Entra ID app registrations and enterprise apps
Two sides of the same coin — app registrations define an app, enterprise apps grant it to your tenant. Here's how they relate.
In Entra ID, every app that uses your tenant for sign-in or APIs has two related objects: an app registration and a service principal (also called an enterprise app). They confuse a lot of admins because both appear in the Entra admin center, but they describe different sides of the same trust relationship.
App registration
An app registration defines an application:
- Its name, logo, and homepage URL.
- The redirect URIs that sign-in responses and tokens may be returned to.
- The API permissions it needs (Microsoft Graph, other resources).
- Its client secrets and certificates.
- Its branding for the consent screen.
An app registration lives in the tenant where it was created, the home tenant of the app's developer. For a multi-tenant app from a vendor, that's the vendor's own tenant. For a single-tenant app you built yourself, it's your own tenant.
Service principal / enterprise app
When that app is used in a specific tenant, that tenant gets a service principal — an instance of the application inside that tenant, with its own object ID, permission grants, role assignments, and Conditional Access scope. In the admin center this surfaces as an Enterprise application.
Two ways a service principal is created in your tenant:
- A user consents to the app on first sign-in.
- An admin adds it from the gallery or via the API.
Once created, the service principal holds:
- Which permissions you've consented to (delegated or app-only).
- Which users or groups are assigned to it (for app role assignment).
- Conditional Access policies that target it.
- Sign-in logs scoped to it.
Why this matters
- For your own internal apps, you create the app registration in your tenant. Your enterprise app is the same tenant's service principal.
- For third-party multi-tenant apps (Salesforce, GitHub, ServiceNow, every SaaS), the app registration lives at the vendor. Your tenant has the service principal.
- API permissions are requested by the app registration but granted to the service principal — that's why you see permission grants on enterprise apps in your tenant.
Common admin tasks
- Reviewing consented permissions on enterprise apps — particularly OAuth-consented apps that users approved.
- Restricting user consent so users can only consent to low-risk permissions (the rest need admin consent).
- Disabling enterprise apps for unused vendors.
- Assigning users and groups to specific apps for SSO.
- Setting up SAML SSO through an enterprise app configuration.
Audit considerations
OAuth consent attacks are a real risk: a malicious app convinces a user to grant broad Graph permissions. Defender for Cloud Apps surfaces newly granted permissions; Entra ID's App consent policies restrict what users can consent to in the first place.
Treat the enterprise apps list as a critical inventory — it's effectively your SaaS register.
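The review task above (permissions are requested by the app registration but granted to the service principal, and user-consented grants deserve the closest look) can be scripted against the objects Entra ID exposes. The following is an added example, not code from the page; it runs offline over constructed JSON shaped like the Microsoft Graph `servicePrincipals` and `oauth2PermissionGrants` responses, joins each delegated grant back to the enterprise app that holds it, notes whether the app registration is home-grown or a vendor's, and flags broad scopes. The object IDs, app names, the `user-42` principal and the `BROAD_SCOPES` list are assumptions for illustration; only the Microsoft Graph resource appId is a real well-known value.

```python
import json

# Constructed sample shaped like Microsoft Graph responses for one tenant (not real data).
# Object IDs and names are made up; the resource appId is the well-known Microsoft Graph one.
SERVICE_PRINCIPALS_JSON = """[
 {"id": "sp-111", "appId": "app-aaa", "displayName": "Contoso Expense Bot",
  "appOwnerOrganizationId": "tenant-contoso"},
 {"id": "sp-222", "appId": "app-bbb", "displayName": "Mail Sync Helper",
  "appOwnerOrganizationId": "tenant-vendor"},
 {"id": "sp-graph", "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph", "appOwnerOrganizationId": "tenant-microsoft"}
]"""
OAUTH2_GRANTS_JSON = """[
 {"clientId": "sp-111", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "sp-graph", "scope": "User.Read offline_access"},
 {"clientId": "sp-222", "consentType": "Principal", "principalId": "user-42",
  "resourceId": "sp-graph", "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"}
]"""

# Delegated scopes this example treats as "admin consent only" (an assumed policy list).
BROAD_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Directory.ReadWrite.All"}


def review_delegated_grants(my_tenant_id, sps_json=SERVICE_PRINCIPALS_JSON,
                            grants_json=OAUTH2_GRANTS_JSON):
    """Join each oauth2PermissionGrant (held by the service principal, not the app
    registration) to the enterprise app and resource it belongs to, and flag broad scopes."""
    sps = {sp["id"]: sp for sp in json.loads(sps_json)}
    findings = []
    for g in json.loads(grants_json):
        client = sps[g["clientId"]]        # the enterprise app that received consent
        resource = sps[g["resourceId"]]    # the API the scopes apply to (Graph here)
        scopes = g["scope"].split()        # Graph stores scopes space-separated
        findings.append({
            "app": client["displayName"],
            "appId": client["appId"],      # links back to the app registration, wherever it lives
            "registration_home": "this tenant" if client["appOwnerOrganizationId"] == my_tenant_id
                                 else "vendor tenant",
            "resource": resource["displayName"],
            # AllPrincipals = admin consented for everyone; Principal = one user consented
            "consent": "tenant-wide (admin)" if g["consentType"] == "AllPrincipals"
                       else f"user {g['principalId']}",
            "broad_scopes": sorted(s for s in scopes if s in BROAD_SCOPES),
        })
    return findings


if __name__ == "__main__":
    for f in review_delegated_grants("tenant-contoso"):
        flag = "REVIEW" if f["broad_scopes"] else "ok"
        print(f"{flag:6} {f['app']} ({f['registration_home']}) -> {f['resource']} "
              f"via {f['consent']}: {f['broad_scopes']}")
```

Against a live tenant, the same two lists would come from `GET /servicePrincipals` and `GET /oauth2PermissionGrants`; app-only permissions are a separate object type (`appRoleAssignments`) and need their own pass.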