’s credentials for every automated task, which is a massive security risk. Human accounts have broad permissions, often including the ability to change passwords and access sensitive data. If those credentials are used in a script, and the script is stolen, an attacker gains the full power of that human user. Service principals eliminate this risk by providing a separate identity with exactly the permissions needed for the automation. This is the principle of least privilege applied to non-human workloads. Every IT professional working with cloud infrastructure, DevOps, or security must understand service principals because they are used in virtually every automated process. When you set up a Continuous Integration/Continuous Deployment (CI/CD) pipeline, you create a service principal. When you configure a web app to read from a database, you use a service principal. When you run a scheduled script to clean up old resources, you need a service principal. It is not an optional concept; it is a requirement for scalable, secure cloud operations.

From a governance perspective, service principals enable fine-grained auditing. Since every action is linked to a specific service principal identity, you can track exactly what an automated script did, even if it ran months ago. This is crucial for compliance with standards like SOC 2, ISO 27001, and HIPAA. If an audit finds that a database was accidentally deleted, you can review the logs to see which service principal deleted it and what permissions it had. This helps in root cause analysis and preventing future incidents. Service principals also support secret rotation and lifecycle management. You can set expiration dates on client secrets, forcing regular updates. If a secret is compromised, you can immediately revoke it without affecting other service principals or human users. This is much faster than changing a human user’s password, especially if that password was shared across multiple scripts.

In the context of modern identity and access management, service principals are a key part of workload identity. Workload identity is about proving the identity of a software workload (like a container or a serverless function) without using static credentials. Service principals, especially when combined with managed identities, allow workloads to authenticate to Azure services without any secrets stored in code. This reduces the attack surface dramatically. For example, a web application running in Azure App Service can use a managed identity to access Azure SQL Database. The application never stores a connection string with a password; it requests a token at runtime. If the App Service is compromised, the attacker still cannot extract persistent credentials because the token is short-lived and tied to the specific resource. This is why service principals and managed identities are a hot topic in cloud security exams. They represent a shift from static, long-lived credentials to dynamic, short-lived tokens. For any IT certification candidate, mastering service principals is not just about passing a test; it is about adopting a security mindset that will protect the systems you manage throughout your career.

How It Appears in Exam Questions

Service principal questions appear in cloud certification exams in several distinct patterns. The most common is the scenario-based question where you are given a description of an automated task and asked to choose the appropriate identity type. For example: “A company deploys a web application that runs on Azure App Service. The application needs to read data from Azure SQL Database. Which identity should be used to authenticate the application?” The options will include a user account, a service principal with a client secret, a service principal with a certificate, and a system-assigned managed identity. The correct answer is the system-assigned managed identity because it is the simplest and most secure for Azure resources. Another pattern is the troubleshooting question. For instance: “A DevOps pipeline that uses a service principal to deploy resources fails with an authorization error. The service principal was created six months ago. What is the most likely cause?” The answer is that the client secret may have expired, because by default secrets expire after two years or as set by policy. You might also see questions about multi-tenant applications. For example, “You are developing a SaaS application that needs to access resources in multiple customer Azure AD tenants. How should you configure authentication?” The answer involves using a multi-tenant application registration and creating a service principal in each tenant by having the customer admin consent. Questions can also focus on the difference between the application object and the service principal object. For example: “You register an application in Azure AD. Which object is created that represents the application in your specific tenant?” The answer is the service principal object, not the application object.

Another common question type is about authentication methods. You may be asked: “Which authentication method for a service principal is considered most secure?” The answer is certificate-based authentication or managed identity, because client secrets are harder to rotate and more easily compromised. The exam may also present a compliance scenario: “Your company requires that all secrets used by automation be rotated every 90 days. Which type of service principal authentication should you use?” The answer would be certificate-based authentication or a managed identity, since certificates can be set to expire every 90 days, or you can use managed identity to avoid secrets altogether. For AWS, a similar question would be: “An EC2 instance needs to upload files to an S3 bucket. What is the most secure way to grant permission?” Options: store AWS access keys on the instance, use an IAM role with an instance profile, or use a service principal. Correct answer: IAM role with an instance profile (which is the AWS equivalent of a managed identity). For Google Cloud: “A Cloud Function needs to read from a Cloud Storage bucket. How should it authenticate?” Correct answer: use a service account attached to the Cloud Function.

