Difference between "enterprise application" and "app registration" in Azure

Could someone please tell me what the difference is between "enterprise application" and "app registration" in Azure?

I'd appreciate it if you could give me an example and say why some applications cannot be registered under the "Enterprise applications" blade and vice versa.

POSH Guy asked Jan 07 '19 09:01



2 Answers

An App Registration is a way of reserving your app and URL with Azure AD, allowing it to communicate with Azure AD, hooking up your reply URLs, and enabling AAD services on it. When you have an application that you are developing and want to integrate with Azure, you need to register your application in App Registrations, where you will configure your reply URL, logout URL, and API access if needed. When you register your application, Azure AD assigns a unique Application ID to it and allows you to add certain capabilities such as credentials, permissions, and sign-ons. The default settings allow only users from the tenant under which your app is registered to sign into your application.

The Enterprise Applications blade might be confused with App Registrations because the Enterprise Application blade contains the list of your service principals. However, the term Enterprise App generally refers to applications published by other companies in the AAD gallery that can be used within your organization. For example, if you want to integrate Facebook and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. Your own applications will also be represented in the Enterprise Applications blade as Service Principals, which are instantiations of your applications in the tenant.

App Registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app

Integrating an Enterprise application (G-Suite): https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

Marilee Turscak - MSFT answered Oct 22 '22 21:10


This is, I agree, potentially confusing to a new-to-AAD developer or administrator. Nitin's answer does a good job of summarizing this but I wanted to add an answer with documentation references.

At https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals it says:

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.

Then, at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added, it says:

You can manage application objects in the Azure portal through the App Registrations experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings.

and

You can manage service principals in the Azure portal through the Enterprise Applications experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory) and one or more service principal objects representing instances of the application in every directory in which it acts.

So, for third-party apps, you'll only have a service principal in Enterprise applications. For first-party apps that are internal, you'll have something in both places - one to define the app (App registrations) and one to allow the app to actually sign in to Azure AD (Enterprise applications). When you define the first-party app in the App registrations, you'll also automatically create an entry in Enterprise apps. If you look at the two entries, you'll see that the Application ID links the two together.

MikeBaz - MSFT answered Oct 22 '22 20:10
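Both answers come down to one relationship: the application object (App registrations) and the service principal (Enterprise applications) share an Application ID, and a tenant can hold one without the other. The script below is an added example, not code from the question or either answer. It takes the two object lists an administrator would export from a tenant and sorts every appId into the states the answers describe: registration plus service principal (first-party app in its home tenant), registration with no service principal, service principal only for an app defined in another tenant (gallery or third-party), and a service principal that names this tenant as owner but has no matching registration, which is worth a look. The records are constructed samples shaped like Microsoft Graph `application` and `servicePrincipal` objects; the property names (`appId`, `signInAudience`, `appOwnerOrganizationId`) are real Graph properties, and every GUID and display name is made up.

```python
"""Inventory of app registrations versus enterprise applications (service
principals) in one Azure AD tenant, keyed by appId.

Added example, not code from the question or either answer. The records
below are constructed samples; the field names follow Microsoft Graph,
the GUIDs and display names are invented.
"""

HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"       # constructed
PUBLISHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # constructed

# What the "App registrations" blade lists: application objects.
APPLICATIONS = [
    {"id": "a0000000-0000-0000-0000-000000000001",
     "appId": "c1000000-0000-0000-0000-000000000001",
     "displayName": "payroll-api",
     "signInAudience": "AzureADMyOrg"},
    {"id": "a0000000-0000-0000-0000-000000000002",
     "appId": "c1000000-0000-0000-0000-000000000002",
     "displayName": "partner-portal",
     "signInAudience": "AzureADMultipleOrgs"},
]

# What the "Enterprise applications" blade lists: service principals.
SERVICE_PRINCIPALS = [
    {"id": "b0000000-0000-0000-0000-000000000001",
     "appId": "c1000000-0000-0000-0000-000000000001",   # same appId as payroll-api
     "displayName": "payroll-api",
     "appOwnerOrganizationId": HOME_TENANT_ID},
    {"id": "b0000000-0000-0000-0000-000000000003",
     "appId": "d2000000-0000-0000-0000-000000000003",   # no registration here
     "displayName": "Gallery SaaS App",
     "appOwnerOrganizationId": PUBLISHER_TENANT_ID},
    {"id": "b0000000-0000-0000-0000-000000000004",
     "appId": "e3000000-0000-0000-0000-000000000004",   # owner says "us", no registration
     "displayName": "stale-automation",
     "appOwnerOrganizationId": HOME_TENANT_ID},
]

FIRST_PARTY = "first-party"              # registration and service principal both here
REGISTRATION_ONLY = "registration-only"  # defined here, but nothing to sign in or assign
THIRD_PARTY = "third-party"              # instance of an app defined in another tenant
ORPHANED_SP = "orphaned-sp"              # claims this tenant as owner, no registration found


def classify_tenant(applications, service_principals, home_tenant_id):
    """Map each appId seen in either blade to one of the four states above.

    appId is the link between the blades: the application object carries it
    as the client ID, and every service principal instantiated from that
    application carries the same value.
    """
    apps_by_app_id = {app["appId"]: app for app in applications}
    sps_by_app_id = {}
    for sp in service_principals:
        sps_by_app_id.setdefault(sp["appId"], []).append(sp)

    verdicts = {}
    for app_id in sorted(set(apps_by_app_id) | set(sps_by_app_id)):
        has_app = app_id in apps_by_app_id
        sps = sps_by_app_id.get(app_id, [])
        if has_app and sps:
            verdicts[app_id] = FIRST_PARTY
        elif has_app:
            verdicts[app_id] = REGISTRATION_ONLY
        elif sps[0].get("appOwnerOrganizationId") == home_tenant_id:
            verdicts[app_id] = ORPHANED_SP
        else:
            verdicts[app_id] = THIRD_PARTY
    return verdicts


def review_report(applications, service_principals, home_tenant_id):
    """One line per appId: state, appId, display name (for a periodic review)."""
    names = {app["appId"]: app["displayName"] for app in applications}
    names.update({sp["appId"]: sp["displayName"] for sp in service_principals})
    verdicts = classify_tenant(applications, service_principals, home_tenant_id)
    return [f"{verdict:18} {app_id}  {names[app_id]}"
            for app_id, verdict in verdicts.items()]


if __name__ == "__main__":
    print("\n".join(review_report(APPLICATIONS, SERVICE_PRINCIPALS, HOME_TENANT_ID)))
```

To run this against a real tenant, replace the two constructed lists with the JSON from `az ad app list --all` and `az ad sp list --all` (both return Graph-shaped objects with the same property names; that the shapes line up exactly is an assumption to check against your CLI version). The `third-party` rows are the gallery and partner apps the first answer describes, which exist only as service principals here; the `orphaned-sp` rows are the ones to reconcile, since a service principal that names your tenant as publisher should normally have a registration beside it.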