2.3.5. App Registrations and Enterprise Apps
💡 First Principle: App registrations and enterprise apps represent two sides of the same coin: an app registration defines what an application IS and what it needs (permissions, redirect URIs, secrets), while an enterprise app is the in-tenant instance of that application that gets assigned to users. You need both for an app to work in your organization.
Imagine you're a contractor. Your contractor license (app registration) defines your trade, your bonding, and what you're legally authorized to do. Your badge at a specific job site (enterprise app / service principal) is what actually gets you through the door at that particular location. The license exists once; the badge exists at each site.
| Concept | What It Is | Where It Lives |
|---|---|---|
| App registration | The definition of the app: its client ID, permissions it needs, secrets, redirect URIs | Entra ID → App registrations |
| Enterprise app (service principal) | The in-tenant instance of the app, assigned to users, configured with SSO, with its own permission grants | Entra ID → Enterprise applications |
| API permissions | What data/services the app is allowed to access (e.g., read user profile, send mail) | Defined in App registration, granted via consent |
| Consent | User or admin approval for the app to access specific permissions | Admin consent = granted for all users; user consent = per-user |
For the exam, the key distinction:
- You register an app once (or it comes pre-registered for Microsoft's own apps)
- You configure and assign the enterprise app per tenant
- Admin consent is required for high-privilege permissions (accessing all user email, reading all files); users can't grant these themselves
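The table and list above describe two separate objects: the registration records what the app requests, the enterprise app records what this tenant has granted. As an added example that is not part of this study guide, the Python below models both with the Microsoft Graph field shapes (`requiredResourceAccess`, `appRoleAssignments`, `oauth2PermissionGrants`) on constructed sample data with placeholder IDs, and reports which requested permissions have no tenant-wide grant yet:

```python
# Added example, not from the study guide. The app registration (application
# object) records what an app REQUESTS; the enterprise app (service principal)
# records what this tenant has GRANTED. Field names follow Microsoft Graph
# (requiredResourceAccess, appRoleAssignments, oauth2PermissionGrants); every
# ID below is a constructed placeholder, not a real Entra or Graph GUID.

GRAPH_SP = "sp-microsoft-graph"  # placeholder: the Graph resource service principal

# App registration: requests one application permission ("Role") and one
# delegated permission ("Scope").
APP_REGISTRATION = {
    "appId": "11111111-1111-4111-8111-111111111111",
    "requiredResourceAccess": [{
        "resourceAppId": "graph-app-id-placeholder",
        "resourceAccess": [
            {"id": "perm-calendars-read-role", "type": "Role"},
            {"id": "perm-user-read-scope", "type": "Scope"},
        ],
    }],
}
# Permission id -> value. In Graph these come from the resource's appRoles and
# oauth2PermissionScopes; Calendars.Read and User.Read are real Graph names.
PERMISSION_NAMES = {"perm-calendars-read-role": "Calendars.Read",
                    "perm-user-read-scope": "User.Read"}

# Enterprise app in this tenant: no application permission consented yet, and
# only one user has consented to User.Read for themselves.
SP_APP_ROLE_ASSIGNMENTS = []
OAUTH2_PERMISSION_GRANTS = [
    {"consentType": "Principal", "principalId": "user-1",
     "resourceId": GRAPH_SP, "scope": "User.Read"},
]


def missing_consent(app, app_role_assignments, oauth2_grants, names):
    """Return (permission, kind, who can consent) for each requested permission
    that has no tenant-wide grant on the service principal."""
    granted_roles = {a["appRoleId"] for a in app_role_assignments}
    # Only AllPrincipals grants (admin consent) cover every user; a "Principal"
    # grant is one user's own consent and leaves everyone else uncovered.
    tenant_scopes = set()
    for g in oauth2_grants:
        if g["consentType"] == "AllPrincipals":
            tenant_scopes.update(g["scope"].split())
    missing = []
    for rra in app["requiredResourceAccess"]:
        for access in rra["resourceAccess"]:
            name = names[access["id"]]
            if access["type"] == "Role" and access["id"] not in granted_roles:
                missing.append((name, "application", "admin consent required"))
            elif access["type"] == "Scope" and name not in tenant_scopes:
                missing.append((name, "delegated", "user or admin consent"))
    return missing
```

Running `missing_consent(APP_REGISTRATION, SP_APP_ROLE_ASSIGNMENTS, OAUTH2_PERMISSION_GRANTS, PERMISSION_NAMES)` on the sample data flags Calendars.Read (application permission, admin consent only) and User.Read (delegated, no tenant-wide grant); adding an app role assignment and an AllPrincipals grant empties the list.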
⚠️ Exam Trap: A single app registration can create enterprise apps (service principals) in multiple tenants. Microsoft's own apps, like Teams or SharePoint, are registered by Microsoft but appear as enterprise apps in every customer's tenant. You didn't register Teams; Microsoft did. You configure its enterprise app instance in your tenant.
Reflection Question: A developer builds an internal app that needs to read all users' calendars. They complete the app registration and add the Calendar.Read permission. Users try the app and get permission errors. What step is most likely missing?