Configuration-style questions are also common. You might be given a command and asked what it does. For example: az ad sp create-for-rbac --name MyApp --role Reader --subscription MySub. The question: “What is the primary purpose of this command?” Answer: To create a service principal with Reader role access to the specified subscription. You could then be asked: “What output does this command provide?” The answer includes a client ID, a client secret (password), and a tenant ID. Another variation: “An administrator runs the command without specifying a role. What role is assigned by default?” The answer is Contributor at the subscription level, which is important to know because it grants broad permissions. Troubleshooting questions may ask: “A script fails with the error ‘Insufficient privileges to complete the operation.’ The script uses a service principal. What is the most likely fix?” The answer is to assign the necessary RBAC role to the service principal at the appropriate scope. You may also see questions about updating secrets: “You need to change the client secret for an existing service principal without downtime. What should you do?” The answer is to add a new secret while keeping the old one, then update all applications to use the new secret, then delete the old one. This pattern is typical in real-world administration and appears in exams. Understanding these question patterns will help you recognize the underlying concept quickly and select the correct answer. Focus on the purpose of each authentication method, the security implications, and the command syntax for creating and managing service principals. The more you practice with scenario-based questions, the more intuitive the correct choice becomes.

Finally, there are comparison questions that test your ability to differentiate between service principals and other identities. For example: “Which of the following is a difference between a service principal and a user account?” Options: A user account can be used for interactive login, while a service principal cannot. A service principal has an expiration date, while a user account does not. A service principal can have RBAC roles, while a user account cannot. The correct answer is that a user account can be used for interactive login, and a service principal is designed for non-interactive authentication. Another comparison: “What is the difference between a managed identity and a service principal?” Answer: A managed identity is automatically created and managed by Azure, with no need to manage credentials, whereas a service principal requires you to create and manage the credentials (client secret or certificate). Managed identities are tied to a specific Azure resource. Service principals are more flexible and can be used in external apps. These nuanced distinctions are exactly what examiners test. Being able to articulate these differences clearly in multiple-choice format is key to passing the exam.

Practise Service principal Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as a cloud administrator for a company called Contoso. The development team has created a Python script that runs every night at 2 AM. The script’s job is to check all virtual machines in the production subscription and automatically shut down any VMs that have been idle for more than 4 hours. The script runs on a dedicated virtual machine in the same subscription. Currently, the script uses a human user account that belongs to you. You have noticed that your account can do many other things, like deleting resources or creating new VMs, which the script does not need. You also worry that if the script is compromised, an attacker could use your credentials to do a lot of damage. Your manager asks you to make the automation more secure.

You decide to create a service principal for the script. First, you register an application in Microsoft Entra ID, calling it “Nightly-Shutdown-Script.” This creates a service principal of the same name in your tenant. You then generate a client secret for this service principal and store it securely in Azure Key Vault. The script is modified to read the secret from Key Vault at runtime, rather than having it hardcoded. Next, you assign the “Virtual Machine Contributor” role to the service principal, but only for the specific resource group that contains the VMs you want to shut down. You also assign the “Reader” role for the same resource group so the script can read the VM status. The service principal now has exactly the permissions it needs: it can read VM properties and stop VMs, but it cannot start VMs, delete them, or touch any other resource in the subscription.

The next night, the script runs using the service principal identity. It authenticates to Azure using the client ID and secret from Key Vault, obtains an access token, and calls the Azure REST API to get a list of idle VMs. It then calls the API to stop each idle VM. Everything works perfectly. A month later, you receive a security alert that the client secret may have been exposed in a log file. Because you used a service principal, you can immediately revoke the old secret and generate a new one. You update Key Vault with the new secret. The human user account that was originally used is no longer at risk. You can now track all the script’s actions in the Azure Activity Log under the service principal’s name, making auditing straightforward. This scenario shows why service principals are essential for secure automation: they limit permissions, remove dependency on human accounts, and simplify secret management. In a certification exam, you might be asked a similar scenario and need to choose between using a user account, a service principal, or a managed identity. The correct answer here could be a service principal, or if the script runs on an Azure VM, a system-assigned managed identity might be even better because it eliminates the need to manage secrets entirely. Understanding this nuance is precisely what exam questions test.

Common Mistakes

Using a service principal for interactive sign-in, like logging into the Azure portal.

Service principals are designed for non-interactive authentication by applications, not for human users. There is no way to use a service principal to sign in to the Azure portal with a browser. Trying to do so will fail, and the service principal’s credentials (client secret) should never be used that way.

