If you are new to Azure AD (now called Microsoft Entra ID), one of the most confusing topics is the difference between App registrations and Enterprise applications. Many developers assume they are the same thing because they often see the same app name in both places.
They are closely related, but they serve different purposes. This article breaks it down in a simple, developer-friendly way.
The Root of the Confusion
When you register an application in Azure AD:
- You see it under App registrations
- You also see the same app under Enterprise applications
This naturally raises questions like:
- Why does the same app exist in two places?
- Do I need both?
- Which one should I configure?
The short answer is:
App registrations define the application. Enterprise applications control how that application behaves in a tenant.
Let’s unpack this step by step.
App Registrations: The Application Blueprint
Think of App registrations as the place where you define your application.
When you create an app registration, Azure AD creates an Application Object. This object is global to the tenant where it was created and acts as a blueprint.
What lives here?
- Application (Client) ID
- Redirect URIs
- Supported account types
- API permissions your app requests
- Certificates and client secrets
- Exposed APIs (if your app is an API)
In simple terms:
App registrations describe what the app is and what it wants to do.
You usually work here when:
- Creating a new app
- Adding a client secret or certificate
- Defining API scopes
- Configuring authentication flows
Enterprise Applications: The App Inside a Tenant
Enterprise applications represent the Service Principal. A service principal is the actual instance of an application inside a tenant.
Every time an application is used in a tenant:
- Azure AD creates a service principal
- That service principal appears under Enterprise applications
This applies to:
- Apps you registered yourself
- Microsoft apps (e.g., Microsoft Graph)
- Third-party SaaS apps (e.g., GitHub, Jira, Salesforce)
What lives here?
- Service Principal Object ID
- User and group assignments
- Admin consent and permissions granted
- Single Sign-On configuration (SAML, OIDC, etc.)
- Sign-in logs and audit logs
In simple terms:
Enterprise applications control who can use the app and what access it has in your tenant.
A Simple Developer Analogy
If you come from a programming background, this analogy helps:
- Application Object (App registrations) → Class
- Service Principal (Enterprise applications) → Object (instance of the class)
The class defines the structure. The object is what actually runs and interacts with the system.
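To see the class/instance split in actual directory data, here is an added example (not part of the original article) that joins the two object types on appId, the one identifier they share. It assumes you have exported the results of Microsoft Graph GET /applications and GET /servicePrincipals; the sample records, every ID, and the correlate and needs_review helpers are constructed for illustration.

```python
# Constructed sample data shaped like Microsoft Graph v1.0 responses from
# GET /applications and GET /servicePrincipals. Every ID below is made up.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
APPLICATIONS = [  # application objects (App registrations)
    {"id": "a0000000-0000-0000-0000-000000000001",
     "appId": "c0000000-0000-0000-0000-000000000001", "displayName": "payroll-api"},
    {"id": "a0000000-0000-0000-0000-000000000002",
     "appId": "c0000000-0000-0000-0000-000000000002", "displayName": "draft-app"},
]
SERVICE_PRINCIPALS = [  # service principals (Enterprise applications)
    {"id": "b0000000-0000-0000-0000-000000000001",
     "appId": "c0000000-0000-0000-0000-000000000001", "displayName": "payroll-api",
     "appOwnerOrganizationId": HOME_TENANT, "appRoleAssignmentRequired": False},
    {"id": "b0000000-0000-0000-0000-000000000009",
     "appId": "c0000000-0000-0000-0000-000000000009", "displayName": "Example SaaS",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "appRoleAssignmentRequired": True},
]

def correlate(applications, service_principals, home_tenant):
    """Join the two object types on appId, the one identifier they share."""
    apps = {a["appId"]: a for a in applications}
    rows = []
    for sp in service_principals:
        app = apps.pop(sp["appId"], None)  # None: blueprint lives in another tenant
        rows.append({
            "name": sp["displayName"],
            "app_object_id": app["id"] if app else None,
            "sp_object_id": sp["id"],
            "registered_here": sp.get("appOwnerOrganizationId") == home_tenant,
            # False means users can sign in without being assigned to the app
            "assignment_required": sp.get("appRoleAssignmentRequired", False),
        })
    for app in apps.values():  # registered here, but no instance in this tenant
        rows.append({"name": app["displayName"], "app_object_id": app["id"],
                     "sp_object_id": None, "registered_here": True,
                     "assignment_required": None})
    return rows

def needs_review(rows):
    """Assumed audit rule: instances owned elsewhere or open to all users."""
    return [r["name"] for r in rows if r["sp_object_id"]
            and (not r["registered_here"] or not r["assignment_required"])]

if __name__ == "__main__":
    for row in correlate(APPLICATIONS, SERVICE_PRINCIPALS, HOME_TENANT):
        print(row)
```

Note that the same app carries two different object IDs, one per object type, and that a third-party app has a service principal in your tenant but no application object there.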
Final Takeaway
If you remember just one thing, remember this:
App registrations define the application. Enterprise applications govern its presence and behavior in a tenant.
Once you see App registrations as the *blueprint* and Enterprise applications as the running instance, the confusion disappears.