Understand how O365 works

Service Principal and Application Objects

When you authorize the Robin app for the first time, it registers a new Service Principal object in your Azure directory. This is your "install" of the Robin application, which you can manage directly (for example, review the permissions it has been granted or remove it from your directory). Robin maintains the Application object itself, in Robin's own tenant, which allows us to develop and maintain the application for all of our customers in one place.

You can think of the Service Principal as the installed copy of a piece of software, and the Application object as the latest version available. If the Application changes (e.g. a permission is added or removed for a feature), you can choose to reauthorize so that the service principal is updated to the latest version. Reauthorizing shows a new consent prompt listing the updated permission set, so review it before accepting. This is an exceedingly rare event and is not necessary for running Robin.

Diagram for how this works (via Microsoft):


Adding new applications in Office 365

Microsoft documents the following requirement for Global Administrators and applications within Azure AD.

Only global administrators can:

  • Add apps from the Azure AD app gallery (pre-integrated third-party apps)
  • Publish an app using the Azure AD Application Proxy

The first person in your organization to sign into Robin's application therefore needs to be a Global Administrator.

During sign up/in, users are asked to give the app permission to access their profile and the other permissions it requests. The first person to give consent causes a service principal representing the app to be added to the directory.

Once the application has been added to your directory, the Global Administrator role is no longer needed to manage its settings.

Enabling "Users may give applications permission to access their data" allows regular users assigned to the app to sign into the existing service principal and consent, on their own behalf, to the permissions it requests. It does not let users register new applications in your directory; that is controlled by the separate "Users may add integrated applications" option, which can remain disabled. Note that with user consent enabled, a user can also consent to other multi-tenant apps whose requested permissions do not require admin consent, and the first such consent creates a service principal for that app in your directory. Review the service principals and consent grants in your directory periodically rather than relying on this setting alone.
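As an added example (not Robin's code, nor Microsoft's), the following Python script audits the consent state of a directory using records shaped like the Microsoft Graph servicePrincipal and oAuth2PermissionGrant resources. The records, tenant IDs, object IDs and user IDs are constructed sample data; fetching the live data from Graph (for example with the Microsoft Graph PowerShell module) is outside the script. It separates third-party installs such as Robin's (the Application object is owned by another tenant, so appOwnerOrganizationId is not yours) from applications registered in your own tenant, and distinguishes tenant-wide admin consent (consentType "AllPrincipals") from per-user consent ("Principal"), flagging high-privilege scopes that only a single user consented to.

```python
"""Audit service principals and OAuth2 consent grants in an Azure AD tenant.

Added example, not Robin's code. Input has the shape Microsoft Graph returns
for GET /servicePrincipals and GET /oauth2PermissionGrants; the records below
are constructed sample data and every ID is an invented placeholder.
"""

# Assumption: your directory's tenant ID (placeholder value).
MY_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Well-known appId of the Microsoft Graph resource service principal.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Delegated scopes this example treats as admin-consent-only (a policy choice
# for the audit, not a Microsoft rule).
HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Calendars.ReadWrite", "Directory.ReadWrite.All"}

# Constructed /servicePrincipals records.
SERVICE_PRINCIPALS = [
    {   # A third-party app such as Robin: the Application object lives in the
        # vendor's tenant, so appOwnerOrganizationId is not our tenant ID.
        "id": "sp-robin", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
        "displayName": "Robin", "servicePrincipalType": "Application",
        "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
    },
    {   # The resource being accessed (Microsoft Graph), owned by Microsoft.
        "id": "sp-graph", "appId": GRAPH_APP_ID,
        "displayName": "Microsoft Graph", "servicePrincipalType": "Application",
        "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
    },
    {   # An application registered in our own tenant.
        "id": "sp-internal", "appId": "bbbbbbbb-0000-0000-0000-000000000002",
        "displayName": "Internal Reporting", "servicePrincipalType": "Application",
        "appOwnerOrganizationId": MY_TENANT_ID,
    },
]

# Constructed /oauth2PermissionGrants records. "AllPrincipals" is tenant-wide
# (admin) consent; "Principal" is one user's consent, identified by principalId.
PERMISSION_GRANTS = [
    {"id": "g1", "clientId": "sp-robin", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read Calendars.ReadWrite"},
    {"id": "g2", "clientId": "sp-internal", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-graph",
     "scope": "User.Read Mail.ReadWrite"},
]


def classify_service_principals(sps, my_tenant_id):
    """Map each SP id to 'own-tenant' or 'third-party' by appOwnerOrganizationId."""
    return {
        sp["id"]: "own-tenant" if sp.get("appOwnerOrganizationId") == my_tenant_id
        else "third-party"
        for sp in sps
    }


def summarize_consent(sps, grants):
    """Per client SP: scopes granted tenant-wide vs. scopes granted by individual users."""
    names = {sp["id"]: sp["displayName"] for sp in sps}
    summary = {}
    for g in grants:
        entry = summary.setdefault(
            g["clientId"],
            {"name": names.get(g["clientId"], g["clientId"]),
             "admin_scopes": set(), "user_scopes": {}})
        scopes = set(g["scope"].split())  # Graph stores scopes space-separated
        if g["consentType"] == "AllPrincipals":
            entry["admin_scopes"] |= scopes
        else:
            entry["user_scopes"].setdefault(g["principalId"], set()).update(scopes)
    return summary


def find_risky_user_consents(sps, grants, high_privilege=HIGH_PRIVILEGE_SCOPES):
    """Return (app name, user, scope) for high-privilege scopes consented by one user."""
    names = {sp["id"]: sp["displayName"] for sp in sps}
    findings = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue
        for scope in sorted(set(g["scope"].split()) & high_privilege):
            findings.append((names.get(g["clientId"], g["clientId"]),
                             g["principalId"], scope))
    return findings


if __name__ == "__main__":
    kinds = classify_service_principals(SERVICE_PRINCIPALS, MY_TENANT_ID)
    for sp_id, entry in summarize_consent(SERVICE_PRINCIPALS, PERMISSION_GRANTS).items():
        per_user = {u: sorted(s) for u, s in entry["user_scopes"].items()}
        print(f"{entry['name']} ({kinds[sp_id]}): "
              f"admin={sorted(entry['admin_scopes'])} users={per_user}")
    for finding in find_risky_user_consents(SERVICE_PRINCIPALS, PERMISSION_GRANTS):
        print("REVIEW: high-privilege scope granted by a single user:", finding)
```

In a real tenant, run the same checks over the full Graph output: a third-party client with tenant-wide consent to a high-privilege scope is exactly the kind of "install" an administrator authorized on everyone's behalf, while a single-user grant to a high-privilege scope is what user consent can create without any administrator seeing it.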
