151

Could someone please tell me what the difference is between "enterprise application" and "app registration" in Azure?

I'd appreciate it if you could give me an example, and explain why some applications cannot be registered under the "Enterprise application" blade and vice versa.

David Klempfner
POSH Guy
  • https://social.msdn.microsoft.com/Forums/en-US/cde6dfc0-ba30-4cd7-8b0a-7420afb3bcff/difference-between-azure-ad-app-registration-and-enterprise-application – Joy Wang Jan 07 '19 at 09:14

6 Answers

138

An App Registration is a way of reserving your app and URL with Azure AD, allowing it to communicate with Azure AD, hooking up your reply URLs, and enabling AAD services on it. When you have an application that you are developing and want to integrate with Azure, you need to register your application in App Registrations, where you will configure your reply URL, logout URL, and API access if needed. When you register your application, Azure AD assigns a unique Application ID to it and allows you to add certain capabilities such as credentials, permissions, and sign-ons. The default settings allow only users from the tenant under which your app is registered to sign into your application.

The Enterprise Applications blade might be confused with App Registrations because the Enterprise Application blade contains the list of your service principals. However, the term Enterprise App generally refers to applications published by other companies in the AAD gallery that can be used within your organization. For example, if you want to integrate Facebook and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. Your own applications will also be represented in the Enterprise Applications blade as Service Principals, which are instantiations of your applications in the tenant.

App Registration: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app

Integrating an Enterprise application (G-Suite): https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

Marilee Turscak - MSFT
  • Could I have 2 enterprise apps (instances) of a single registration? – Chris DaMour Dec 18 '19 at 03:22
  • @ChrisDaMour: Yes, you can have multiple instances of the same enterprise app. For example, ServiceNow Dev and ServiceNow Prod, both pointing to different ServiceNow instances. – Solaflex Feb 11 '20 at 21:02
  • So... if I'm setting up inter-app authorisation between two services, using a service principal within the same _subscription_, is an Enterprise App necessary in this scenario? Will it be created regardless? I'm specifically talking about granting DataBricks access to ADLS Gen2. – Nick.Mc Jul 08 '20 at 06:45
  • @Marilee - There is also an option to do a registration under 'Enterprise applications' by clicking "New application". This will also create an entry under 'App registrations'. Could you please help me understand when I should create a new application by clicking "New application" under Enterprise applications? – Mihir Apr 13 '21 at 09:30
  • Looks like @Marilee expanded this answer into a [blog post](https://marileeturscak.com/posts/app-registrations-enterprise-applications-service-principals/) – Ben Jan 11 '22 at 18:19
  • This is one of many things in Azure that make it seem more like a misguided final project for someone's undergrad CS degree than a complete and well-designed product produced by one of the wealthiest and most powerful talent companies in the world – Jonathon Anderson Jul 28 '22 at 20:50
67

This is, I agree, potentially confusing to a new-to-AAD developer or administrator. Nitin's answer does a good job of summarizing this but I wanted to add an answer with documentation references.

At https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals it says:

The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.

Then, at https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added, it says:

You can manage application objects in the Azure portal through the App Registrations experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings.

and

You can manage service principals in the Azure portal through the Enterprise Applications experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory) and one or more service principal objects representing instances of the application in every directory in which it acts.

So, for third-party apps, you'll only have a service principal in Enterprise applications. For first-party apps that are internal, you'll have something in both places - one to define the app (App registrations) and one to allow the app to actually sign in to Azure AD (Enterprise applications). When you define the first-party app in the App registrations, you'll also automatically create an entry in Enterprise apps. If you look at the two entries, you'll see that the Application ID links the two together.

MikeBaz - MSFT
41

A shorter way to understand it is... App Registrations are basically the apps local to the tenant/organization in which they have been registered, to generate a unique application ID. The Enterprise apps blade shows global apps (belonging to other tenants) which can be configured and used within your tenant/organization.

The workflow is you create the App Registration (Application) in your tenant, which also creates the Enterprise Application (Service principal) in your tenant. Then when another tenant user wants to login to your app, they grant your app the permissions it requires and the Enterprise Application (Service Principal) is created in their tenant. This effectively mirrors your application in their tenant.

Nitin Gaur
11

Additionally, within Application registration you can configure OpenID Connect (OpenID/OAuth) based authentication. Within Enterprise Apps you can configure SAML based auth.

Bramah
  • Technically correct, but off-topic and not answering the question. – Orangutech Jun 15 '21 at 20:53
  • This is actually kind of an important aspect to understanding the difference between application registration and enterprise app. Application Registration/OAuth2 allows the app to delegate to user identity for resource access, whereas the Enterprise application is an application identity (a service principal). – LarryX Jul 16 '21 at 16:23
  • Let's not be pedantic... by starting their answer with 'Additionally' it shows that they are adding additional, related information; off topic or not isn't relevant. – Mike Devenney Aug 10 '21 at 13:21
10

Well, there are some good answers here, but they are too verbose, so I feel the simplest thing is to show three pictures and one statement:

  1. In the App Registration blade, we have "Application Objects": [image: App registrations blade listing application objects]

  2. What you're seeing in the Enterprise Applications blade are "Service Principals": [image: Enterprise applications blade listing service principals]

  3. And this is the relationship between the two in a multi-tenant example:

Adatum - The tenant used by the company that developed the HR app

Contoso - The tenant used by the Contoso organization, which is a consumer of the HR app

Fabrikam - The tenant used by the Fabrikam organization, which also consumes the HR app

[image: diagram of the HR app's application object in Adatum and its service principals in Adatum, Contoso and Fabrikam]

And with that out of the way, we can understand this statement:

Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances). The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. The application object serves as the template from which common and default properties are derived for use in creating corresponding service principal objects.

Also said in a different way:

Application objects - Although there are exceptions, application objects can be considered the definition of an application.

Service principals - Can be considered an instance of an application. Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

DReact
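MikeBaz's point that the Application ID is what links an App registration to its Enterprise application, and DReact's Adatum/Contoso/Fabrikam example, can be checked mechanically on a Graph export. The following is an added example, not code from the question or any answer: the records are constructed to mimic the field names Microsoft Graph uses for /applications and /servicePrincipals, and every tenant ID and appId is a made-up placeholder.

```python
"""Join application objects (App registrations) to service principals
(Enterprise applications) on appId across tenants. Added example; records
mimic Graph field names and every ID is a constructed placeholder."""

# Constructed tenants from the multi-tenant example: Adatum develops the HR app,
# Contoso and Fabrikam consume it; GALLERY_VENDOR owns some SaaS gallery app.
ADATUM, CONTOSO, FABRIKAM, GALLERY_VENDOR = "tid-adatum", "tid-contoso", "tid-fabrikam", "tid-vendor"

# App registrations blade: one application object per app, only in its home tenant.
APPLICATIONS = {
    ADATUM: [{"appId": "app-hr", "displayName": "HR App", "signInAudience": "AzureADMultipleOrgs"}],
    CONTOSO: [{"appId": "app-intranet", "displayName": "Intranet", "signInAudience": "AzureADMyOrg"},
              {"appId": "app-stale", "displayName": "Old tool", "signInAudience": "AzureADMyOrg"}],
}

# Enterprise applications blade: one service principal per tenant that uses an app.
SERVICE_PRINCIPALS = {
    ADATUM: [{"appId": "app-hr", "appOwnerOrganizationId": ADATUM}],
    CONTOSO: [{"appId": "app-hr", "appOwnerOrganizationId": ADATUM},
              {"appId": "app-intranet", "appOwnerOrganizationId": CONTOSO},
              {"appId": "app-saas", "appOwnerOrganizationId": GALLERY_VENDOR}],
    FABRIKAM: [{"appId": "app-hr", "appOwnerOrganizationId": ADATUM}],
}


def classify(tenant_id, sp, applications=APPLICATIONS):
    """'first-party' when this tenant holds the app registration behind the SP
    (same appId and the owner org is this tenant); otherwise 'third-party':
    the application object lives elsewhere and only the SP exists here."""
    own = {a["appId"] for a in applications.get(tenant_id, [])}
    if sp["appId"] in own and sp["appOwnerOrganizationId"] == tenant_id:
        return "first-party"
    return "third-party"


def enterprise_app_report(tenant_id, sps=SERVICE_PRINCIPALS):
    """A tenant's Enterprise applications blade, each SP classified."""
    return {sp["appId"]: classify(tenant_id, sp) for sp in sps.get(tenant_id, [])}


def instances_of(app_id, sps=SERVICE_PRINCIPALS):
    """Every tenant holding an instance (SP) of one application object."""
    return sorted(t for t, lst in sps.items() if any(s["appId"] == app_id for s in lst))


def registrations_without_instance(tenant_id, applications=APPLICATIONS, sps=SERVICE_PRINCIPALS):
    """Registrations with no SP in their home tenant: defined, but unable to sign in there."""
    present = {s["appId"] for s in sps.get(tenant_id, [])}
    return [a["appId"] for a in applications.get(tenant_id, []) if a["appId"] not in present]
```

In Contoso's blade the HR app and the gallery app show up as third-party (only a service principal exists there), while the intranet app is first-party because its application object is in the same tenant; `registrations_without_instance` flags a registration whose auto-created service principal is missing.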
3

Simply put: Application Registration creates a global application object which will allow the app to delegate to user identity for resource access, whereas the Enterprise application is the application identity (a service principal) in each AD tenant.

LarryX