What is the difference between an app registration and a service principal?

An app registration is the global definition of an application in your Entra ID tenant — it specifies the application ID, redirect URIs, API permissions, and credentials. A service principal is the local instance of that app registration in a specific tenant. When you create an app registration, a service principal is automatically created in the home tenant. For multi-tenant apps, a service principal is created in each tenant that consents to the app. RBAC role assignments are made on the service principal, not the app registration.

Should I use client secrets or certificates?

Certificates are more secure because the private key never leaves the client, and authentication uses asymmetric cryptography. Client secrets are simpler to set up but are effectively passwords that can be leaked. For production workloads, use certificates or — better yet — managed identities (which eliminate credentials entirely). If you must use secrets, set short expiration periods (90 days or less) and automate rotation. Note that both secrets and certificates have a maximum lifetime, and you should monitor expiration dates to prevent authentication failures.

Service Principal Config Builder

IAM & SecurityAzure

Build service principal app registrations with roles and API permissions.

Entra ID App Registration Configuration

Build service principal app registration configs with roles, API permissions, and credentials.

Required Fields

displayNamesignInAudiencerequiredResourceAccess

{
  "displayName": "sp-contoso-cicd-prod",
  "appId": "00000000-0000-0000-0000-000000000000",
  "signInAudience": "AzureADMyOrg",
  "appRoles": [
    {
      "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "displayName": "Deployment Manager",
      "description": "Can deploy and manage application resources",
      "value": "Deployment.Manager",
      "allowedMemberTypes": ["Application"],
      "isEnabled": true
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope",
          "description": "User.Read"
        },
        {
          "id": "df021288-bdef-4463-88db-98f22de89214",
          "type": "Role",
          "description": "User.Read.All"
        }
      ]
    }
  ],
  "keyCredentials": {
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "displayName": "CN=contoso-cicd-cert"
  },
  "passwordCredentials": {
    "displayName": "cicd-secret-2026",
    "endDateTime": "2027-03-14T00:00:00Z"
  },
  "tags": ["HideApp", "WindowsAzureActiveDirectoryIntegratedApp"]
}

Generated Output

Output will appear here...

About This Tool

Azure service principals are identity objects in Microsoft Entra ID that represent applications, services, and automation tools. Creating a service principal involves registering an application, configuring authentication credentials (certificates or secrets), defining API permissions (delegated or application-level), and assigning RBAC roles on Azure resources. The Service Principal Config Builder helps you configure app registrations with the correct redirect URIs, credential types, API permission grants, and role assignments for common automation and integration scenarios.

When to Use This Tool

•Creating service principals for Terraform or Pulumi with the minimum RBAC roles needed to manage infrastructure
•Configuring app registrations with certificate-based authentication for production services that need to call Microsoft Graph
•Setting up multi-tenant app registrations with the correct API permissions for SaaS applications

Frequently Asked Questions

What is the difference between an app registration and a service principal?: An app registration is the global definition of an application in your Entra ID tenant — it specifies the application ID, redirect URIs, API permissions, and credentials. A service principal is the local instance of that app registration in a specific tenant. When you create an app registration, a service principal is automatically created in the home tenant. For multi-tenant apps, a service principal is created in each tenant that consents to the app. RBAC role assignments are made on the service principal, not the app registration.
Should I use client secrets or certificates?: Certificates are more secure because the private key never leaves the client, and authentication uses asymmetric cryptography. Client secrets are simpler to set up but are effectively passwords that can be leaked. For production workloads, use certificates or — better yet — managed identities (which eliminate credentials entirely). If you must use secrets, set short expiration periods (90 days or less) and automate rotation. Note that both secrets and certificates have a maximum lifetime, and you should monitor expiration dates to prevent authentication failures.

Related Learning Guides

Azure AD & RBAC Guide26 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.