I've been using one app registration that has both delegated and application permissions for my project. It's being utilized by various services in the system. I'm starting to wonder if separating them into different app registrations would be safer. I'd like to know if that's the best practice or if there's a recommended approach for handling permissions here.
5 Answers
Splitting your app registrations is the way to go. Microsoft strongly recommends using the "least privileged" access approach. Get only the permissions you really need for the action at hand. When you can, prefer delegated access over app-only access. Mixing powerful application permissions with delegated ones in a single registration goes against the principle of least privilege.
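The check the answer above implies, as an added example that is not part of the original thread: read app registration manifests in the `requiredResourceAccess` shape Entra ID returns (delegated permissions carry `"type": "Scope"`, application permissions carry `"type": "Role"`) and flag any single registration that requests both. The manifests below are constructed sample data; the appIds, display names and permission ids are placeholders, not real tenant values (only the Microsoft Graph resource appId is the well-known one).

```python
import json

# Microsoft Graph's well-known resource appId, used only to label output.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample manifests in the shape `az ad app list` / Graph
# GET /applications return for requiredResourceAccess. The appIds,
# display names and permission ids are placeholders, not real values.
SAMPLE_MANIFESTS = json.loads("""
[
  {
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "shared-backend",
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
          {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
          {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}
        ]
      }
    ]
  },
  {
    "appId": "22222222-2222-2222-2222-222222222222",
    "displayName": "web-portal",
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
          {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}
        ]
      }
    ]
  },
  {
    "appId": "33333333-3333-3333-3333-333333333333",
    "displayName": "nightly-mailbox-sync",
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
          {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}
        ]
      }
    ]
  },
  {
    "appId": "44444444-4444-4444-4444-444444444444",
    "displayName": "no-permissions-yet",
    "requiredResourceAccess": []
  }
]
""")


def classify(app):
    """Split one registration's requiredResourceAccess into delegated
    ("Scope") and application ("Role") entries as (resourceAppId, id) pairs."""
    delegated, application = [], []
    for resource in app.get("requiredResourceAccess", []):
        resource_id = resource.get("resourceAppId")
        for access in resource.get("resourceAccess", []):
            entry = (resource_id, access["id"])
            kind = access.get("type")
            if kind == "Scope":
                delegated.append(entry)
            elif kind == "Role":
                application.append(entry)
            else:
                # Anything else is not a shape Entra ID emits; fail loudly
                # rather than silently under-counting a registration.
                raise ValueError(f"unknown permission type {kind!r} on {app.get('appId')}")
    return {"delegated": delegated, "application": application}


def audit(apps):
    """Return one finding per registration that mixes delegated and
    application permissions, i.e. the pattern the answer above says to split."""
    findings = []
    for app in apps:
        kinds = classify(app)
        if kinds["delegated"] and kinds["application"]:
            findings.append({
                "displayName": app.get("displayName"),
                "appId": app.get("appId"),
                "delegated": len(kinds["delegated"]),
                "application": len(kinds["application"]),
                "touches_graph": any(r == GRAPH_APP_ID for r, _ in kinds["application"]),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(f"{finding['displayName']} ({finding['appId']}): "
              f"{finding['delegated']} delegated + {finding['application']} application "
              f"permissions in one registration; split it.")
```

To run it against a real tenant, feed it the output of `az ad app list --all` (which includes `requiredResourceAccess`) instead of the constructed sample; the script only reads the `type` field, so it does not need to resolve permission ids to names. Note that this lists what each registration requests, not what has been admin-consented, so pair it with a review of the granted permissions on the corresponding service principal before deciding what to remove.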
If the one app registration gets compromised, the damage could be significant. It's generally a good idea to separate managed identities and service principals based on service use. That way, if something goes wrong, the repercussions are limited. Just like you wouldn’t throw all your keys into one vault, keep access scoped to what's necessary for each service.
Not totally sure about best practices myself, but I think if app registrations are free to create, there's really no reason to mix them up. Keeping them separate based on what they do and what access they need seems like the smarter move to me.
Definitely separate these out for a bunch of reasons.

But what if the service needs to handle multiple clients? Should you still go with separate managed identities in that case?