The Application Service Principal is a Service Principal configuration stored at the WOODY.IO Application level. Connections within the same Application can reference it by selecting the authentication type “Application Service Principal”, so they do not need to store their own Service Principal credentials per connection.
This enables an Application Owner (or other authorized role) to centrally manage Azure permissions for all Connections in a WOODY.IO Application, while keeping the credentials and permission design consistent across that Application.
When to use it
Use the Application Service Principal when you want:
- Central governance for credentials: manage one Service Principal for the Application instead of distributing credentials across many Connections.
- Consistent permissions (“least privilege”): grant exactly the permissions that the Application’s Connections need (e.g., specific Storage Accounts, SQL Servers, Databricks workspaces), then reuse them.
- Separation of duties: Application Owners configure the credential and Azure access; Connection creators select the auth method without needing the secret.
Scope and Behavior
- Scope: The Application Service Principal can be used by Connections within the same WOODY.IO Application (not across Applications).
- Dependency: Any Connection using “Application Service Principal” depends on that Application-level configuration; changes to the Application Service Principal can affect those Connections.
Security and operations
- Access control: Document which WOODY.IO roles/permissions are allowed to add/edit the Application Service Principal (if it’s “Owner only”, “Data Steward”, etc.).
- Secret rotation: Call out that rotating the Client Secret should be done by updating the Application Service Principal, and then re-validating affected Connections (or whatever the actual workflow is in WOODY.IO).
- Recommended Azure permissions: Encourage least-privilege assignments and scoping to only the required resources (high-level guidance is enough; no need to enumerate every Azure role).
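One way to check the least-privilege guidance above, as an added example that is not WOODY.IO code: it audits the Service Principal's role assignments, given as records with the `principalId`, `roleDefinitionName` and `scope` fields that `az role assignment list` returns. The sample records, the placeholder IDs and the choice of which roles and scope levels count as too broad are assumptions.

```python
# Roles that grant broad control; which roles count as too broad is an assumption.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels wider than the specific resources the guidance asks for (assumption).
WIDE_LEVELS = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an Azure scope string by how much it covers."""
    if scope.strip() == "/":
        return "root"
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "unknown"
    if "managementgroups" in parts:
        return "management-group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if "providers" in parts:
        return "resource"
    if "resourcegroups" in parts:
        return "resource-group"
    return "unknown"

def audit(assignments, principal_id):
    """Return (role, scope, reasons) for each assignment that looks too broad."""
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue  # assignment belongs to a different identity
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        reasons = []
        if role in BROAD_ROLES:
            reasons.append("broad role")
        if scope_level(scope) in WIDE_LEVELS:
            reasons.append(scope_level(scope) + " scope")
        if reasons:
            findings.append((role, scope, reasons))
    return findings

# Constructed sample data; all IDs and resource names are placeholders.
SP = "11111111-1111-1111-1111-111111111111"  # object ID of the Service Principal
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalId": SP, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample"},
    {"principalId": SP, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": SP, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": "/"},
]
```

Because every Connection in the Application shares this identity, each flagged assignment widens access for all of them at once.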
Troubleshooting
If a Connection fails when using Application Service Principal, likely causes are:
- missing Azure permissions for the Service Principal
- wrong Tenant/Client/Secret values
- secret expired/rotated without updating WOODY.IO
Configure the Application Service Principal
- Open the Application and navigate to the Management screen.
- In the Details pane (right side), find Service Principal.
- Click Add (or Edit if one already exists).
- Fill in the form:
  - Name
  - Tenant ID
  - Client ID
  - Client Secret
- Click Save.
The Client Secret field supports Key Vault references. Instead of storing the secret value directly in WOODY.IO, you can reference a secret stored in Azure Key Vault using the Key Vault reference syntax. For more information, see this article.
After saving, the Application Service Principal is available for Connections in this WOODY.IO Application.
Use it in a Connection
- Create or edit a Connection in the same Application.
- In the Connection’s Authentication Type, select Application Service Principal.
- Save the Connection.
The Connection will authenticate using the Service Principal configured at the Application level.
If you have any further questions, please feel free to Contact Us.