Application, Service Principal, and App Role Assignment

An application object defines the app. A service principal is the tenant-local identity. Owners and credentials affect the service principal. App role assignments grant access to resource APIs.

[Diagram: Application / Service Principal / App Role Assignment. Nodes: Application (global app definition), Service Principal (tenant identity), Resource API (Graph or Azure API), Owner (can change settings), Credential (secret or cert), App Role Assignment. Highlighted region: tenant-local inspection area.]

Teaching point: attack paths often depend on who can change the app identity and what that identity can access.

Questions: who owns it, who can add credentials, and which app roles are assigned?
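The three inspection questions above can be answered from the service principal's owners, credentials and app role assignments. This added example (not part of the original material) triages constructed sample objects shaped like Microsoft Graph v1.0 responses for a service principal, its owners and its appRoleAssignments; the IDs, names and the WRITE_MARKERS heuristic are assumptions.

```python
"""Triage a service principal: who owns it, which credentials exist, which app roles it holds."""
from datetime import datetime, timezone

# Constructed sample data in the shape of Graph v1.0 objects; IDs and names are placeholders.
SP = {  # GET /servicePrincipals/{id}
    "id": "sp-0001",
    "appId": "app-0001",
    "displayName": "Example Sync App",
    "passwordCredentials": [{"keyId": "pw-1", "displayName": "legacy secret", "endDateTime": "2099-01-01T00:00:00Z"}],
    "keyCredentials": [{"keyId": "cert-1", "type": "AsymmetricX509Cert", "endDateTime": "2020-01-01T00:00:00Z"}],
}
OWNERS = [  # GET /servicePrincipals/{id}/owners
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "userPrincipalName": "alice@example.test"},
]
ASSIGNMENTS = [  # GET /servicePrincipals/{id}/appRoleAssignments
    {"appRoleId": "role-1", "resourceId": "graph-sp", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-2", "resourceId": "graph-sp", "resourceDisplayName": "Microsoft Graph"},
]
RESOURCE_ROLES = {  # appRoles of each resource SP, keyed by resource SP id then role id -> role value
    "graph-sp": {"role-1": "Directory.ReadWrite.All", "role-2": "User.Read.All"},
}
# Heuristic (assumption): role values containing these substrings can modify data.
WRITE_MARKERS = ("ReadWrite", "Write", "AccessAsUser", "FullControl")


def summarize(sp, owners, assignments, resource_roles, now=None):
    """Return owners, credentials (with expiry state) and resolved app role values for one SP."""
    now = now or datetime.now(timezone.utc)
    creds = []
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for c in sp.get(key, []):
            end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            creds.append({"kind": kind, "keyId": c["keyId"], "expired": end < now})
    # Resolve each assignment's appRoleId to its value using the resource SP's appRoles.
    roles = [resource_roles.get(a["resourceId"], {}).get(a["appRoleId"], a["appRoleId"]) for a in assignments]
    return {
        "displayName": sp["displayName"],
        "owners": [o.get("userPrincipalName") or o.get("displayName") or o["id"] for o in owners],
        "credentials": creds,
        "app_roles": roles,
        "write_capable_roles": [r for r in roles if any(m in r for m in WRITE_MARKERS)],
    }


if __name__ == "__main__":
    for k, v in summarize(SP, OWNERS, ASSIGNMENTS, RESOURCE_ROLES).items():
        print(f"{k}: {v}")
```

Owners of the application object should be reviewed the same way, since they can add credentials that the service principal then uses.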