I was recently working through an activity where I needed to run a PowerShell script with an Azure AD service principal. It can be somewhat confusing how all the pieces come together, and when working in the portal it is not really transparent what is going on under the hood.

The Pieces

  • Resource owner - needs to work with the data.
  • Client - used to access the data on behalf of the user.
  • Resource server - contains the data.
  • Authentication server - third party that everyone trusts.

All of this activity is assumed to cross an untrusted network.

Getting Started

The first two things we need are the client registration and the application registration on the authentication server.

Client Registration:
  • Unique object for the client.
  • Contains the client ID.

Application Registration:
  • Globally unique ID.
  • Service Principal: instance of the Application object that users interact with. Tracks scopes and user consent.

[Figure: Example authentication workflow]

View from the Azure portal.

The app developer starts by performing the app registration in their tenant. This makes the app available to assign in enterprise applications. We can think of enterprise applications as a list of your active service principals.
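To make the pieces above concrete, here is an added PowerShell example (not code from the original post) that does by hand what the portal and the Az module hide: the script, acting as the client, authenticates to the authentication server with the app registration's client ID and a secret, receives a token issued to the service principal, and presents it to the resource server (Azure Resource Manager). The tenant ID, application ID and the CLIENT_SECRET environment variable are placeholders you supply.

```powershell
# Added example, not from the original post. Assumptions: <TENANT_ID> and <APP_ID>
# come from your app registration, and the client secret is supplied through the
# CLIENT_SECRET environment variable rather than being written into the script.
$TenantId = '<TENANT_ID>'
$ClientId = '<APP_ID>'
$Secret   = $env:CLIENT_SECRET

# 1. Client credentials grant against the authentication server. The client_id is
#    the ID from the app registration; no user is involved, so the token that comes
#    back represents the service principal itself, not a resource owner.
$TokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$Body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $Secret
    scope         = 'https://management.azure.com/.default'   # resource server = ARM
}
$Token = Invoke-RestMethod -Method Post -Uri $TokenUri -Body $Body `
    -ContentType 'application/x-www-form-urlencoded'

# 2. Look inside the token to see how the registrations map onto claims:
#    tid = tenant, appid = application (client) ID from the app registration,
#    oid = object ID of the service principal (the enterprise application entry).
#    Resources that accept v2.0 tokens carry the client ID in 'azp' instead of 'appid'.
$Payload = $Token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$Payload += '=' * ((4 - $Payload.Length % 4) % 4)          # restore base64 padding
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) |
    ConvertFrom-Json
$Claims | Select-Object tid, appid, azp, oid, exp

# 3. Present the bearer token to the resource server. Only subscriptions where the
#    service principal has a role assignment are returned, so an empty list means
#    the token is fine but no access has been granted yet.
$Headers = @{ Authorization = "Bearer $($Token.access_token)" }
$Subs = Invoke-RestMethod -Headers $Headers `
    -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$Subs.value | Select-Object displayName, subscriptionId

# 4. The same exchange through the Az module, which performs steps 1 and 3 for you.
$Cred = New-Object System.Management.Automation.PSCredential(
    $ClientId, (ConvertTo-SecureString $Secret -AsPlainText -Force))
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $Cred | Out-Null
Get-AzSubscription | Select-Object Name, Id
```

Step 2 is the part worth keeping around for troubleshooting: when a role assignment "does not work", comparing the oid in the token with the object ID shown under Enterprise applications tells you whether you assigned the role to the service principal or to something else.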