03 app service principal relationships

assets/diagrams/03-app-service-principal-relationships.html
Original HTML source
<!doctype html>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Application, Service Principal, and App Role Assignment</title>
<style>
  :root {
    color-scheme: light dark;
    --bg: #f8fafc;
    --fg: #172033;
    --muted: #5b6475;
    --line: #64748b;
    --neutral: #e2e8f0;
    --input: #bfdbfe;
    --process: #c7d2fe;
    --storage: #99f6e4;
    --external: #fde68a;
    --risk: #fecaca;
  }
  @media (prefers-color-scheme: dark) {
    :root {
      --bg: #0f172a;
      --fg: #e5e7eb;
      --muted: #a3adbd;
      --line: #94a3b8;
      --neutral: #334155;
      --input: #1d4ed8;
      --process: #4338ca;
      --storage: #0f766e;
      --external: #92400e;
      --risk: #991b1b;
    }
  }
  body {
    margin: 0;
    background: var(--bg);
    color: var(--fg);
    font: 14px/1.4 ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
  }
  main {
    max-width: 980px;
    margin: 32px auto;
    padding: 0 20px;
  }
  svg {
    width: 100%;
    height: auto;
    display: block;
  }
  .title {
    font-size: 22px;
    font-weight: 700;
    fill: var(--fg);
  }
  .label {
    font-size: 14px;
    font-weight: 650;
    fill: var(--fg);
  }
  .small {
    font-size: 12px;
    fill: var(--muted);
  }
  .node {
    stroke: var(--line);
    stroke-width: 1;
  }
  .input {
    fill: var(--input);
  }
  .process {
    fill: var(--process);
  }
  .storage {
    fill: var(--storage);
  }
  .external {
    fill: var(--external);
  }
  .risk {
    fill: var(--risk);
  }
  .edge {
    stroke: var(--line);
    stroke-width: 1.6;
    fill: none;
  }
  .edge-risk {
    stroke: #b91c1c;
    stroke-width: 1.8;
    fill: none;
  }
  .zone {
    fill: none;
    stroke: var(--line);
    stroke-width: 1.2;
    stroke-dasharray: 7 6;
    opacity: 0.9;
  }
</style>
<main>
  <svg viewBox="0 0 980 560" role="img" aria-labelledby="title desc">
    <title id="title">Application, Service Principal, and App Role Assignment</title>
    <desc id="desc">An application object defines the app. A service principal is the tenant-local identity. Owners and credentials affect the service principal. App role assignments grant access to resource APIs.</desc>
    <defs>
      <marker id="arrow" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
        <path d="M 0 0 L 10 5 L 0 10 z" fill="var(--line)"></path>
      </marker>
      <marker id="arrow-risk" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
        <path d="M 0 0 L 10 5 L 0 10 z" fill="#b91c1c"></path>
      </marker>
    </defs>

    <text class="title" x="32" y="42">Application / Service Principal / App Role Assignment</text>
    <text class="small" x="32" y="66">Teaching point: attack paths often depend on who can change the app identity and what that identity can access.</text>

    <path class="edge" fill="none" marker-end="url(#arrow)" d="M 236 174 C 300 174 314 174 378 174"></path>
    <path class="edge" fill="none" marker-end="url(#arrow)" d="M 524 174 C 590 174 602 174 668 174"></path>
    <path class="edge" fill="none" marker-end="url(#arrow)" d="M 524 290 C 594 290 604 250 668 216"></path>
    <path class="edge-risk" fill="none" marker-end="url(#arrow-risk)" d="M 238 388 C 326 388 350 326 422 238"></path>
    <path class="edge-risk" fill="none" marker-end="url(#arrow-risk)" d="M 524 238 C 564 300 594 352 668 388"></path>

    <rect class="node process" x="72" y="132" width="164" height="84" rx="10"></rect>
    <text class="label" x="108" y="164">Application</text>
    <text class="small" x="108" y="186">global app definition</text>

    <rect class="node storage" x="378" y="132" width="146" height="84" rx="10"></rect>
    <text class="label" x="416" y="164">Service</text>
    <text class="label" x="416" y="182">Principal</text>
    <text class="small" x="416" y="202">tenant identity</text>

    <rect class="node external" x="668" y="132" width="166" height="84" rx="10"></rect>
    <text class="label" x="712" y="164">Resource API</text>
    <text class="small" x="712" y="186">Graph or Azure API</text>

    <rect class="node input" x="72" y="350" width="166" height="84" rx="10"></rect>
    <text class="label" x="116" y="382">Owner</text>
    <text class="small" x="116" y="404">can change settings</text>

    <rect class="node risk" x="378" y="274" width="146" height="70" rx="10"></rect>
    <text class="label" x="410" y="304">Credential</text>
    <text class="small" x="410" y="324">secret or cert</text>

    <rect class="node risk" x="668" y="350" width="166" height="84" rx="10"></rect>
    <text class="label" x="708" y="382">App Role</text>
    <text class="label" x="708" y="400">Assignment</text>

    <rect class="zone" x="350" y="102" width="206" height="270" rx="14"></rect>
    <text class="small" x="374" y="116">Tenant-local inspection area</text>

    <text class="small" x="72" y="486">Questions: who owns it, who can add credentials, and which app roles are assigned?</text>
  </svg>
</main>