Microsoft Entra · Schema
ServicePrincipal
Represents an instance of an application in a tenant. The service principal is the local, per-tenant representation used for sign-in and access to resources: a multi-tenant application has one application object in its home tenant and one service principal in every tenant that consents to it. The service principal inherits certain properties (display name, app roles, permission scopes, identifier URIs) from the application object, while tenant-local settings such as assignment requirements, tags and tenant-specific credentials live on the service principal itself.
Tags: Access Management, Authentication, Azure AD, Entra, Identity, Identity Governance, Microsoft, Network Security, Security, Zero Trust
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique identifier for the service principal (GUID). Read-only. |
| appId | string | The appId of the associated application object. Required on create. |
| displayName | string | The display name for the service principal. |
| description | string (nullable) | Free-text description of the service principal's function. |
| servicePrincipalType | string | Identifies what the service principal represents. Values: Application, ManagedIdentity, Legacy, SocialIdp. |
| appDisplayName | string | The display name exposed by the associated application. |
| appOwnerOrganizationId | string (nullable) | The tenant ID where the associated application is registered. For a multi-tenant application registered elsewhere this differs from the local tenant ID, which is how third-party apps are distinguished from first-party ones. |
| accountEnabled | boolean | true if the service principal account is enabled; false otherwise. When false, no user can sign in to the app (even if assigned) and the app cannot obtain tokens. |
| homepage | string (nullable) | Home page or landing page of the application. |
| loginUrl | string (nullable) | URL where the service provider redirects the user to Microsoft Entra ID to authenticate (used for SAML-based single sign-on). |
| logoutUrl | string (nullable) | URL used by Microsoft's authorization service to sign out a user (OpenID Connect front-channel, back-channel or SAML sign-out). |
| replyUrls | array of string | URLs that user tokens are sent to for sign-in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to. An overly broad or non-HTTPS entry here lets a token or code be delivered to the wrong party. |
| servicePrincipalNames | array of string | The identifierUris copied from the associated application plus the appId. Client apps can request a token for this service principal using any of these values as the resource. |
| tags | array of string | Custom strings used to categorize and identify the service principal. The value WindowsAzureActiveDirectoryIntegratedApp makes the service principal appear in the Enterprise applications list in the portal; without it, it is still fully functional but is not shown there. |
| appRoles | array of appRole | Application roles exposed by the associated application that this service principal represents; copied from the application object. |
| oauth2PermissionScopes | array of permissionScope | Delegated permission scopes exposed by the associated application. |
| appRoleAssignmentRequired | boolean | If true, users and other service principals must first be granted an app role assignment for this service principal before users can sign in or apps can obtain tokens. Default is false, in which case any user in the tenant can sign in to the app. |
| keyCredentials | array of keyCredential | Certificate credentials the service principal can authenticate with. Credentials can also be set on the application object; those added here apply only to this tenant's service principal, which is why a review of credentials must cover both objects. |
| passwordCredentials | array of passwordCredential | Client-secret credentials the service principal can authenticate with. Use addPassword/removePassword (or addKey/removeKey for certificates) to rotate them. |
| createdDateTime | string (nullable) | Date and time the service principal was created, as an ISO 8601 timestamp in UTC. |
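The properties above are what a reviewer reads when deciding whether a service principal is safe. The following Python is an added example, not Microsoft's code or part of this schema page: it takes a constructed JSON document shaped like a GET /servicePrincipals/{id} response (all GUIDs, URLs, dates and the local tenant ID are invented), flags the security-relevant conditions the schema exposes (foreign-owned app, no assignment required, weak reply URL, hidden from the portal, expired, long-lived or secret-based credentials) and builds the PATCH body that fixes the settings that can be fixed in place. The finding codes and the clock value are this example's own choices.

```python
"""Review a Microsoft Entra servicePrincipal resource for risky settings.

Added example; not Microsoft's code. The sample object below is constructed
to look like a Graph GET /servicePrincipals/{id} response; every GUID, URL
and date in it is invented for illustration.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample servicePrincipal (values invented).
SAMPLE_SP_JSON = """
{
  "id": "11111111-1111-1111-1111-111111111111",
  "appId": "22222222-2222-2222-2222-222222222222",
  "displayName": "Contoso Ticketing",
  "servicePrincipalType": "Application",
  "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
  "accountEnabled": true,
  "appRoleAssignmentRequired": false,
  "tags": [],
  "replyUrls": ["https://tickets.contoso.example/auth",
                "http://localhost:8080/callback",
                "http://tickets-dev.contoso.example/cb"],
  "appRoles": [{"id": "aaaaaaaa-0000-0000-0000-000000000001",
                "value": "Tickets.ReadWrite.All", "isEnabled": true}],
  "keyCredentials": [
    {"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"}
  ],
  "passwordCredentials": [
    {"keyId": "p1", "displayName": "deploy-secret",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"}
  ],
  "createdDateTime": "2023-01-01T00:00:00Z"
}
"""

LOCAL_TENANT_ID = "44444444-4444-4444-4444-444444444444"   # assumed home tenant (invented)
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)           # fixed clock so results are reproducible
INTEGRATED_APP_TAG = "WindowsAzureActiveDirectoryIntegratedApp"


def load_sample():
    return json.loads(SAMPLE_SP_JSON)


def parse_graph_datetime(value):
    # Graph emits ISO 8601 with a trailing Z; fromisoformat() needs an explicit offset on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_safe_reply_url(url):
    """HTTPS only, no wildcard hosts; plain http is tolerated for loopback development redirects."""
    parsed = urlparse(url)
    if "*" in parsed.netloc:
        return False
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and parsed.hostname in ("localhost", "127.0.0.1")


def review_credentials(sp, now, expiry_window_days, max_lifetime_days):
    """Walk keyCredentials and passwordCredentials and return (code, detail) findings."""
    findings = []
    for kind in ("keyCredentials", "passwordCredentials"):
        for cred in sp.get(kind, []):
            start = parse_graph_datetime(cred["startDateTime"])
            end = parse_graph_datetime(cred["endDateTime"])
            label = f"{kind}/{cred.get('keyId')}"
            if end <= now:
                findings.append(("EXPIRED_CREDENTIAL", label))
            elif end <= now + timedelta(days=expiry_window_days):
                findings.append(("EXPIRING_CREDENTIAL", label))
            if end - start > timedelta(days=max_lifetime_days):
                findings.append(("LONG_LIVED_CREDENTIAL", label))
            if kind == "passwordCredentials":   # secrets are weaker than certificate credentials
                findings.append(("CLIENT_SECRET", label))
    return findings


def review_service_principal(sp, local_tenant_id=LOCAL_TENANT_ID, now=NOW,
                             expiry_window_days=30, max_lifetime_days=365):
    """Return a list of (code, detail) findings for one servicePrincipal object."""
    findings = []
    if not sp.get("accountEnabled", True):
        findings.append(("DISABLED", "accountEnabled is false; no sign-in or token issuance"))
    owner = sp.get("appOwnerOrganizationId")
    if owner and owner != local_tenant_id:
        findings.append(("FOREIGN_APP", f"application registered in tenant {owner}"))
    if not sp.get("appRoleAssignmentRequired", False):
        findings.append(("NO_ASSIGNMENT_REQUIRED", "any user in the tenant can sign in to this app"))
    for url in sp.get("replyUrls", []):
        if not is_safe_reply_url(url):
            findings.append(("WEAK_REPLY_URL", url))
    if sp.get("servicePrincipalType") == "Application" and INTEGRATED_APP_TAG not in sp.get("tags", []):
        findings.append(("HIDDEN_FROM_PORTAL", f"tag {INTEGRATED_APP_TAG} missing"))
    findings.extend(review_credentials(sp, now, expiry_window_days, max_lifetime_days))
    return findings


def remediation_patch(sp, findings):
    """PATCH body for /servicePrincipals/{id} covering the settings fixable in place.
    Credential removal goes through the removeKey / removePassword actions and is left to the operator."""
    codes = {code for code, _ in findings}
    body = {}
    if "NO_ASSIGNMENT_REQUIRED" in codes:
        body["appRoleAssignmentRequired"] = True
    if "HIDDEN_FROM_PORTAL" in codes:
        body["tags"] = sorted(set(sp.get("tags", [])) | {INTEGRATED_APP_TAG})
    if "WEAK_REPLY_URL" in codes:
        body["replyUrls"] = [u for u in sp.get("replyUrls", []) if is_safe_reply_url(u)]
    return body


if __name__ == "__main__":
    sp = load_sample()
    found = review_service_principal(sp)
    for code, detail in found:
        print(f"{code:24} {detail}")
    print(json.dumps(remediation_patch(sp, found), indent=2))
```

Run against a real tenant, the same function would be fed each page of GET /servicePrincipals?$select=... with the properties listed above; the review is deliberately pure (fixed clock, no network) so it can be unit-tested and run over an exported snapshot. Note that credentials on the application object are not visible here at all, so a complete credential review queries /applications as well.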