App Registration vs Enterprise Application: What is the Difference?
App Registration and Enterprise Application are two sides of the same OAuth identity in Entra ID. Learn what each represents and when you manage which.
App Registration vs Enterprise Application: What is the Difference?
Quick Definition
- App Registration — the definition of an application: identity, secrets/certs, redirect URIs, requested API permissions. Lives in the home tenant.
- Enterprise Application — the service principal representing that application inside a specific tenant: consented permissions, role assignments, conditional access exemptions, sign-in activity.
In simple terms:
App Registration is the blueprint; Enterprise Application is the running instance in your tenant.
Why the Difference Matters
- Many admins confuse the two, leading to misaudits and gaps.
- They appear in different blades in the Entra ID admin center.
- They are managed by different people (developers vs admins) and have different settings.
- For multi-tenant SaaS, the Enterprise Application in your tenant is what you can govern; the App Registration lives in the publisher's tenant.
Side-by-Side
| Aspect | App Registration | Enterprise Application |
|---|---|---|
| Object type | Application object | Service Principal |
| Where it lives | Home tenant only | Each tenant where consented |
| Where to find it | "App Registrations" blade | "Enterprise Applications" blade |
| Managed by | App developer / owner | Tenant admin |
| Defines | Identity, redirect URIs, secrets/certs, permissions request | Permissions consented, role assignments, user assignments, properties in this tenant |
| Owners | App owners | Tenant admins, Application Admin role |
| API permissions | Permissions the app requests | Permissions the app has in this tenant |
| Number per app | 1 | 1 per tenant where it's used |
How They Relate
- Developer creates an App Registration in tenant A.
- The same tenant gets a Service Principal automatically (Enterprise Application in tenant A).
- When tenant B consents to the multi-tenant version of the app, a new Service Principal is created in tenant B (Enterprise Application in tenant B).
- Tenant A admins manage the definition; tenant B admins manage their consented instance.
The App Registration is shared. The Enterprise Application is local.
What You Manage in Each
App Registration
- Display name, branding.
- Sign-in audience (single-tenant, multi-tenant).
- Redirect URIs.
- Client secrets and certificates.
- Federated credentials (Workload Identity Federation).
- Requested API permissions.
- Token configuration (claims, app roles).
- Authentication settings (public client, etc.).
Enterprise Application
- Properties (visible to users, enabled for users to sign in).
- Users and groups assigned to the app.
- Single sign-on settings (for SAML apps).
- Conditional Access policies applying to the app.
- Self-service settings.
- Provisioning (SCIM).
- Permissions consented in this tenant.
- Role assignments held by the SP.
Common Confusion
"I removed the App Registration but the app still works."
Because the Service Principal in another tenant still exists. Removing the App Registration in the home tenant invalidates new sign-ins eventually but the SP in consuming tenants persists until they remove it.
"I see the same app twice in the directory."
You're seeing both the Application object and the Service Principal in your home tenant. They're two related objects.
"The Enterprise App has permissions the App Registration doesn't request."
Permissions can be added at the SP level via Microsoft Graph API or via app-role assignments. Audit both planes.
Real-World Examples
1. Multi-Tenant SaaS
A SaaS vendor publishes "DocuMagic" with App Registration in their tenant. Your tenant admin consents to it; you now have an Enterprise Application named "DocuMagic" with the consented permissions. You can disable user sign-ins, assign users, configure SSO — but you can't change the app's redirect URIs.
2. Internal App
Your dev team creates "InternalReporting" App Registration. Same tenant, so a Service Principal exists too. Devs manage secrets in App Registration; admins manage user assignments in Enterprise Application.
3. First-Party Microsoft App
Microsoft Graph PowerShell, Azure CLI, etc., have App Registrations in Microsoft's tenant. You'll see the corresponding Service Principal in your Enterprise Applications when used.
Security Best Practices
- Audit both blades. Some risks live only on App Registration (long-lived secrets), some on Enterprise Application (excessive consents, user assignment).
- For multi-tenant apps, focus on Enterprise Application in your tenant — that's what you control.
- Tag both objects with consistent ownership and purpose.
- Apply Conditional Access at the Enterprise Application level for sensitive apps.
- Use admin consent workflow to centralize consent decisions on Enterprise Applications.
- Watch for SPs without matching App Registrations — common with multi-tenant SaaS, also possible after orphaned consents.
- Remove unused Enterprise Applications even if the App Registration is gone.
Checklist
- Both App Registrations and Enterprise Applications inventoried?
- Owners assigned in both planes?
- Consent governance via admin consent workflow?
- Conditional Access on sensitive Enterprise Applications?
- User consent restricted for high-risk scopes?
- Quarterly cleanup of unused Enterprise Applications?
- Detection on changes in either plane?
How Forestall Helps
Forestall correlates App Registrations and Enterprise Applications so you see the full picture per app:
- Definition + runtime view.
- Combined permission analysis.
- Owner and consent tracking.
- Risk scoring across both planes.
Frequently Asked Questions
Is an Enterprise Application the same as a Service Principal?
Effectively yes — Enterprise Application is the admin center's name for the Service Principal object.
Can I have an Enterprise Application without an App Registration in my tenant?
Yes — for multi-tenant apps, the App Registration lives in the publisher's tenant and you only have the SP.
Where do I revoke consent?
In the Enterprise Application blade for that app.
Where do I rotate the client secret?
In the App Registration blade (only the home tenant for the app).
Can App Registration permissions differ from Enterprise Application permissions?
The App Registration requests permissions; the Enterprise Application has whatever was actually consented — which can be a subset or include extras added directly to the SP.
Conclusion
App Registration and Enterprise Application are two views of the same OAuth identity, governed by different teams, exposed in different admin blades. Knowing the difference lets you audit both planes correctly, place controls in the right place, and avoid blind spots — especially for multi-tenant SaaS where you can only see and govern the Enterprise Application side.
See both planes of every app in your tenant.
Forestall correlates App Registrations and Service Principals so you see the full picture of every app's risk.