In this article, I'll go over a few key concepts related to Azure Identity objects like Azure AD Identity and Service
Principal.
Azure AD Identity
Azure AD is a secure Identity Object store where you can create various Identity Object types.
Users and Groups are the most common, but you can also have Applications, also known as Enterprise Apps,
in there.
An example for each could be:
Users: To begin using Office 365, you create a user object in Azure AD and then allow the user to authenticate to the Azure
Portal.
Groups: In Azure AD, you create a security group that can be used to specify permissions for SharePoint sites, for example.
Enterprise Apps: Allowing a cloud-based application to trust your Azure AD for user authentication via OpenID Connect and OAuth; the trusting app is known
as an enterprise app object in Azure AD.
Service Principal
When an organisation uses Azure Active Directory, a service principal is "...An application whose tokens can be used
to authenticate and grant access to specific Azure resources from a user-app, service, or automation tool..."
In essence, using a Service Principal spares you from creating "fake users" in Azure AD just to handle authentication when
accessing Azure Resources.
Service Principals' access can be restricted by assigning Azure RBAC roles that allow them to only access a
subset of resources.
This RBAC model has one major exception: Azure Key Vault, where permissions can instead be defined with Key Vault Access Policies
rather than Azure RBAC roles.
Typical use cases for a Service Principal include Terraform IaC (Infrastructure as Code) deployments, Azure DevOps
(where you define a Service Connection from DevOps Pipelines to Azure), and any other third-party application that requires an
authentication token to connect to Azure resources.
An Azure Service Principal can be created in "any" traditional way, such as through the Azure Portal, Azure PowerShell,
the REST API, or the Azure CLI.
Let me show you the Azure CLI command syntax to accomplish this:
az ad sp create-for-rbac --name "demosp"
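The RBAC restriction described above is only effective if the service principal's role assignment is actually scoped down. As an added example, not code from the original article, this Python script audits role assignments in the shape returned by `az role assignment list --all -o json` (the field names are assumed to match that output) and flags service principals holding a high-privilege role at subscription or management-group scope; the sample assignments and principal names are constructed.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields used here); not real output from any tenant.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "demosp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "tf-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"principalName": "kv-reader-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
              "/providers/Microsoft.KeyVault/vaults/kv-demo"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

# Roles that grant broad write or permission-management rights (assumed list).
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    parts = scope.strip("/").split("/")
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def find_overprivileged_sps(assignments_json):
    """Return (name, role, scope level) for service principals with a high-privilege role above resource-group scope."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalType") != "ServicePrincipal":
            continue  # users and groups are out of scope for this check
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES and level in ("subscription", "managementGroup"):
            findings.append((a["principalName"], a["roleDefinitionName"], level))
    return findings


if __name__ == "__main__":
    for name, role, level in find_overprivileged_sps(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {role} at {level} scope; narrow it with --role and --scopes")
```

In the sample only "demosp" is flagged: the Contributor assignment scoped to a resource group and the Key Vault role scoped to a single vault both pass.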