Enterprise Application / Service Principal
When we create/register a new application with a secret, redirect URI, etc., it is called an "application" (app registration). When a user consents to this application, a new "enterprise application" with the same name is created automatically. This object is the service principal.
The service principal is the part that can actually be used: role assignments, API permissions, etc. are granted to it, not to the app registration.
Conditional Access can also be applied to enterprise applications/service principals. Since protecting these workload identities requires an extra subscription, it is very unlikely that MFA is enforced on them. This is why we are interested in obtaining access to an enterprise application.
Authenticating with an App secret
When we know an app's secret from the application registration, we can authenticate as the service principal using:
# Wrap the client secret as a SecureString (APP-SECRET, APP-ID and TENANT-ID are placeholders)
$password = ConvertTo-SecureString 'APP-SECRET' -AsPlainText -Force
# The application (client) ID is the username part of the credential
$creds = New-Object System.Management.Automation.PSCredential('APP-ID', $password)
# Sign in as the service principal, not as a user
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant TENANT-ID
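The following audit script is an added example, not code from the original page. It covers both points above from the defender's side: it walks app registrations that carry client secrets, resolves each to its enterprise application (service principal) to show which API permissions and directory roles live on that object, and then checks whether any enabled Conditional Access policy targets workload identities at all. It uses the Microsoft Graph PowerShell SDK and assumes an existing session (Connect-MgGraph -Scopes 'Application.Read.All','Policy.Read.All'); the $MaxSecretLifetimeDays threshold is a value chosen here for illustration.

```powershell
# Added example (not from the original page): defender-side inventory of
# secret-bearing app registrations, their service principals, and CA coverage.
# Assumes: Connect-MgGraph -Scopes 'Application.Read.All','Policy.Read.All' already done.
# $MaxSecretLifetimeDays is an illustrative threshold, not a Microsoft default.
param([int]$MaxSecretLifetimeDays = 180)

$now    = (Get-Date).ToUniversalTime()
$report = @()

# 1. App registrations ("applications") that hold at least one client secret.
$apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials |
    Where-Object { $_.PasswordCredentials.Count -gt 0 }

foreach ($app in $apps) {
    # 2. The enterprise application created for it: same appId, separate object.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $sp) { continue }   # registered but never consented: no principal to sign in as

    # 3. What the principal can do lives on the service principal, not the app:
    #    API permissions (app role assignments) and directory role memberships.
    $apiPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "$($_.ResourceDisplayName):$($_.AppRoleId)" }
    $dirRoles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    foreach ($secret in $app.PasswordCredentials) {
        # Lifetime is only computable when both timestamps are present.
        $lifetimeDays = if ($secret.StartDateTime -and $secret.EndDateTime) {
            ($secret.EndDateTime - $secret.StartDateTime).TotalDays
        } else { 0 }

        $report += [pscustomobject]@{
            Application      = $app.DisplayName
            ServicePrincipal = $sp.Id
            SecretKeyId      = $secret.KeyId
            ExpiresUtc       = $secret.EndDateTime
            Expired          = ($secret.EndDateTime -lt $now)
            LongLived        = ($lifetimeDays -gt $MaxSecretLifetimeDays)
            DirectoryRoles   = ($dirRoles -join ';')
            ApiPermissions   = @($apiPerms).Count
        }
    }
}

# 4. Is any enabled Conditional Access policy scoped to workload identities?
#    Policies aimed at service principals carry conditions.clientApplications.
$caForWorkloads = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.ClientApplications.IncludeServicePrincipals.Count -gt 0
    }

$report | Sort-Object LongLived, ExpiresUtc -Descending | Format-Table -AutoSize
"Apps with a secret and a service principal: $(@($report.Application | Sort-Object -Unique).Count)"
if (@($caForWorkloads).Count -eq 0) {
    "No enabled Conditional Access policy targets workload identities; the secret is the only gate."
} else {
    "Workload-identity CA policies: $($caForWorkloads.DisplayName -join ', ')"
}
```

Rows flagged LongLived or carrying directory roles are the ones to rotate or move to certificate/federated credentials first; an empty workload-identity CA result confirms the situation the text describes, where possession of the secret alone is sufficient to sign in.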