A service account is a special type of account that an application or service, rather than a person, uses to interact with the operating system (or, in the cloud, with a directory such as Azure AD). These accounts are not tied to a particular user; they let services and scheduled tasks run with their own specific set of permissions.
For example, in Microsoft 365 (Office 365) a service account is simply a user account that no person signs in with. You can create one as follows:
- Open the Office 365 admin center and go to “Users” > “Active users”.
- Click on “+ Add a user”.
- Fill in the required information (remember to assign a strong password).
- Set the appropriate roles and permissions.
- Complete the process by clicking on “Add”.
Remember, the main reason to create service accounts is to provide an identity for a service running on a server. The permissions granted to a service account govern the actions the service can take and which resources the service can access.
Service Principals
On the other hand, a service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. It gives the application the ability to log in and the permissions it needs to access resources.
To create a service principal using Azure CLI, follow the steps below:
- Sign in through Azure CLI using az login.
- Create the service principal with az ad sp create-for-rbac, passing --name together with --role and --scopes so that the role assignment is explicit and as narrow as the workload allows (for example, Reader on one resource group rather than Contributor on the whole subscription).
The output of the latter command includes appId, displayName (name in older CLI versions), password, and tenant. Note that appId is the client ID and password is the client secret that the application uses to sign in; tenant identifies the directory the token request is sent to. The secret is displayed only once, so store it in a vault (such as Azure Key Vault) rather than in application configuration files.
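To make the field mapping concrete, the following is an added example (not code from the original article): it parses the JSON that az ad sp create-for-rbac prints and builds the OAuth 2.0 client-credentials token request that an application sends to Microsoft identity platform to sign in as the service principal. The CLI output, GUIDs and secret value are constructed placeholders; the only real values are the token endpoint and the form fields of the client-credentials grant.

```python
"""Added example (not from the original article): map the JSON that
`az ad sp create-for-rbac` prints onto the OAuth 2.0 client-credentials
request an application sends to sign in as the service principal.
The sample output below is constructed; the appId/tenant GUIDs and the
password are placeholders, not real credentials."""
import json
from urllib.parse import urlencode

# Constructed sample of `az ad sp create-for-rbac --name demo-app ...` output.
SAMPLE_CLI_OUTPUT = """{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "demo-app",
  "password": "PLACEHOLDER-SECRET-VALUE",
  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}"""

# Microsoft identity platform v2.0 authority (real endpoint).
AUTHORITY = "https://login.microsoftonline.com"


def credentials_from_cli_output(text: str) -> dict:
    """Return client_id / client_secret / tenant_id from the CLI JSON.

    appId is the client ID and password is the client secret; displayName
    is only a label and plays no part in authentication."""
    data = json.loads(text)
    return {
        "client_id": data["appId"],
        "client_secret": data["password"],
        "tenant_id": data["tenant"],
    }


def token_request(creds: dict, resource: str = "https://graph.microsoft.com") -> tuple:
    """Build the client-credentials token request as (url, form_body).

    The scope must be the resource's /.default scope: with application
    permissions the token carries whatever an administrator consented to,
    the application cannot request individual permissions at sign-in."""
    url = f"{AUTHORITY}/{creds['tenant_id']}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": creds["client_id"],
        "client_secret": creds["client_secret"],
        "scope": f"{resource.rstrip('/')}/.default",
    }
    return url, body


def redacted(body: dict) -> dict:
    """Copy of the form body that is safe to log: never write the secret out."""
    return {k: ("***" if k == "client_secret" else v) for k, v in body.items()}


if __name__ == "__main__":
    creds = credentials_from_cli_output(SAMPLE_CLI_OUTPUT)
    url, body = token_request(creds)
    print("POST", url)
    print(urlencode(redacted(body)))
```

Sending the request is a single HTTPS POST of the form body to the URL; the response JSON carries an access_token that is presented as a bearer token to the resource. The redacted() helper is there because the most common way a client secret leaks is through build logs and debug output, not through the token endpoint.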
It’s important to understand that while both service accounts and service principals are used to manage and delegate permissions, they serve different purposes and are used in different environments.
| | Service Account | Service Principal |
|---|---|---|
| Use | Operating System | Azure Resources |
| Where | On a Server | With Applications |
| Who | Application / Service | Application / Hosted Service / Automated Tools |
By understanding how service accounts and service principals function, you can manage permissions and access within your application environment more effectively. This knowledge is particularly useful when preparing for the PL-500 Microsoft Power Automate RPA Developer exam. Be sure to practise enough and study these topics further to understand how they operate and how they are applied within the Microsoft environment.
Practice Test
True or False: Service accounts in Power Automate are intended for individual use to access the service?
- True
- False
Answer: False
Explanation: Service accounts in Power Automate are not intended for individual users. Instead, they are intended for service applications to use to interact with other services.
Which of the following is NOT a task performed by a service principal?
- A) Acting as the security identity for an application
- B) Using its identity to request access tokens for accessing APIs
- C) Managing individual user access to Power Automate
- D) Giving an application access to resources in Microsoft Power Automate
Answer: C) Managing individual user access to Power Automate
Explanation: A service principal is the security identity that is associated with applications and allows them to access resources in Microsoft Power Automate. It does not handle the access rights for individual users.
True or False: A service account requires a username and password to authenticate?
- True
- False
Answer: True
Explanation: Service accounts usually authenticate with a username and password (a certificate or key is the alternative). Treat that password as a secret: store it in a vault and never hard-code it in the application.
Which of the following is a best practice when creating a service account?
- A) Using easy-to-remember passwords
- B) Using the same service account across multiple applications
- C) Always including a recovery phone number
- D) Limiting permissions to only what is necessary for the account’s tasks
Answer: D) Limiting permissions to only what is necessary for the account’s tasks
Explanation: It’s always a best practice to limit permissions on a service account to only what the account needs to perform its tasks.
Can service principals be used in Microsoft Graph API to perform actions that require administrator consent?
- A) Yes
- B) No
Answer: A) Yes
Explanation: Service principals can call Microsoft Graph with application permissions, which typically require an administrator's consent. The administrator grants consent to the application once; from then on the service principal obtains tokens carrying those permissions without any user present.
True or False: Service accounts typically require MFA set up.
- True
- False
Answer: False
Explanation: Interactive MFA cannot be completed by a process that authenticates programmatically, so service accounts are normally excluded from MFA requirements rather than enrolled in them. Compensate with a strong, vaulted secret or a certificate, restrictions on where the account may sign in from, and monitoring of its sign-ins.
True or False: A service account can monitor and manage certain types of service-level events.
- True
- False
Answer: True
Explanation: As part of a proper configuration, a service account can monitor and manage certain types of service-level events.
Service principals have built-in roles like:
- A) Owner
- B) Application developer
- C) User
- D) Both A and B
Answer: D) Both A and B
Explanation: Both can be assigned to a service principal, though they belong to different systems: Owner is an Azure RBAC role that governs access to Azure resources, while Application Developer is an Azure AD directory role that governs what the principal may do in the directory itself.
True or False: The lifetime of a service principal’s credential is unlimited.
- True
- False
Answer: False
Explanation: The lifetime of a service principal's credential is not unlimited. A client secret or certificate has a start and end date (az ad sp create-for-rbac issues a secret valid for one year unless --years is given) and must be rotated before it expires, ideally well ahead of the deadline so the consuming application is never left without a working credential.
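The following is an added example (not from the original article) of the check a practitioner would run over the credentials attached to an application: it reads the JSON that az ad app credential list --id <appId> prints and flags secrets that have expired, are about to expire, or were issued with an unreasonably long lifetime. The credential entries are constructed; the field names follow the passwordCredential shape the CLI returns, and the two thresholds are an assumed policy, not anything the article or Microsoft prescribes.

```python
"""Added example (not from the original article): audit the expiry of a
service principal's secrets from the JSON printed by
`az ad app credential list --id <appId>`. Entries are constructed; the
field names (keyId, displayName, startDateTime, endDateTime) follow the
passwordCredential shape the CLI returns, and the thresholds below are
an assumed policy for the example."""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_CREDENTIALS = """[
  {"keyId": "k-1", "displayName": "rbac",     "startDateTime": "2023-01-15T10:00:00Z", "endDateTime": "2024-01-15T10:00:00Z"},
  {"keyId": "k-2", "displayName": "pipeline", "startDateTime": "2024-05-01T09:00:00Z", "endDateTime": "2024-06-20T09:00:00Z"},
  {"keyId": "k-3", "displayName": "legacy",   "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2099-12-31T00:00:00Z"},
  {"keyId": "k-4", "displayName": "current",  "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-02-01T00:00:00Z"}
]"""

MAX_LIFETIME = timedelta(days=366)  # assumed policy: rotate at least yearly
WARN_WINDOW = timedelta(days=30)    # assumed policy: warn a month ahead


def parse_time(s: str) -> datetime:
    """Parse the CLI's UTC timestamp into an aware datetime.

    Drops fractional seconds (Graph may emit seven digits, more than
    fromisoformat accepts on older Pythons) and treats a trailing Z as UTC."""
    s = s.rstrip("Z")
    if "." in s:
        s = s.split(".", 1)[0]
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def audit_credentials(text: str, now_utc: str) -> dict:
    """Classify each credential as expired, expiring, too-long or ok.

    now_utc is an ISO-8601 timestamp so the check is reproducible; the
    order of tests matters: an expired secret is reported as expired even
    if it was also issued for too long."""
    now = parse_time(now_utc)
    findings = {}
    for cred in json.loads(text):
        start = parse_time(cred["startDateTime"])
        end = parse_time(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= WARN_WINDOW:
            status = "expiring"
        elif end - start > MAX_LIFETIME:
            status = "too-long"
        else:
            status = "ok"
        findings[cred["keyId"]] = status
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for key_id, status in audit_credentials(SAMPLE_CREDENTIALS, now).items():
        print(f"{key_id}: {status}")
```

An expired entry that is still attached to the application usually means nobody cleaned up after a rotation; remove it with az ad app credential delete --id <appId> --key-id <keyId> so that an old secret copied into some configuration file cannot be mistaken for a live one. A "too-long" entry is the one to treat as a finding: a secret valid for decades defeats the point of expiry.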
A service account is typically used by:
- A) Application
- B) User
- C) Group
- D) Role
Answer: A) Application
Explanation: A service account is an account that is not associated with a human being. It’s typically used by an application or a service running on a server.
Interview Questions
What is a service account in Azure?
A service account is a special type of account used by an application, not a person. The services use it to log in and access resources.
What are Azure AD service principals?
Azure AD service principals are identities created for use with applications, hosted services, and automated tools to access Azure resources. They help to avoid storing actual user credentials.
What permissions do service accounts have?
Service accounts should have exactly the permissions needed for the specific tasks of the service they run: enough to operate and maintain the service, and no more. Review the permissions when the service's responsibilities change, and remove any that are no longer used.
What is the function of the Azure AD application object?
Azure AD application objects are used to model the application in Azure AD. The application object describes the application’s behavior, such as its permissions to call APIs and how users sign in.
How can you create a service principal in Azure AD?
You can create a service principal in Azure AD through the Azure portal, Azure CLI, or PowerShell. Most commonly, it involves creating an App registration, and then assigning the appropriate permissions.
What is the Microsoft Graph API’s role when dealing with service principals?
Microsoft Graph API acts as an interface, allowing programmers to manage service principals, such as creating, getting, listing, updating, or deleting them, without having to use the Azure portal.
When should you use a service account instead of a service principal?
Both are non-human identities for system-to-system communication, so the choice follows where the workload lives. Use a service account when the workload runs on a server or needs a user-like identity (for example, to own flows and connections in Power Automate or to sign in to a product that only knows about users). Use a service principal when the identity is an application that needs to call Azure services or Microsoft Graph, because it carries no user-style password that has to be guarded and its permissions can be scoped to specific resources.
What is the importance of setting an appropriate scope while creating service principals?
The scope determines the access level that the service principal will have. So, setting an appropriate scope is crucial to ensure that the service principal only gets the minimum required permissions.
Can service accounts have multi-factor authentication enabled?
No, not in the interactive sense: a service account authenticates programmatically as part of system-to-system communication, so there is no person present to satisfy an MFA prompt, and the account is normally excluded from MFA policies. Because that removes a control, compensate with a vaulted secret or certificate, restrictions on where the account may sign in from, and alerting on unusual sign-ins.
How do you assign a role to a service principal in Azure AD?
Roles can be assigned to a service principal either when you create it (az ad sp create-for-rbac --role ... --scopes ...) or afterwards. Azure RBAC roles, which control access to Azure resources, are assigned on the resource's scope through the "Access control (IAM)" blade in the Azure portal or with az role assignment create --assignee <appId> --role <role> --scope <scope>. Azure AD directory roles, which control what the principal may do in the directory itself, are assigned from the "Roles and administrators" blade by selecting a role and adding the service principal as a member.
How to delete a service principal in Azure AD?
To delete a service principal in Azure AD, you can use the Azure portal, Azure CLI (az ad sp delete --id <appId>), or PowerShell. In the portal, go to the "App registrations" blade, find your application, and delete it; this also removes the associated service principal. Remove the principal's role assignments as well, so that no orphaned assignments remain on the resources it had access to.
Do service principals have their own credentials?
Yes, service principals have their own credentials: a client secret or, preferably, a certificate. These credentials are presented together with the application (client) ID and the tenant ID to authenticate as the service principal; the principal's object ID is only used to refer to it in the directory, not to sign in.
What is a role scope in Azure AD?
The role scope in Azure AD is a boundary that the access applies to, such as a management group, subscription, resource group, or an individual resource.
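As an added example (not from the original article), the script below classifies role-assignment scopes into those four levels and flags assignments that grant a privileged role above resource-group scope, which is the review a practitioner runs on a service principal before trusting it. The assignments are constructed from the shape of az role assignment list --assignee <appId> --all output (roleDefinitionName and scope); the set of roles treated as privileged and the "above resource group" threshold are assumptions for the example.

```python
"""Added example (not from the original article): classify Azure RBAC
role-assignment scopes and flag broad grants to a service principal.
The assignments are constructed from the shape of
`az role assignment list --assignee <appId> --all` output; the
PRIVILEGED_ROLES set and the "broad" threshold are assumptions."""
import json

SAMPLE_ASSIGNMENTS = """[
  {"roleDefinitionName": "Contributor", "scope": "/subscriptions/0000-sub"},
  {"roleDefinitionName": "Reader",      "scope": "/subscriptions/0000-sub/resourceGroups/rg-app"},
  {"roleDefinitionName": "Owner",       "scope": "/providers/Microsoft.Management/managementGroups/corp"},
  {"roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/0000-sub/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stlogs"}
]"""

# Assumed policy: these roles are broad enough to warrant review at wide scopes.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "management-group", "subscription"}

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def scope_level(scope: str) -> str:
    """Map a scope string to root / management-group / subscription /
    resource-group / resource, following the scope hierarchy."""
    if scope == "/":
        return "root"
    if scope.startswith(MG_PREFIX):
        return "management-group"
    parts = [p for p in scope.split("/") if p]
    if parts and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resource-group"
        if len(parts) > 4 and parts[2].lower() == "resourcegroups":
            return "resource"
    raise ValueError(f"unrecognised scope: {scope}")


def broad_assignments(text: str) -> list:
    """Return (role, level, scope) for privileged roles granted at or above
    subscription scope; these are the assignments to justify or narrow."""
    out = []
    for a in json.loads(text):
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            out.append((a["roleDefinitionName"], level, a["scope"]))
    return out


if __name__ == "__main__":
    for role, level, scope in broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{role} at {level} scope: {scope}")
```

The usual remediation is to replace the broad grant with the narrowest role that still covers the workload's operations at the narrowest scope that contains its resources, for example Storage Blob Data Reader on one storage account instead of Contributor on the subscription.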
Can you assign roles to service accounts in the same way as to service principals?
Yes, in Azure, you can assign roles to service accounts in the same manner as service principals. Like service principals, the roles assigned to a service account define what actions the service account can and can’t do.
Can the name of a service principal be changed after creation in Azure AD?
Yes, the service principal’s display name can be changed after creation. This can be done in the Azure portal by going to Azure Active Directory, selecting “App Registrations,” finding your application, and editing the display name.