{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/ServicePrincipal", "title": "ServicePrincipal", "type": "object", "description": "Represents an instance of an application in a tenant. The service principal is the local representation used for sign-in and access to resources. It inherits certain properties from the application object.", "properties": { "id": { "type": "string", "readOnly": true, "description": "Unique identifier for the service principal (GUID)", "example": "abc123" }, "appId": { "type": "string", "description": "The unique identifier for the associated application (application's appId). Required on create.", "example": "500123" }, "displayName": { "type": "string", "description": "The display name for the service principal", "example": "example_value" }, "description": { "type": [ "string", "null" ], "description": "Description of the service principal's function", "example": "A sample description." }, "servicePrincipalType": { "type": "string", "description": "Identifies whether the service principal represents an application, a managed identity, or a legacy app", "enum": [ "Application", "ManagedIdentity", "Legacy", "SocialIdp" ], "example": "Application" }, "appDisplayName": { "type": "string", "readOnly": true, "description": "The display name exposed by the associated application", "example": "example_value" }, "appOwnerOrganizationId": { "type": [ "string", "null" ], "format": "uuid", "readOnly": true, "description": "Contains the tenant ID where the application is registered", "example": "500123" }, "accountEnabled": { "type": "boolean", "description": "true if the service principal account is enabled; false otherwise", "default": true, "example": true }, "homepage": { "type": [ "string", "null" ], "description": "Home page or landing page of the application", "format": "uri", "example": "https://www.example.com" }, "loginUrl": { "type": [ "string", "null" ],
"description": "URL where the service provider redirects the user to Microsoft Entra ID to authenticate (SAML sign-on)", "format": "uri", "example": "https://www.example.com" }, "logoutUrl": { "type": [ "string", "null" ], "description": "URL used by Microsoft's authorization service to sign out a user", "format": "uri", "example": "https://www.example.com" }, "replyUrls": { "type": "array", "description": "URLs to which user tokens are sent for sign-in, or redirect URIs to which authorization codes and access tokens are sent", "items": { "type": "string" }, "example": "https://www.example.com" }, "servicePrincipalNames": { "type": "array", "description": "Contains the list of identifierUris copied from the associated application plus the appId", "items": { "type": "string" }, "example": [] }, "tags": { "type": "array", "description": "Custom strings used to categorize and identify the service principal. Values include WindowsAzureActiveDirectoryIntegratedApp.", "items": { "type": "string" }, "example": [] }, "appRoles": { "type": "array", "readOnly": true, "description": "The roles exposed by the application that this service principal represents", "items": { "$ref": "#/components/schemas/AppRole" }, "example": [] }, "oauth2PermissionScopes": { "type": "array", "readOnly": true, "description": "The delegated permission scopes exposed by the application", "items": { "$ref": "#/components/schemas/PermissionScope" }, "example": [] }, "appRoleAssignmentRequired": { "type": "boolean", "description": "If true, users and other service principals must first be granted an app role assignment before they can sign in or obtain tokens", "default": false, "example": true }, "keyCredentials": { "type": "array", "description": "Collection of certificate credentials", "items": { "$ref": "#/components/schemas/KeyCredential" }, "example": [] }, "passwordCredentials": { "type": "array", "description": "Collection of password credentials", "items": { "$ref": "#/components/schemas/PasswordCredential" }, "example": [] }, "createdDateTime":
{ "type": [ "string", "null" ], "format": "date-time", "readOnly": true, "description": "Date and time the service principal was created", "example": "2026-01-15T10:30:00Z" } } }