When creating an AAD application, we are able to create client secrets for the application. So I understand the client secrets are for the application. As a contrast, we can also create many service principals for the same application. And each service principal can have its own password using `az ad sp create-for-rbac --name ServicePrincipalName`. But I did not find a way to create such a service principal password on the Azure portal. So I am wondering whether these two kinds of credentials are referring to the same thing.

2 Answers
These 2 credentials are actually different things.
The credential on the Application is the one that is most common, and the one that is recommended for almost all usage. It is the single credential that will let your code running in one tenant authenticate and access resources in other tenants where this application is consented/added.
The credential on the servicePrincipal only works for getting access to resources granted to the app in the particular tenant where the service principal lives. This is meant for a very narrow set of scenarios, and not something that is recommended for general use.

Tested with both application client secret and service principal credential. You are correct on both cases. – derek Jul 19 '21 at 22:17
To my knowledge you can't create service principal credentials within the portal. You have to use the CLI method you described or a PowerShell command.
What's in the portal is strictly for creating client secrets for use with the OAuth client credential flow to get a token as a trusted client.
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4 https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
A service principal, on the other hand, is treated more like a domain user within Azure. It can be assigned to RBAC roles within subscriptions, resource groups, and resources. This is handy for running app services as this identity and granting that account access to storage accounts, vaults, etc.

I tested using the application client secret to access Key Vault and blob storage, and both work well. So in this sense, the client secret is not only used for the OAuth client credential flow. – derek Jul 19 '21 at 22:17
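Both answers turn on the same distinction: the application object is the tenant-independent definition, while the service principal is the tenant-local identity that RBAC role assignments actually point at. The following is an added example, not code from either answer or from Microsoft: it builds the RFC 6749 §4.4 client-credentials request for the v2 token endpoint and then decodes (without verifying) the resulting access token to show which claims name the application (`azp` on v2 tokens, `appid` on v1) and which names the service principal (`oid`). Whether the secret was created on the application (`az ad app credential reset`) or on the service principal (`az ad sp credential reset` / `az ad sp create-for-rbac`), a token obtained in the tenant where the service principal lives carries the same `azp`/`oid` pair, which is why the commenter's Key Vault and blob tests succeeded with either. `TENANT_ID`, `CLIENT_ID`, the service principal object id and the sample token are all constructed placeholders, and `request_token` is the only function that touches the network.

```python
"""Client-credentials grant against Azure AD v2 and claim inspection.

Added illustration for the thread above; hypothetical identifiers throughout.
"""
import base64
import json
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # hypothetical application (client) id
SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # hypothetical service principal object id
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def client_credentials_body(client_id, client_secret, scope):
    """Form-encoded body for the client credentials grant (RFC 6749 s4.4).

    `scope` is the resource's .default scope, e.g. https://vault.azure.net/.default
    for Key Vault. The same body is used whether the secret was created on the
    application or on the service principal.
    """
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def request_token(client_id, client_secret, scope, token_url=TOKEN_URL):
    """POST the grant to the token endpoint. Needs network and real credentials."""
    data = client_credentials_body(client_id, client_secret, scope).encode()
    req = urllib.request.Request(token_url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Decode the payload of a JWT WITHOUT verifying the signature.

    Fine for inspecting a token you just received from the issuer; never use
    an unverified decode to make an authorization decision.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def identity_from_claims(claims):
    """Map token claims onto the two objects discussed in the thread."""
    return {
        # Application (client) id: `azp` on v2 tokens, `appid` on v1 tokens.
        "application_id": claims.get("azp") or claims.get("appid"),
        # The tenant-local service principal; this is the id RBAC assignments reference.
        "service_principal_object_id": claims.get("oid"),
        "tenant": claims.get("tid"),
        # App-only tokens carry no delegated `scp` claim (they use `roles`).
        "app_only": "scp" not in claims,
    }


def make_unsigned_sample_token(claims):
    """Build an UNSIGNED JWT-shaped string for offline demonstration.

    Constructed sample only: a real Azure AD token is RS256-signed and its
    signature must be verified against the tenant's signing keys.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed claims shaped like a v2 app-only token for Key Vault.
SAMPLE_CLAIMS = {
    "aud": "https://vault.azure.net",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "azp": CLIENT_ID,
    "oid": SP_OBJECT_ID,
    "sub": SP_OBJECT_ID,
    "roles": [],
}


if __name__ == "__main__":
    # Offline run: inspect the constructed token instead of calling request_token().
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(identity_from_claims(decode_claims(token)), indent=2))
```

When you run this against a real tenant, replace the sample token with the result of `request_token(CLIENT_ID, secret, "https://vault.azure.net/.default")`; the `oid` you see is the value `az role assignment create --assignee-object-id` expects, which is the practical consequence of the service principal, not the application, being the RBAC identity.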