
Microsoft Graph API difference between /serviceprincipals and /applications endpoint

At a glance

https://graph.microsoft.com/v1.0/serviceprincipals = queries enterprise applications and all of their properties
https://graph.microsoft.com/v1.0/applications = queries app registrations

What are the differences?

When you query the two endpoints you get back nearly the same set of properties. The main differences are in the values.
For example, the property “passwordCredentials”:
In the result of “/applications” you will find the application's secrets and certificates.
In the result of “/serviceprincipals” the same property reflects the SSO certificate.

Or the property “tags”:
You will only get values when calling the “/serviceprincipals” endpoint.
From the other one you will receive an empty array.

Only a few key properties differ between the two and distinguish them from each other:

  • API (App reg)
  • redirect URIs (App reg)
  • notificationEmailAddresses (Ent App)
  • replyUrls (Ent Apps)

App Registration

= What you see under the App Registrations blade in Azure AD. It’s also called “application object”.

The application object acts like a template. The changes you make there are written to the application manifest.
Possible changes are e.g.:

  • Branding
  • App Roles
  • Client Secret
  • API permissions

The application object describes three aspects of an application: how the service can issue tokens in order to access the application, resources that the application might need to access, and the actions that the application can take.

How to query:

https://graph.microsoft.com/v1.0/applications/{Object ID of app registration}

The endpoint “/applications” will give you the following results:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications/$entity",
    "id": "123-123-132-123",
    "deletedDateTime": null,
    "addIns": [],
    "appId": "12-123-135",
    "applicationTemplateId": null,
    "identifierUris": [
        "https://xy.de"
    ],
    "createdDateTime": "2020-04-07T14:59:45Z",
    "description": null,
    "displayName": "XY",
    "isAuthorizationServiceEnabled": false,
    "isDeviceOnlyAuthSupported": null,
    "isFallbackPublicClient": false,
    "isManagementRestricted": null,
    "groupMembershipClaims": null,
    "notes": null,
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "publisherDomain": "yourdomain.onmicrosoft.com",
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null,
    "uniqueName": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    },
    "defaultRedirectUri": null,
    "api": {
        "requestedAccessTokenVersion": null,
        "acceptMappedClaims": null,
        "knownClientApplications": [],
        "oauth2PermissionScopes": [
            {
                "adminConsentDescription": "Allow the application to access XY on behalf of the signed-in user.",
                "adminConsentDisplayName": "Access XY",
                "id": "12-132-981-1658",
                "isEnabled": true,
                "type": "User",
                "userConsentDescription": "Allow the application to access XY on your behalf.",
                "userConsentDisplayName": "Access XY",
                "value": "user_impersonation"
            }
        ],
        "preAuthorizedApplications": [],
        "resourceSpecificApplicationPermissions": []
    },
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "User",
            "displayName": "User",
            "id": "123-168-1563",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "access",
            "displayName": "access",
            "id": "123866-168196819681-196819681",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        }
    ],
    "publicClient": {
        "redirectUris": []
    },
    "info": {
        "termsOfServiceUrl": null,
        "supportUrl": null,
        "privacyStatementUrl": null,
        "marketingUrl": null,
        "logoUrl": "https://xy.de"
    },
    "keyCredentials": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDateTime": "2022-03-26T10:46:32.147Z",
            "keyId": "123136-681-51681-6681616-1351356",
            "startDateTime": "2021-03-26T10:46:36.095Z",
            "secretText": null,
            "hint": "X-y",
            "displayName": "test"
        }
    ],
    "requiredResourceAccess": [],
    "web": {
        "redirectUris": [
            "https://xy.de"
        ],
        "homePageUrl": "https://xy.de",
        "logoutUrl": null,
        "implicitGrantSettings": {
            "enableIdTokenIssuance": true,
            "enableAccessTokenIssuance": false
        }
    },
    "spa": {
        "redirectUris": []
    }
}

Serviceprincipals

= What you see under the Enterprise Applications blade in Azure AD.

When you create an application object (app registration) through the Azure Portal, the Graph API or the AzureAD PowerShell module, Azure creates a corresponding service principal in the Enterprise Applications blade.
With this service principal you can do things like:

  • Assign permissions in the tenant
  • Set up SSO connections to third-party apps (SaaS, IaaS)
  • Provision objects to other third-party apps (SaaS, IaaS)

How to query:

https://graph.microsoft.com/v1.0/serviceprincipals/{Object ID of Enterprise Application}

The endpoint “/serviceprincipals” will give you the following results:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals/$entity",
    "id": "132-132-123-132",
    "deletedDateTime": null,
    "accountEnabled": true,
    "alternativeNames": [],
    "createdDateTime": "2020-04-07T14:59:45Z",
    "deviceManagementAppType": null,
    "appDescription": null,
    "appDisplayName": "myApp",
    "appId": "789-789-798",
    "applicationTemplateId": null,
    "appOwnerOrganizationId": "456-456-456",
    "appRoleAssignmentRequired": true,
    "description": null,
    "displayName": "myApp",
    "errorUrl": null,
    "homepage": "https://xyz.de",
    "isAuthorizationServiceEnabled": false,
    "isManagementRestricted": null,
    "loginUrl": null,
    "logoutUrl": null,
    "notes": null,
    "notificationEmailAddresses": [
        "contact@xyz.de"
    ],
    "preferredSingleSignOnMode": "saml",
    "preferredTokenSigningKeyEndDateTime": "2023-04-07T15:00:51Z",
    "preferredTokenSigningKeyThumbprint": "1354648165168",
    "publisherName": "company",
    "replyUrls": [
        "https://xyz.de"
    ],
    "samlMetadataUrl": null,
    "servicePrincipalNames": [
        "https://xyz.de"
    ],
    "servicePrincipalType": "Application",
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "HideApp",
        "123-456-789-134",
        "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1",
        "WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
        "WindowsAzureActiveDirectoryIntegratedApp"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    },
    "addIns": [],
    "api": {
        "resourceSpecificApplicationPermissions": []
    },
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "User",
            "displayName": "User",
            "id": "123-456-896-3216",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "access",
            "displayName": "access",
            "id": "123-456-789-123",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        }
    ],
    "info": {
        "termsOfServiceUrl": null,
        "supportUrl": null,
        "privacyStatementUrl": null,
        "marketingUrl": null,
        "logoUrl": "https://xyz.de"
    },
    "keyCredentials": [
        {
            "customKeyIdentifier": "123rtzjkhnb56tu43t",
            "endDateTime": "2023-04-07T15:00:51Z",
            "keyId": "132-684-968161-132548",
            "startDateTime": "2020-04-07T15:00:51Z",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": null,
            "displayName": "CN=Microsoft Azure Federated SSO Certificate"
        },
        {
            "customKeyIdentifier": "123rtzjkhnb56tu43t",
            "endDateTime": "2023-04-07T15:00:51Z",
            "keyId": "131568-68161681-1568168168-165168",
            "startDateTime": "2020-04-07T15:00:51Z",
            "type": "AsymmetricX509Cert",
            "usage": "Sign",
            "key": null,
            "displayName": "CN=Microsoft Azure Federated SSO Certificate"
        }
    ],
    "publishedPermissionScopes": [
        {
            "adminConsentDescription": "Allow the application to access XY on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access XY",
            "id": "123-135321-1316-",
            "isEnabled": true,
            "type": "User",
            "userConsentDescription": "Allow the application to access XY on your behalf.",
            "userConsentDisplayName": "Access XY",
            "value": "user_impersonation"
        }
    ],
    "passwordCredentials": [
        {
            "customKeyIdentifier": "123rtzjkhnb56tu43t",
            "endDateTime": "2023-04-07T15:00:51Z",
            "keyId": "1316-161616-35168681",
            "startDateTime": "2020-04-07T15:00:51Z",
            "secretText": null,
            "hint": null,
            "displayName": "CN=Microsoft Azure Federated SSO Certificate"
        }
    ],
    "resourceSpecificApplicationPermissions": [],
    "samlSingleSignOnSettings": {
        "relayState": ""
    }
}
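To make the difference between the two objects concrete, here is an added example (not code from the original post) that builds the two Graph URLs, diffs the top-level property names of an app registration against its enterprise application, and audits the credentials each one carries. It covers both the “What are the differences?” section and the two listings above. The URL shapes are real v1.0 endpoints; the two sample documents are constructed, trimmed copies of the listings shown above, and the bearer token handling in fetch() is assumed. The security-relevant point it shows: on the app object, passwordCredentials is a client secret that authenticates the app, while on the service principal it mirrors the SAML SSO certificate, so an expiry audit has to look at both objects.

```python
"""Compare an app registration (/applications) with its enterprise application
(/servicePrincipals). Added example, not code from the original post; the
sample documents are constructed from the listings in the post, the token
handling in fetch() is an assumption."""
import json
import urllib.request
from datetime import datetime, timedelta

GRAPH = "https://graph.microsoft.com/v1.0"
KINDS = ("applications", "servicePrincipals")


def object_url(kind, object_id):
    """Direct lookup by object id (the 'id' property), e.g. /applications/{id}."""
    if kind not in KINDS:
        raise ValueError(f"unknown object kind: {kind}")
    return f"{GRAPH}/{kind}/{object_id}"


def by_app_id_url(kind, app_id):
    """Both objects share one appId (client id), so a $filter on appId finds the
    counterpart object without knowing its object id."""
    if kind not in KINDS:
        raise ValueError(f"unknown object kind: {kind}")
    return f"{GRAPH}/{kind}?$filter=appId eq '{app_id}'"


def fetch(url, token):
    """GET a Graph URL with a bearer token obtained elsewhere (assumed)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


APP_OBJECT = {  # constructed from the /applications listing in the post
    "id": "123-123-132-123", "appId": "12-123-135", "displayName": "XY",
    "identifierUris": ["https://xy.de"], "tags": [], "keyCredentials": [],
    "passwordCredentials": [{"displayName": "test", "hint": "X-y",
        "keyId": "123136-681-51681-6681616-1351356", "secretText": None,
        "startDateTime": "2021-03-26T10:46:36.095Z",
        "endDateTime": "2022-03-26T10:46:32.147Z"}],
    "web": {"redirectUris": ["https://xy.de"]},
    "spa": {"redirectUris": []}, "publicClient": {"redirectUris": []},
}

SSO_CERT = "CN=Microsoft Azure Federated SSO Certificate"
SP_OBJECT = {  # constructed from the /servicePrincipals listing in the post
    "id": "132-132-123-132", "appId": "789-789-798", "displayName": "myApp",
    "accountEnabled": True, "appRoleAssignmentRequired": True,
    "preferredSingleSignOnMode": "saml", "replyUrls": ["https://xyz.de"],
    "notificationEmailAddresses": ["contact@xyz.de"],
    "tags": ["HideApp", "WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
             "WindowsAzureActiveDirectoryIntegratedApp"],
    "keyCredentials": [
        {"displayName": SSO_CERT, "type": "AsymmetricX509Cert", "usage": "Verify",
         "keyId": "132-684-968161-132548", "key": None,
         "startDateTime": "2020-04-07T15:00:51Z", "endDateTime": "2023-04-07T15:00:51Z"},
        {"displayName": SSO_CERT, "type": "AsymmetricX509Cert", "usage": "Sign",
         "keyId": "131568-68161681-1568168168-165168", "key": None,
         "startDateTime": "2020-04-07T15:00:51Z", "endDateTime": "2023-04-07T15:00:51Z"}],
    "passwordCredentials": [
        {"displayName": SSO_CERT, "hint": None, "keyId": "1316-161616-35168681",
         "secretText": None, "startDateTime": "2020-04-07T15:00:51Z",
         "endDateTime": "2023-04-07T15:00:51Z"}],
}


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def property_diff(app, sp):
    """Top-level names only in the app object, only in the service principal,
    and present in both (same name, but the values may differ)."""
    a, s = set(app), set(sp)
    return sorted(a - s), sorted(s - a), sorted(a & s)


def credentials(obj):
    """Flatten passwordCredentials (secrets) and keyCredentials (certificates)
    into uniform rows. Secret material is not returned on read, which is why
    secretText and key are null in both listings."""
    rows = []
    for cred in obj.get("passwordCredentials", []):
        rows.append({"kind": "secret", "usage": None, "keyId": cred["keyId"],
                     "displayName": cred.get("displayName"),
                     "expires": parse_graph_time(cred["endDateTime"])})
    for cred in obj.get("keyCredentials", []):
        rows.append({"kind": "certificate", "usage": cred.get("usage"),
                     "keyId": cred["keyId"], "displayName": cred.get("displayName"),
                     "expires": parse_graph_time(cred["endDateTime"])})
    return rows


def expiring(obj, now_iso, days=90):
    """Credentials already expired or expiring within `days` of now_iso."""
    deadline = parse_graph_time(now_iso) + timedelta(days=days)
    return [row for row in credentials(obj) if row["expires"] <= deadline]


if __name__ == "__main__":
    only_app, only_sp, shared = property_diff(APP_OBJECT, SP_OBJECT)
    print("only in /applications:     ", only_app)
    print("only in /servicePrincipals:", only_sp)
    print("same name, compare values: ", shared)
    for name, obj in (("app registration", APP_OBJECT), ("enterprise app", SP_OBJECT)):
        for row in expiring(obj, "2022-01-01T00:00:00Z"):
            print(f"{name}: {row['kind']} {row['displayName']!r} expires {row['expires']:%Y-%m-%d}")
```

Run against the constructed samples, the diff lists redirect-URI style properties (web, spa, publicClient, identifierUris) as app-only and replyUrls, notificationEmailAddresses and appRoleAssignmentRequired as service-principal-only, matching the bullet list at the top of the post; the expiry audit flags the app registration's client secret (ending 2022-03-26) while the SSO certificate on the service principal still has a year left. In a live tenant, pair by_app_id_url() with fetch() to walk from one object to its counterpart, since the object ids differ but the appId is shared.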

This Post Has 2 Comments

  1. Chris M.

    Very interesting and helpful.
    Maybe you can update it with an example scenario, e.g. with a third-party SaaS app!?
