top of page
Search
  • Shannon

App Registration vs. Enterprise Applications

I had a colleague at Microsoft (who's not in identity) mention that it's confusing when someone looks in the Entra portal or Azure Active Directory in the Azure Portal and sees a place for Application Registrations AND a separate place for Enterprise Applications. I took a step back, put on my "I don't work in identity hat" and realized he's not necessarily wrong. For folks that may be newer to the identity space of Microsoft, I thought I'd take some time and demystify things a bit by explaining the difference between an application registration and an enterprise application.


Developers develop apps all day long. Many of these apps need some way to authenticate or authorize a user (maybe even delegate a user) and a lot of developers wind up using Azure Active Directory (AAD) as a result. AAD supports modern protocols like SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. AAD also supports password vaulting and automated sign-in capabilities for apps that support forms-based authentication.


When it comes to apps specifically, there are two representations of applications in AAD: application objects and service principals. By definition, "an AAD application is defined by its one and only application object, which resides in the AAD tenant where the application was registered (the "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances)."


Ok so an application object in simplified terms is a logical representation of an app inside 1 tenant. You can create a number of service principals based upon the application object, but there is only 1 application object per app. That app needs to be registered with AAD and these App Registrations are what winds up shown when you browse there on the portal. A developer has flexibility to configure the reply URL, a logout URL, and API access (if required) with an app registration. When the app is registered with AAD, the app is assigned a unique App ID (which is a GUID).


"Next we have Enterprise Applications. What are those? And why are they right by App Registrations?" you may find yourself asking.


Think of an Enterprise Application as something another vendor maintains. Something like Salesforce, G-Suite, ServiceNow, etc. The crazy part is the Enterprise Application section will ALSO show the App Registrations you've configured within your tenant. What you should do is browse out to the App Registrations blade and then the Enterprise Applications blade so you can cross reference the differences. I don't have the answers behind why the terminology is so similar or why there's slight overlap between the two.


I thought I'd leave you with a few links to learn how this is set up:

App Registration

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app


Integrating an Enterprise application

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal


And with that, I hope this post has helped you make sense of certain terminology within the land of Azure Active Directory!

3,170 views2 comments

Recent Posts

See All
bottom of page