If you are familiar with service accounts in Active Directory, maybe it can help to better understand. A service principal, like a service account, is used to avoid putting user credentials in a deployment or an install. If you want to deploy a service that needs domain admin or whatever role in AD, you will use a service account instead of a user one. The same applies in Azure: if you want to deploy something in an automated fashion, you should not pick a user identity. You should create a service principal or use an existing one that will facilitate authentication to other services. Then you can apply a least privilege strategy. Also, service principals are a common way to authenticate for automation tools like Terraform or Azure DevOps or some other services like Azure Kubernetes Service. You can authenticate as an SP with a password or a certificate.
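As an added example (not part of the original post), here is a Terraform configuration that authenticates as a service principal with a certificate rather than a user login, and then applies the least privilege idea by granting a second, day-to-day pipeline SP Contributor on a single resource group instead of a subscription-wide role. The SP display name, resource group name, variable names and certificate path are all assumptions for illustration.

```hcl
# Added example, not from the original post. Runs as a bootstrap service
# principal (certificate auth) and grants a second, day-to-day pipeline SP the
# narrowest role it needs. Every ID, name and path below is a placeholder.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

# Supplied by the CI system (the providers also read ARM_CLIENT_ID,
# ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, ARM_CLIENT_CERTIFICATE_PATH), never by
# a user signing in interactively.
variable "tenant_id"           { type = string }
variable "subscription_id"     { type = string }
variable "bootstrap_client_id" { type = string }
variable "bootstrap_cert_path" { type = string } # PKCS#12 (.pfx) file on the runner

provider "azurerm" {
  features {}
  tenant_id               = var.tenant_id
  subscription_id         = var.subscription_id
  client_id               = var.bootstrap_client_id
  client_certificate_path = var.bootstrap_cert_path # certificate, not a password
}

provider "azuread" {
  tenant_id               = var.tenant_id
  client_id               = var.bootstrap_client_id
  client_certificate_path = var.bootstrap_cert_path
}

# The pipeline SP already exists; look it up instead of hard-coding its IDs.
data "azuread_service_principal" "pipeline" {
  display_name = "sp-terraform-pipeline" # assumed display name
}

resource "azurerm_resource_group" "app" {
  name     = "rg-app-prod"
  location = "westeurope"
}

# Least privilege: Contributor on this one resource group only, not Owner or
# Contributor at subscription scope.
resource "azurerm_role_assignment" "pipeline_rg" {
  scope                = azurerm_resource_group.app.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_service_principal.pipeline.object_id
}
```

The same variables can be dropped entirely if the runner exports the ARM_* environment variables, which keeps the secret material out of the repository and out of the state file.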