ServicePrincipal
Represents an instance of an application in a tenant. The service principal is the local representation used for sign-in and access to resources. It inherits certain properties from the application object.
Properties
| Name | Type | Description |
|---|---|---|
| id | string | Unique identifier for the service principal (GUID) |
| appId | string | The unique identifier for the associated application (application's appId). Required on create. |
| displayName | string | The display name for the service principal |
| description | string or null | Description of the service principal's function |
| servicePrincipalType | string | Identifies whether the service principal represents an application, a managed identity, or a legacy app |
| appDisplayName | string | The display name exposed by the associated application |
| appOwnerOrganizationId | string or null | Contains the tenant ID where the application is registered |
| accountEnabled | boolean | true if the service principal account is enabled; false otherwise |
| homepage | string or null | Home page or landing page of the application |
| loginUrl | string or null | URL where the service provider redirects the user to Microsoft Entra ID to authenticate (SAML sign-on) |
| logoutUrl | string or null | URL used by Microsoft's authorization service to sign out a user |
| replyUrls | array | URLs where user tokens are sent for sign-in or redirect URIs for authorization codes and access tokens |
| servicePrincipalNames | array | Contains the list of identifierUris copied from the associated application plus the appId |
| tags | array | Custom strings used to categorize and identify the service principal. Values include WindowsAzureActiveDirectoryIntegratedApp. |
| appRoles | array | The roles exposed by the application that this service principal represents |
| oauth2PermissionScopes | array | The delegated permission scopes exposed by the application |
| appRoleAssignmentRequired | boolean | If true, users and other service principals must first be granted an app role assignment before they can sign in or obtain tokens |
| keyCredentials | array | Collection of certificate credentials |
| passwordCredentials | array | Collection of password credentials |
| createdDateTime | string or null | Date and time the service principal was created |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ServicePrincipal",
"type": "object",
"description": "Represents an instance of an application in a tenant. The service principal is the local representation used for sign-in and access to resources. It inherits certain properties from the application object.",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the service principal (GUID)"
},
"appId": {
"type": "string",
"description": "The unique identifier for the associated application (application's appId). Required on create."
},
"displayName": {
"type": "string",
"description": "The display name for the service principal"
},
"description": {
"type": ["string", "null"],
"description": "Description of the service principal's function"
},
"servicePrincipalType": {
"type": "string",
"description": "Identifies whether the service principal represents an application, a managed identity, or a legacy app"
},
"appDisplayName": {
"type": "string",
"description": "The display name exposed by the associated application"
},
"appOwnerOrganizationId": {
"type": ["string", "null"],
"description": "Contains the tenant ID where the application is registered"
},
"accountEnabled": {
"type": "boolean",
"description": "true if the service principal account is enabled; false otherwise"
},
"homepage": {
"type": ["string", "null"],
"description": "Home page or landing page of the application"
},
"loginUrl": {
"type": ["string", "null"],
"description": "URL where the service provider redirects the user to Microsoft Entra ID to authenticate (SAML sign-on)"
},
"logoutUrl": {
"type": ["string", "null"],
"description": "URL used by Microsoft's authorization service to sign out a user"
},
"replyUrls": {
"type": "array",
"description": "URLs where user tokens are sent for sign-in or redirect URIs for authorization codes and access tokens"
},
"servicePrincipalNames": {
"type": "array",
"description": "Contains the list of identifierUris copied from the associated application plus the appId"
},
"tags": {
"type": "array",
"description": "Custom strings used to categorize and identify the service principal. Values include WindowsAzureActiveDirectoryIntegratedApp."
},
"appRoles": {
"type": "array",
"description": "The roles exposed by the application that this service principal represents"
},
"oauth2PermissionScopes": {
"type": "array",
"description": "The delegated permission scopes exposed by the application"
},
"appRoleAssignmentRequired": {
"type": "boolean",
"description": "If true, users and other service principals must first be granted an app role assignment before they can sign in or obtain tokens"
},
"keyCredentials": {
"type": "array",
"description": "Collection of certificate credentials"
},
"passwordCredentials": {
"type": "array",
"description": "Collection of password credentials"
},
"createdDateTime": {
"type": ["string", "null"],
"description": "Date and time the service principal was created"
}
}
}