
When an application object in app registrations is changed, how to update the service principal that is provisioned from it


For an Azure multi-tenant application, when we make any changes to the application object, the changes are only reflected in its service principal object in the application's home tenant (the tenant where the application is registered). How about the service principals that are provisioned based on this application object in other tenants? Is there any way or recommendations to handle the service principal update?

Triggering the admin consent flow again will update the service principal. But I have the following questions:

  1. Is there a way to detect that the service principal needs to be updated? The service principal resource does not include something like a last-update timestamp. So how can we determine that the service principal in a customer's tenant needs to be updated and notify its administrator?
  2. It appears that performing the consent again changes some properties of the service principal, such as permissions, but not others, such as the application name. Are there any recommendations on this, like removing the existing service principal and performing the admin consent again?

Solution

  • 1#

    I'm afraid that there is no way to detect that the service principal needs to be updated. After you update the app registration in the home tenant, you need to notify your customer that they need to do the admin consent again.

    2#

    Yes, you can ask your customer to delete the service principal (enterprise app) in their tenant and try to sign into the application or do the admin consent again. This would update the properties you require. They can do this using PowerShell, Microsoft Graph, or the Azure Portal.

    UPDATE:

    Although there is no property that represents the update time or version in the servicePrincipal or application resource type, there is another method: viewing AAD's audit logs.

    In the Azure Portal -> Azure Active Directory -> Audit logs, select ApplicationManagement for Category and Update service principal for Activity, and select the Date range as the time period (up to one month). Then you can see which service principals have been updated.


    You can also use the Microsoft Graph API List directoryAudits to get the update log of a particular service principal.

    An example:

    GET https://graph.microsoft.com/v1.0/auditLogs/directoryaudits?$filter=activityDisplayName eq 'Update service principal' and targetResources/any(c:c/id eq '{service principal object id}')
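As an added example that is not part of the original answer, the following Python builds the same directoryAudits `$filter` and parses a constructed sample response (object ids and events are placeholders shaped like Graph's directoryAudit resource) to find, per service principal, its newest "Update service principal" event and flag those whose last update predates a change to the home-tenant app registration, which is a practical heuristic for deciding whom to ask for re-consent.

```python
from datetime import datetime
from urllib.parse import quote

GRAPH_AUDITS = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
SP_A = "00000000-0000-0000-0000-0000000000a1"  # constructed placeholder object ids
SP_B = "00000000-0000-0000-0000-0000000000b2"
SAMPLE_AUDITS = {"value": [  # constructed events shaped like Graph's directoryAudit resource
    {"activityDateTime": "2023-05-02T09:15:00Z", "activityDisplayName": "Update service principal",
     "targetResources": [{"id": SP_A, "displayName": "Contoso Sync", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRoleAssignmentRequired",
                                                  "oldValue": '"false"', "newValue": '"true"'}]}]},
    {"activityDateTime": "2023-04-10T12:00:00Z", "activityDisplayName": "Update service principal",
     "targetResources": [{"id": SP_A, "displayName": "Contoso", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "DisplayName",
                                                  "oldValue": '"Contoso"', "newValue": '"Contoso Sync"'}]}]},
    {"activityDateTime": "2023-04-20T08:00:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "targetResources": [{"id": SP_B, "displayName": "Fabrikam Portal", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2023-03-01T10:00:00Z", "activityDisplayName": "Update service principal",
     "targetResources": [{"id": SP_B, "displayName": "Fabrikam Portal", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "ReplyUrls", "oldValue": "[]",
                                                  "newValue": '["https://portal.fabrikam.example/"]'}]}]},
]}

def build_audit_url(sp_object_id: str) -> str:
    """URL-encode the $filter from the answer so any HTTP client can send it verbatim."""
    flt = ("activityDisplayName eq 'Update service principal' and "
           f"targetResources/any(c:c/id eq '{sp_object_id}')")
    return f"{GRAPH_AUDITS}?$filter={quote(flt)}"

def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))  # Graph emits a trailing 'Z'

def latest_updates(audit_response: dict) -> dict:
    """Newest 'Update service principal' event per service principal object id."""
    latest = {}
    for ev in audit_response.get("value", []):
        if ev.get("activityDisplayName") != "Update service principal":
            continue  # role assignments, consent grants etc. are separate activities
        when = _ts(ev["activityDateTime"])
        for tr in ev.get("targetResources", []):
            prev = latest.get(tr["id"])
            if tr.get("type") == "ServicePrincipal" and (prev is None or when > prev["lastUpdated"]):
                latest[tr["id"]] = {"displayName": tr.get("displayName"), "lastUpdated": when,
                                    "changed": [p["displayName"] for p in tr.get("modifiedProperties", [])]}
    return latest

def stale_service_principals(audit_response: dict, app_changed_at_iso: str) -> list:
    """Ids whose newest update predates the home-tenant app change: candidates for re-consent."""
    cutoff = _ts(app_changed_at_iso)
    return sorted(sp for sp, rec in latest_updates(audit_response).items() if rec["lastUpdated"] < cutoff)
```

Audit log retention is limited (the answer notes one month in the portal), so a service principal with no update event at all is simply unknown, not confirmed current.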