Service Principal vs Managed Identities in Azure

Jul 27, 2022 · 1 min read · Post a comment

Two more arguably confusing identity objects in Azure AD – Service Principal and Managed Identities. Let’s tackle them down by defining what they are and how they distinguish from each other.

Service Principal

Service Principal is an identity object in Azure AD which represents an application, tool, a service, and whatever needs access to Azure resources on its behalf.

Think of it as a rough equivalent of GCP service accounts, or a service account in a more traditional way. The idea is to not create fake users per application or a service, whenever you need access to an Azure resource.

Moreover, a service account can be one of the following types:

  • Application (Enterprise apps)
  • Managed Identity
  • Legacy

As a rule of thumb, use it only when the app, service or automation tool doesn’t support a Managed Identity.

Managed Identities

Managed Identity is a type of Service Principal that can be used only with Azure resources.

Think of it as a VM, Logic App, Function and what not, that needs to authenticate and access another Azure resource like an Azure Key Vault, Blog Storage, ACR, just to mention few.

Two types of Managed Identities:

  • User-assigned
  • System-assigned

Use Managed Identities whenever possible.


To summarize, Managed Identities automatically manages the initial deployment and the renewal of the Service Principal, without any manual steps being called for. Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.