Use a regular user account for human access. Use a service principal only for automated processes like scripts, applications, or CI/CD pipelines. If you need to automate portal-like tasks, use the REST API with a service principal, not the portal.

Assigning the “Owner” role to a service principal “just in case” it needs more permissions later.

The “Owner” role grants full access to manage all resources, including deleting them and assigning roles to others. This violates the principle of least privilege and greatly increases the blast radius if the service principal is compromised.

Only assign the minimum role needed for the service principal to perform its specific task. If the task changes, update the role assignment. Use “Contributor” or custom roles when possible. Never use “Owner” for a service principal.

Hardcoding the client secret in source code or configuration files that are stored in version control.

Hardcoding secrets makes them visible to anyone who can access the code repository. If the repository is public or compromised, the secret is exposed. This is a common security breach and is flagged in code scans.

Store the client secret in a secure location such as Azure Key Vault, environment variables in a protected CI/CD pipeline, or use a managed identity to avoid secrets entirely. Retrieve the secret at runtime only.

Creating multiple service principals for the same application instead of using one with multiple role assignments.

Each service principal adds administrative overhead and increases the attack surface. It also makes auditing harder because the same application’s actions are scattered across different identities.

Create one service principal per application and assign all necessary roles to that single identity. Use role assignments at different scopes (management group, subscription, resource group) rather than multiple service principals.

Assuming that a service principal can be created directly without first registering an application.

In Azure, the service principal is derived from an application registration. You must register the application first (or use a managed identity). Trying to create a service principal without an application object will fail. This distinction is tested in exams.

Always start by registering an application in Microsoft Entra ID. Then create the service principal automatically or via the CLI. For managed identities, Azure does this for you automatically, but the service principal still exists behind the scenes.

Forgetting to rotate the client secret regularly, leading to an expired secret that breaks automation.

Secrets have a default expiration date (often 2 years). If you do not rotate them, the application will eventually fail to authenticate. This is a common real-world outage.

Set a reminder to rotate secrets before they expire. Use a script to automate rotation and update the secret in your secure store. Alternatively, use a certificate or managed identity to avoid secret expiration issues.

Exam Trap — Don't Get Fooled

{"trap":"You are asked: “Which identity should you use for an application that runs on-premises and needs to access Azure resources?” The options include a system-assigned managed identity, a user-assigned managed identity, a service principal, and a user account. Learners often choose a managed identity because it sounds more modern and secure."

,"why_learners_choose_it":"Learners remember that managed identities are the best practice for Azure-resident workloads, so they assume it applies to on-premises as well. They overlook that managed identities are tied to Azure resources and cannot be used outside Azure.","how_to_avoid_it":"Understand that managed identities only work for Azure resources like VMs, App Services, or Azure Functions.

For on-premises applications, you must use a service principal with a client secret or certificate, because the application is not hosted on an Azure resource that can automatically get a token. Always consider the location of the workload when choosing between a managed identity and a service principal."

Step-by-Step Breakdown

1

Register an Application in Microsoft Entra ID

You start by creating an application registration in the Azure portal or using the Azure CLI. This step creates an application object that holds global configuration like the name, redirect URIs, and API permissions. This is the blueprint for the identity.

2

Create the Service Principal

When you register an application, a service principal object is automatically created in your tenant. This service principal is the actual identity that will be used for authentication. It has a unique object ID and a client ID that is the same as the application’s application ID.

3

Configure Authentication Credentials

You need to configure how the service principal will authenticate. You can create a client secret (a string password) or upload a certificate. This credential is what the application will present to Azure to prove its identity. The secret should be stored securely, for example in Azure Key Vault.

4

Assign RBAC Roles

The service principal by itself has no permissions to do anything. You must assign one or more Azure RBAC roles to it at the appropriate scope (management group, subscription, resource group, or resource). For example, assign the “Virtual Machine Contributor” role on a resource group so the service principal can manage VMs in that group only.

5

Configure the Application to Use the Service Principal

In your application code or script, you configure it to use the service principal’s client ID and client secret (or certificate) to request an access token from the Microsoft identity platform. The token is then used to call Azure APIs. The application never uses human credentials.

6

Test and Monitor

Run the application and verify that it can successfully authenticate and perform its tasks. Monitor the Azure AD sign-in logs for service principal sign-ins and Azure Activity Log for resource operations. Set up alerts for failed authentication attempts or unexpected role changes to detect potential security issues.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms