For an Azure multi-tenant application, when we make any changes to the application object, the changes are only reflected in its service principal object in the application's home tenant (the tenant where the application is registered). How about the service principals that are provisioned based on this application object in other tenants? Is there any way or recommendations to handle the service principal update?
Triggering the admin consent flow again will update the service principal. But I have the following questions:
#1
I'm afraid there is no way to detect that a service principal needs to be updated. After you update the app registration in the home tenant, you need to notify your customers that they need to do the admin consent again.
#2
Yes, you can ask your customer to delete the service principal (enterprise app) in their tenant and then sign into the application or do the admin consent again. This would update the properties you require. They can do this using PowerShell, Microsoft Graph, or the Azure Portal.
UPDATE:
Although there is no property that represents the update time or version in the servicePrincipal resource type or the application resource type, there is another method: viewing AAD's audit logs.
In the Azure Portal -> Azure Active Directory -> Audit logs, select ApplicationManagement for Category and Update service principal for Activity, and select the Date as the time period (up to one month). Then you can see which service principals have been updated.
You can also use Microsoft Graph API List directoryAudits to get the update log of a particular service principal.
An example:
GET https://graph.microsoft.com/v1.0/auditLogs/directoryaudits?$filter=activityDisplayName eq 'Update service principal' and targetResources/any(c:c/id eq '{service principal object id}')
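As an added illustration of the two points above (the re-consent step in #2 and the directoryAudits query in the UPDATE), here is a small Python helper that is not part of the original answer. It builds the Graph audit query for one service principal, flattens the "Update service principal" events in a response into one row per changed property (so a customer tenant's admin can see what drifted), and builds the admin-consent URL used to re-provision the enterprise app. The tenant ID, client ID, object IDs and the sample audit response are constructed placeholders, not values from the page.

```python
"""Added example, not from the original answer or from Microsoft.

Assumptions (constructed, hypothetical values): the object IDs, tenant ID,
client ID, redirect URI and SAMPLE_RESPONSE below are made up for illustration.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
AUDIT_ACTIVITY = "Update service principal"


def build_audit_query_url(sp_object_id: str) -> str:
    """List directoryAudits, filtered to 'Update service principal' events whose
    target is the given service principal object id (the query from the answer)."""
    flt = (f"activityDisplayName eq '{AUDIT_ACTIVITY}' and "
           f"targetResources/any(c:c/id eq '{sp_object_id}')")
    # quote_via=quote encodes spaces as %20 rather than '+'
    query = urllib.parse.urlencode({"$filter": flt}, quote_via=urllib.parse.quote)
    return f"{GRAPH}/auditLogs/directoryAudits?{query}"


def fetch_audits(url: str, access_token: str) -> dict:
    """Call Graph with a bearer token (needs AuditLog.Read.All); not run offline."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_updates(audit_response: dict) -> List[Dict]:
    """Flatten a directoryAudits response into one row per modified SP property."""
    rows = []
    for event in audit_response.get("value", []):
        if event.get("activityDisplayName") != AUDIT_ACTIVITY:
            continue
        who = event.get("initiatedBy") or {}
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        for target in event.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            for prop in target.get("modifiedProperties", []):
                rows.append({
                    "when": event.get("activityDateTime"),
                    "sp_id": target.get("id"),
                    "sp_name": target.get("displayName"),
                    "property": prop.get("displayName"),
                    "old": prop.get("oldValue"),   # Graph returns JSON-encoded strings
                    "new": prop.get("newValue"),
                    "actor": actor,
                    "result": event.get("result"),
                })
    return rows


def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """Admin-consent endpoint a customer tenant's admin visits to (re)provision the
    service principal from the current application object."""
    params = urllib.parse.urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{params}"


# Constructed sample response shaped like the Graph directoryAudit resource.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "Directory_00000000-0000-0000-0000-000000000001",
            "category": "ApplicationManagement",
            "activityDisplayName": "Update service principal",
            "activityDateTime": "2023-05-10T09:12:31Z",
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
            "targetResources": [{
                "id": "11111111-1111-1111-1111-111111111111",
                "displayName": "Example Multi-tenant App",
                "type": "ServicePrincipal",
                "modifiedProperties": [{
                    "displayName": "ReplyUrls",
                    "oldValue": "[\"https://old.example/cb\"]",
                    "newValue": "[\"https://new.example/cb\"]",
                }],
            }],
        },
        {   # unrelated event: filtered out by activity name
            "id": "Directory_00000000-0000-0000-0000-000000000002",
            "category": "ApplicationManagement",
            "activityDisplayName": "Add service principal",
            "activityDateTime": "2023-05-09T08:00:00Z",
            "result": "success",
            "initiatedBy": {"user": None, "app": {"displayName": "Provisioning"}},
            "targetResources": [],
        },
    ]
}


if __name__ == "__main__":
    print(build_audit_query_url("11111111-1111-1111-1111-111111111111"))
    for row in summarize_updates(SAMPLE_RESPONSE):
        print(row)
    print(build_admin_consent_url("tenant-id-placeholder", "client-id-placeholder",
                                  "https://app.example/consent-callback"))
```

The audit query is per-tenant: it shows updates to service principals in whichever tenant the token belongs to, so a customer admin runs it in their own tenant to see whether the enterprise app changed, and a change in the home tenant's app registration will not appear there until the customer re-consents.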