Often when a third party app offers single sign-on or other interactions with your Entra ID they offer a solution to create a service principal. To get the integration running you will provide the system or vendor with your tenant id, application id and a corresponding secret. The application then need access to Entra ID for the integration to work as expected and the application is given permissions in your environment.

Sign-in from this application is not governed by identity protection, such as conditional access policies, meaning that the application id + secret would work from everywhere at any time.

The Service Principal report show the different service principals in your environment, permissions given and where they sign in from. Often third party vendors ask for too much permissions and you should review the report to make sure that permissions and sign-ins are as expected.

We've classified permissions in critical, high, medium and low but a read role that is classified as low could be potentially business critical if exposed. Eg. if a service principal has been given mail.read permissions and the secret is compromised someone out there could read all your company e-mails.