Description
We are super excited to share that the “Lifecycle management of Service Principals as Accounts” feature of Microsoft Entra ID Connector is now generally available in the production tenants!
We are super excited to share that the “Lifecycle management of Service Principals as Accounts” feature of Microsoft Entra ID Connector is now generally available in the production tenants!
Last year, we released this capability of the connector everywhere in the sandbox tenants and we continued to enable this feature in the production tenants as per the request only as of now. These capabilities are now generally available in all the production environments so that you can get the maximum benefit of this feature for managing your Service Principals as accounts.
In Microsoft Entra, workload identities are applications, service principals, and managed identities. Microsoft Entra ID Connector simplifies the lifecycle management for Service Principals and User-assigned managed Identities.
What is the Problem?
There was no direct way for managing Service Principals for enterprise applications.
What is the Solution?
Microsoft Entra ID Connector has following capabilities,
- Aggregation
- Aggregate Service Principals for enterprise applications with all the associated attributes.
- Ability to get Service Principal Roles, Owners, Application ID details, and memberOf information.
- Aggregate application Roles as a separate entitlement object.
- Get or Refresh Account
- Create Service Principals for applications
- Create an application instance of enterprise application and then a Service Principal for that application
- Create a Service Principals for an existing enterprise application
- Create a Service Principals for a multi tenant enterprise application
- While creating the applications and Service Principals for enterprise applications – Ability to add owner, ability to set password and certificates for applications.
- Update Operation
- Basic attributes
- Non-basic attributes: Certificates and Secrets, Owners
- Entitlement attributes: directoryRoles, azureADPimRoles, azurePim, azureRBACRoles, applicationRoles
- Enable and Disable
- Add and Remove Entitlements
- Add and Remove Roles
- Add and Remove User’s Group Membership
- Add and Remove Application Role Memberships (
appRoleAssignments
) - Add and Remove PIM Role Memberships (
azureActiveRoles
andAzureADActiveRoles
) - Add and Remove RBAC Role Memberships (
azureRoleAssignments
) - Add and Remove Admin Consented Delegated Permissions (
spn_adminConsentedPermissions
) - Remove User Consented Delegated Permissions (
spn_userConsentedPermissions
)
Documentation References
- Service Principal Account Management
- Service Principal Account Attributes
- Account Profile for Service Principals
** If you are also interested to know the User-assigned Managed Identities, refer followings-
NOTE - This is an upcoming capabilities of Microsoft Entra (SaaS) Connector, which will be available soon.
If you have any questions, please reach out to us, and we would be more than happy to help you in all possible ways.
Thanks!