Menu
Could someone please tell me what the difference is between "enterprise application" and "app registration" in Azure.
Appreciate if you could give me an example & why some application cannot be registered under blade "Enterprise application" and vise versa.
204
Enterprise application is the application identity within your directory (Azure AD). The service principal (enterprise app) can only be assigned access to the directory it exists, and act as an instance of the application.
App registration in Azure Active Directory is typically done by ISVs who want to develop external client applications to read and write data in Dataverse.
Search for and select Azure Active Directory. Under Manage, select App registrations > New registration. Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in.
Relationship between application objects and service principals. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
Applications that are registered through Azure Portal (or programmatically) in your Azure Tenant is App Registration apps or Home Tenant Apps. Enterprise Applications are generally registered at another tenant (the one their publisher uses), when you consume the other tenant apps your Azure AD instance just provides service principal object ...
App Registrations An App Registration is a way of reserving an application in Azure AD. The registration enables Azure to communicate with the application and pass tokens to it. When you have an application that you are developing and want to integrate it with Azure, you must register your application in the App Registrations experience.
One notable difference is that an App Registration can reside in any directory, but an Enterprise application (Service Principal) must be present in the same directory for every tenant where the application is running. (See Configure an OpenID/OAuth application from the Azure AD app gallery .)
The App Registration itself (or application object) — This is the actual application object where you configure application settings. The Enterprise Application (or Service Principal object) — This is a representation (or instantiation) of the application within a directory.
An App Registration is a way of reserving your app and URL with Azure AD, allowing it to communicate with Azure AD, hooking up your reply urls, and enabling AAD services on it. When you have an application that you are developing and want to integrate with Azure, you need to register your application in App Registrations, where you will configure your reply URL, logout URL, and API access if needed. When you register your application, Azure AD assigns a unique Application ID to it and allows you to add certain capabilities such as credentials, permissions, and sign-ons. The default settings allow only users from the tenant under which your app is registered to sign into your application.
The Enterprise Applications blade might be confused with App Registrations because the Enterprise Application blade contains the list of your service principals. However, the term Enterprise App generally refers to applications published by other companies in the AAD gallery that can be used within your organization. For example, if you want to integrate Facebook and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. Your own applications will also be represented in the Enterprise Applications blade as Service Principals, which are instantiations of your applications in the tenant.
App Registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app
Integrating an Enterprise application (G-Suite): https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial
135
This is, I agree, potentially confusing to a new-to-AAD developer or administrator. Nitin's answer does a good job of summarizing this but I wanted to add an answer with documentation references.
At https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals it says:
The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.
Then, at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added, it says:
You can manage application objects in the Azure portal through the App Registrations experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings.
and
You can manage service principals in the Azure portal through the Enterprise Applications experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory) and one or more service principal objects representing instances of the application in every directory in which it acts.
So, for third-party apps, you'll only have a service principal in Enterprise applications. For first-party apps that are internal, you'll have something in both places - one to define the app (App registrations) and one to allow the app to actually sign in to Azure AD (Enterprise applications). When you define the first-party app in the App registrations, you'll also automatically create an entry in Enterprise apps. If you look at the two entries, you'll see that the Application ID links the two together.
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
