Azure: Service Principal ID vs Application ID


Question

According to this documentation, Application and Service principal are clearly two different things. Application is the global identity and Service principal is per Tenant/AAD.

But this documentation and this Stack Overflow question suggest they are the same.

To make it more confusing, when I used the Graph API (from the first reference) and queried by my application name:

https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'

I see an object ID and an Application ID (which I thought were the same), but no service principal ID in the JSON.

What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)? Thanks.

Answer

Short answer: Application and Service principal are definitely two different things (related in a 1:many fashion, but definitely different objects).

Using the Azure AD Graph API

Finding the Application, as you already mentioned in the question:

https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Application Name>'

Finding the Service Principal:

https://graph.windows.net/<tenantName>/servicePrincipals?api-version=1.6&$filter=displayName eq '<Application Name>'

Small things to notice in the JSON:

  1. objectId and objectType will be different for the application object and the service principal object that you get back from the above-mentioned queries.
  2. Properties like appId and displayName are the same, since they relate to the same logical application.

Your question - What is the relationship between AppID and ServicePrincipalID (and ClientID, ObjectID)?

Firstly, the link in your question, Application and service principal objects in Azure Active Directory, is a great resource to understand the concepts. I won't do a better job than that documentation at explaining the concepts, so do read through it more than once if needed. I will try to highlight some information to answer your specific queries though.

You can think of the application object that you retrieved from the Azure AD Graph API above (or see in the App registrations section of Azure Portal > Azure Active Directory) as the single and main definition of the software application that you are developing and registering with Azure AD for identity purposes. NOTE: In the case of multi-tenant applications you will find this application object only in the "home" tenant, where the application was registered with Azure AD.

The Service Principal (what you see under the Enterprise applications section of Azure Portal > Azure Active Directory), on the other hand, is something that will get created in every Azure AD tenant that wants to use this application. For the "home" tenant the service principal is created at the time of app registration; for all other tenants the service principal is created at the time of consent.

So there will always be only 1 application object to represent the application. There will be at least 1 service principal, created at the time of app registration. As you start using a multi-tenant application from multiple tenants, 1 service principal will get created for every new Azure AD tenant where a user gives consent for the application. Hence the relation between application and service principal objects becomes 1:many.

  • appId will be the same for the single application object that represents this application, and it will also be the same for all service principals created for this application.
  • objectId will be a unique value for the application object and for each of the service principals. This uniquely identifies the object in Azure AD. It's a property that you will find on all Azure AD objects, even a user, a group or anything else in Azure AD.
  • clientId will be the same as appId. It will be relevant in contexts such as acquiring a token using one of the OAuth flows that Azure AD supports (say, while writing code using the ADAL libraries or using the REST API to hit the Azure AD token endpoints). It is not a direct property you will find with that exact name on an application or service principal object.
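As an added example (not code from the original question or answer), the script below takes Azure AD Graph API 1.6-style responses for /applications and /servicePrincipals and correlates them by appId instead of displayName. The JSON payloads are constructed to mimic the response shape (a top-level "value" array of objects with objectType, objectId, appId and displayName); every GUID and tenant name is a placeholder. It covers both lists above: the application object and its service principals share appId, every objectId is distinct, objectType differs, and a multi-tenant app ends up with one service principal per consenting tenant. The home-tenant payload also includes an unrelated principal with the same displayName, which is exactly the case where the displayName filter used in the queries returns more than one object.

```python
"""Correlate Azure AD application objects with their service principals by appId.

Added example, not code from the original question or answer. The payloads are
CONSTRUCTED to mimic Azure AD Graph API 1.6 responses; GUIDs and tenant names
are placeholders.
"""
import json
from collections import defaultdict

# Constructed /applications response from the home tenant: exactly one
# application object represents the app.
APPLICATIONS_JSON = """{
  "value": [
    {"objectType": "Application",
     "objectId": "11111111-1111-1111-1111-111111111111",
     "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "displayName": "Example App"}
  ]
}"""

# Constructed /servicePrincipals responses, one per tenant queried. The home
# tenant also holds an UNRELATED principal that shares the displayName, which
# is why filtering by displayName alone is not a reliable way to find "the" app.
SERVICE_PRINCIPALS_JSON_BY_TENANT = {
    "home.example.onmicrosoft.com": """{
      "value": [
        {"objectType": "ServicePrincipal",
         "objectId": "22222222-2222-2222-2222-222222222222",
         "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
         "displayName": "Example App"},
        {"objectType": "ServicePrincipal",
         "objectId": "99999999-9999-9999-9999-999999999999",
         "appId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
         "displayName": "Example App"}
      ]
    }""",
    "customer.example.onmicrosoft.com": """{
      "value": [
        {"objectType": "ServicePrincipal",
         "objectId": "33333333-3333-3333-3333-333333333333",
         "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
         "displayName": "Example App"}
      ]
    }""",
}


def parse_graph_response(text):
    """Return the list of directory objects in a Graph response's 'value' array."""
    return json.loads(text)["value"]


def correlate(applications, service_principals_by_tenant):
    """Group service principals under their application object, keyed by appId.

    Returns {appId: {"application": obj or None, "servicePrincipals": [(tenant, obj), ...]}}.
    An appId whose application is None was only seen as a service principal: it is
    registered in some other tenant, or it is simply a different app.
    """
    by_app_id = defaultdict(lambda: {"application": None, "servicePrincipals": []})
    for app in applications:
        by_app_id[app["appId"]]["application"] = app
    for tenant, principals in service_principals_by_tenant.items():
        for sp in principals:
            by_app_id[sp["appId"]]["servicePrincipals"].append((tenant, sp))
    return dict(by_app_id)


def check_invariants(correlation):
    """Return findings that violate the model described in the answer; [] means all hold.

    Checked: objectType is Application / ServicePrincipal as expected, objectId is
    unique across every object, and one appId has at most one service principal
    per tenant.
    """
    findings = []
    seen_object_ids = set()
    for app_id, entry in correlation.items():
        app = entry["application"]
        if app is not None and app["objectType"] != "Application":
            findings.append(f"{app['objectId']} for appId {app_id} is not an Application")
        objects = ([app] if app is not None else []) + [sp for _, sp in entry["servicePrincipals"]]
        for obj in objects:
            if obj["objectId"] in seen_object_ids:
                findings.append(f"objectId {obj['objectId']} is not unique")
            seen_object_ids.add(obj["objectId"])
        tenants_seen = set()
        for tenant, sp in entry["servicePrincipals"]:
            if sp["objectType"] != "ServicePrincipal":
                findings.append(f"{sp['objectId']} in {tenant} is not a ServicePrincipal")
            if tenant in tenants_seen:
                findings.append(f"appId {app_id} has more than one service principal in {tenant}")
            tenants_seen.add(tenant)
    return findings


def build_correlation():
    """Parse the constructed payloads above and correlate them."""
    apps = parse_graph_response(APPLICATIONS_JSON)
    sps = {t: parse_graph_response(j) for t, j in SERVICE_PRINCIPALS_JSON_BY_TENANT.items()}
    return correlate(apps, sps)


if __name__ == "__main__":
    corr = build_correlation()
    for app_id, entry in corr.items():
        app = entry["application"]
        print(f"appId {app_id}: application objectId "
              f"{app['objectId'] if app else '(not registered in this tenant)'}, "
              f"{len(entry['servicePrincipals'])} service principal(s) in "
              f"{sorted(t for t, _ in entry['servicePrincipals'])}")
    print("findings:", check_invariants(corr) or "none")
```

Run with real data by replacing the constructed strings with the bodies returned by the two queries above (one /servicePrincipals call per tenant you can read). Because the key is appId, the same value the token endpoint calls client_id, the unrelated "Example App" principal is kept apart from the registered application, and a second service principal for one appId in a single tenant is reported as a finding.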

On a side note, the other two links that confused you are more How-to articles trying to get the job done rather than deeply explaining the concepts you're looking for. I don't think any documentation will explicitly say that application and service principal are the same thing (since they technically are not). Although I can understand how it can get confusing sometimes, when application and service principal are used interchangeably while loosely referring to the application in the context of authentication-related tasks.

Here is another SO post on a similar topic with a good answer from Jean-Marc Prieur. It may not answer all your specific queries, but it certainly hits the concepts.
