I'm currently working on a project where I've set up a single app registration that handles both delegated permissions and application permissions across various services. I'm wondering if it's safer to create different app registrations for these permissions instead. My idea is to expose the Client ID with delegated permissions for public use, while keeping another one strictly for internal purposes. What are the best practices when it comes to managing app registrations in this way?
2 Answers
I'm not certain about the absolute best practices, but from what I've seen, using separate app registrations can really help in managing security. App registrations don’t cost anything, so I don’t see the point in mixing them for different parts of a system. Keeping them split based on their logical use and permissions seems like the way to go.
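As an added example (not from the question or either answer), the following Python script audits exported app registration manifests for exactly the situation the question describes: one registration that requests both delegated permissions (`type: "Scope"`) and application permissions (`type: "Role"`), and, worse, does so while being configured as a public client whose Client ID is meant to be exposed. It assumes the JSON shape of the Microsoft Graph `application` resource, which is also what `az ad app list --all -o json` emits; the Microsoft Graph resource `appId` is the real well-known value, but every permission GUID and app in the sample input is constructed for the example.

```python
"""Audit Entra ID (Azure AD) app registration manifests for mixed
delegated/application permissions and for public-client exposure.

Added example, not code from the original thread. Input follows the
Microsoft Graph `application` resource (same JSON as `az ad app list`):
requiredResourceAccess[].resourceAccess[].type is "Scope" for delegated
permissions and "Role" for application permissions.
"""
import json

# Real well-known resource appId of Microsoft Graph.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def classify_permissions(app):
    """Return (delegated, application) permission sets as (resourceAppId, id) pairs."""
    scopes, roles = set(), set()
    for rra in app.get("requiredResourceAccess", []):
        resource = rra.get("resourceAppId", "?")
        for access in rra.get("resourceAccess", []):
            key = (resource, access.get("id"))
            if access.get("type") == "Scope":
                scopes.add(key)
            elif access.get("type") == "Role":
                roles.add(key)
    return scopes, roles


def is_public_client(app):
    """True if the registration is usable without a client secret/certificate.

    The explicit fallback flag, a mobile/desktop redirect URI or an SPA
    redirect URI all mean the Client ID is designed to live in untrusted code.
    """
    if app.get("isFallbackPublicClient"):
        return True
    if app.get("publicClient", {}).get("redirectUris"):
        return True
    if app.get("spa", {}).get("redirectUris"):
        return True
    return False


def audit(apps):
    """Return (displayName, finding_code, detail) for each problematic registration."""
    findings = []
    for app in apps:
        scopes, roles = classify_permissions(app)
        name = app.get("displayName") or app.get("appId")
        if scopes and roles:
            findings.append((name, "MIXED",
                             f"{len(scopes)} delegated + {len(roles)} application "
                             "permissions requested by one registration"))
        if roles and is_public_client(app):
            findings.append((name, "PUBLIC_WITH_APP_ROLES",
                             "application permissions on a registration configured "
                             "as a public client"))
    return findings


def audit_json(text):
    """Convenience wrapper over the raw `az ad app list` JSON array."""
    return audit(json.loads(text))


# Constructed sample export: GUIDs below are placeholders, not real permission IDs.
SAMPLE_APPS = [
    {   # The questioner's setup: one registration for everything, and public.
        "displayName": "contoso-everything",
        "appId": "11111111-1111-1111-1111-111111111111",
        "isFallbackPublicClient": True,
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
                {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},
            ],
        }],
    },
    {   # Split design, public half: delegated only, SPA redirect.
        "displayName": "contoso-spa",
        "appId": "22222222-2222-2222-2222-222222222222",
        "spa": {"redirectUris": ["https://app.contoso.example/auth"]},
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
            ],
        }],
    },
    {   # Split design, internal half: application permissions, confidential client.
        "displayName": "contoso-worker",
        "appId": "33333333-3333-3333-3333-333333333333",
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},
            ],
        }],
    },
]

if __name__ == "__main__":
    for name, code, detail in audit(SAMPLE_APPS):
        print(f"{code:22} {name}: {detail}")
```

Two caveats for anyone running this against a real tenant: the manifest lists only the permissions a registration *requests*; what has actually been consented lives on the service principal (`oauth2PermissionGrants` and `appRoleAssignments`), so a clean manifest is necessary but not sufficient. And a registration can be public in practice even when none of the flags fire, if its secret is shipped inside a client binary, which no manifest check can see.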
It's definitely a good idea to separate them. If one gets compromised, it could lead to a huge blast radius. By having distinct managed identities or service principals for each service, you reduce risk. Just like with key vaults, you split access to ensure that if one service account is compromised, the impact on your system is minimized.

What if the service serves multiple customers? Would you still recommend using a single managed identity for that service?