
Azure Active Directory has applications and service principals.

https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Both objects seem to have credentials: `New-AzureADApplicationPasswordCredential` and `New-AzureADServicePrincipalPasswordCredential`.

If both a service principal and an application object have a credential (for example, a password), which one is used for authentication? If the service principal's credential is used, what's the purpose of the application object's credential? Is it a fallback for when a service principal doesn't have a credential?

I read this question, but I cannot understand the difference between the application's password and the service principal's one: Authentication difference between using AAD app key and Service Principal Password

Wakusei
  • The post above looks clear; where did you not understand? For example? – Joy Wang Oct 25 '19 at 01:23
  • What will happen if both a service principal and an application object have password? Which password is used for authentication? – Wakusei Oct 25 '19 at 09:50

1 Answer

Both passwords can be used to authenticate, but the password of the service principal can only be used to authenticate in the tenant in which it is located, while the password of the application can be used to authenticate in all the tenants where its service principal instances are located.

The service principal is just an instance of the application in a specific tenant. When a tenant consents to an application, Azure will install it as an Enterprise Application (i.e. a service principal) in that tenant. There can be several service principals in different tenants, but the application is the only one.

Joy Wang
  • Is the credential of an application the default one in case a service principal of the application has no credential? – Wakusei Oct 25 '19 at 13:47
  • @Wakusei Yes, you need to use `New-AzureADServicePrincipalPasswordCredential` to create it. But you can also use the secret of the application to auth, no matter which tenant the service principal is in. – Joy Wang Oct 25 '19 at 14:11
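As an added example (not from the answer above), an audit script built on the same AzureAD PowerShell module the question refers to: it lists the password and certificate credentials on both the application object and its service principal in the signed-in tenant, and labels the scope each one can authenticate in, which is the distinction the answer draws. It assumes the AzureAD module is installed and `Connect-AzureAD` has already been run with an account that can read both object types; `<APP-ID>` is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the AzureAD module
# is loaded and Connect-AzureAD has been run. <APP-ID> below is a placeholder.
function Get-AppAndSpCredentialReport {
    param([Parameter(Mandatory)][string]$AppId)

    # Tenant of the signed-in session: the only tenant a service principal
    # credential found here is valid for.
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    $app = Get-AzureADApplication -Filter "appId eq '$AppId'"
    $sp  = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    $now = Get-Date
    $rows = @()

    if ($app) {
        # Application-object credentials: accepted for this app's service
        # principal in every tenant that has consented to the app.
        $appCreds = @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId) +
                    @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
        foreach ($c in $appCreds) {
            $rows += [pscustomobject]@{
                Object  = 'Application'
                Scope   = 'Every tenant with a service principal for this app'
                KeyId   = $c.KeyId
                Expires = $c.EndDate
                Expired = ($null -ne $c.EndDate -and $c.EndDate -lt $now)
            }
        }
    }

    if ($sp) {
        # Service-principal credentials: accepted only in this tenant.
        $spCreds = @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId) +
                   @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
        foreach ($c in $spCreds) {
            $rows += [pscustomobject]@{
                Object  = 'ServicePrincipal'
                Scope   = "Tenant $tenantId only"
                KeyId   = $c.KeyId
                Expires = $c.EndDate
                Expired = ($null -ne $c.EndDate -and $c.EndDate -lt $now)
            }
        }
    }
    return $rows
}

# <APP-ID> is a placeholder for the application (client) ID being audited.
Get-AppAndSpCredentialReport -AppId '<APP-ID>' | Format-Table -AutoSize
```

Rows tagged `Application` are the ones to review most carefully when an app is multi-tenant, since the answer notes those secrets work in every tenant that has a service principal for the app, not just the one you are signed in to.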