azure - AAD Privilege Escalation

Question

i was reading about AAD privilege escalation in one of the article where the author states that "if you compromise an Application Administrator account or the on-premise Sync Account you can read and modify directory settings, group memberships, user accounts, SharePoint sites and OneDrive files. This is done by assigning credentials to an existing service principal with these permissions and then impersonating these applications" my questions are?

1.how can i find what privilege my app admin account has and how it is different from the permissions 
 that "application " has.
2. what does assigning credentials to a service principal means? 

Answer 1

As mentioned in Carl's link,

1. The Application Administrator role allows users to create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph API. Applications can have different privileges added to them, and a user in the Application Administrator role can add extra permissions to an application and theoretically use those credentials to impersonate the app's identity and have more privileges than originally intended.

2. An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Just as a user is represented by a security principal called a user principal, an app is represented by a service principal. The service principal provides an identity for your app, allowing you to delegate only the necessary permissions to the app. It improves security if you only grant it the minimum permissions level needed to perform its management tasks. So if you assign credentials to a service principal you can grant or restrict the app's access to certain resources.