Prajeesh Prathap

Service Principal vs. Managed Identity - Azure daily #17

An Azure service principal is a security identity used by user-created apps, services and automation tools to access specific Azure resources. In simple terms, a service principal is an application whose tokens can be used by other Azure resources to authenticate and be granted access to Azure resources.

You can create a service principal by creating an app registration (Application) in Azure AD. Once it exists, you can assign RBAC roles to this application on individual resources or at a higher scope within the subscription.

Azure resources that need to authenticate in order to reach protected resources can use the identity of this application (the service principal) to obtain a secure access token.

In simple terms, when an organisation uses Azure Active Directory, a service principal is like an application whose tokens can be used to authenticate a user-created app, service or automation tool and grant it access to specific Azure resources.

Managed identities are service principals of a special type that are locked to use with Azure resources only. When the managed identity is deleted, the corresponding service principal is removed automatically.

The main advantage of using a managed identity is that you don't need to specify any credentials in your code, whereas with a service principal your code has to carry the application ID, tenant ID and the associated credential.

In effect, a managed identity is a layer on top of a service principal that removes the need for you to create and manage service principals manually.
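As an added example (not code from the post), here are the two token requests side by side, written with only the Python standard library: the managed-identity request to the Azure Instance Metadata Service carries no secret at all, while the service-principal client-credentials request must carry the client secret that your code has to store somewhere. The resource/scope values, the sample IDs and the injectable `opener` are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service: fixed link-local address, reachable only from inside the resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# Azure AD token endpoint used by an app registration's service principal.
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def managed_identity_request(resource: str) -> urllib.request.Request:
    """Token request a VM or App Service makes on behalf of its managed identity.
    Nothing secret is sent: the 'Metadata: true' header and the endpoint's locality
    are the only protections, which is why no credential has to live in the code."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}",
                                  headers={"Metadata": "true"}, method="GET")


def service_principal_request(tenant_id: str, client_id: str,
                              client_secret: str, scope: str) -> urllib.request.Request:
    """Client-credentials request for a service principal. The tenant ID, client ID
    and the client secret all have to be supplied by the caller, so the secret
    must be stored and rotated somewhere the code can read it."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return urllib.request.Request(AAD_TOKEN_URL.format(tenant=tenant_id), data=body,
                                  headers={"Content-Type": "application/x-www-form-urlencoded"},
                                  method="POST")


def carries_secret(req: urllib.request.Request) -> bool:
    """True when the outgoing request itself contains a client secret (assumed helper)."""
    return req.data is not None and b"client_secret=" in req.data


def get_token(req: urllib.request.Request, opener=urllib.request.urlopen) -> str:
    """Send either request and return the bearer token; 'opener' is injectable so the
    flow can be exercised offline with a fake response."""
    with opener(req) as resp:
        return json.loads(resp.read())["access_token"]
```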


Conclusion:

Only a limited subset of Azure services support managed identities as an authentication mechanism. It is recommended to use a managed identity instead of a service principal; opt for a service principal only if the service you use doesn't support managed identities.

