← All glossary terms
Microsoft Entra ID5 min read

App Registration vs Enterprise Application: What is the Difference?

App Registration and Enterprise Application are two sides of the same OAuth identity in Entra ID. Learn what each represents and when you manage which.

App Registration vs Enterprise Application: What is the Difference?

Quick Definition

  • App Registration — the definition of an application: identity, secrets/certs, redirect URIs, requested API permissions. Lives in the home tenant.
  • Enterprise Application — the service principal representing that application inside a specific tenant: consented permissions, role assignments, conditional access exemptions, sign-in activity.

In simple terms:

App Registration is the blueprint; Enterprise Application is the running instance in your tenant.


Why the Difference Matters

  • Many admins confuse the two, leading to misaudits and gaps.
  • They appear in different blades in the Entra ID admin center.
  • They are managed by different people (developers vs admins) and have different settings.
  • For multi-tenant SaaS, the Enterprise Application in your tenant is what you can govern; the App Registration lives in the publisher's tenant.

Side-by-Side

Aspect App Registration Enterprise Application
Object type Application object Service Principal
Where it lives Home tenant only Each tenant where consented
Where to find it "App Registrations" blade "Enterprise Applications" blade
Managed by App developer / owner Tenant admin
Defines Identity, redirect URIs, secrets/certs, permissions request Permissions consented, role assignments, user assignments, properties in this tenant
Owners App owners Tenant admins, Application Admin role
API permissions Permissions the app requests Permissions the app has in this tenant
Number per app 1 1 per tenant where it's used

How They Relate

  1. Developer creates an App Registration in tenant A.
  2. The same tenant gets a Service Principal automatically (Enterprise Application in tenant A).
  3. When tenant B consents to the multi-tenant version of the app, a new Service Principal is created in tenant B (Enterprise Application in tenant B).
  4. Tenant A admins manage the definition; tenant B admins manage their consented instance.

The App Registration is shared. The Enterprise Application is local.


What You Manage in Each

App Registration

  • Display name, branding.
  • Sign-in audience (single-tenant, multi-tenant).
  • Redirect URIs.
  • Client secrets and certificates.
  • Federated credentials (Workload Identity Federation).
  • Requested API permissions.
  • Token configuration (claims, app roles).
  • Authentication settings (public client, etc.).

Enterprise Application

  • Properties (visible to users, enabled for users to sign in).
  • Users and groups assigned to the app.
  • Single sign-on settings (for SAML apps).
  • Conditional Access policies applying to the app.
  • Self-service settings.
  • Provisioning (SCIM).
  • Permissions consented in this tenant.
  • Role assignments held by the SP.

Common Confusion

"I removed the App Registration but the app still works."

Because the Service Principal in another tenant still exists. Removing the App Registration in the home tenant invalidates new sign-ins eventually but the SP in consuming tenants persists until they remove it.

"I see the same app twice in the directory."

You're seeing both the Application object and the Service Principal in your home tenant. They're two related objects.

"The Enterprise App has permissions the App Registration doesn't request."

Permissions can be added at the SP level via Microsoft Graph API or via app-role assignments. Audit both planes.


Real-World Examples

1. Multi-Tenant SaaS

A SaaS vendor publishes "DocuMagic" with App Registration in their tenant. Your tenant admin consents to it; you now have an Enterprise Application named "DocuMagic" with the consented permissions. You can disable user sign-ins, assign users, configure SSO — but you can't change the app's redirect URIs.

2. Internal App

Your dev team creates "InternalReporting" App Registration. Same tenant, so a Service Principal exists too. Devs manage secrets in App Registration; admins manage user assignments in Enterprise Application.

3. First-Party Microsoft App

Microsoft Graph PowerShell, Azure CLI, etc., have App Registrations in Microsoft's tenant. You'll see the corresponding Service Principal in your Enterprise Applications when used.


Security Best Practices

  1. Audit both blades. Some risks live only on App Registration (long-lived secrets), some on Enterprise Application (excessive consents, user assignment).
  2. For multi-tenant apps, focus on Enterprise Application in your tenant — that's what you control.
  3. Tag both objects with consistent ownership and purpose.
  4. Apply Conditional Access at the Enterprise Application level for sensitive apps.
  5. Use admin consent workflow to centralize consent decisions on Enterprise Applications.
  6. Watch for SPs without matching App Registrations — common with multi-tenant SaaS, also possible after orphaned consents.
  7. Remove unused Enterprise Applications even if the App Registration is gone.

Checklist

  • Both App Registrations and Enterprise Applications inventoried?
  • Owners assigned in both planes?
  • Consent governance via admin consent workflow?
  • Conditional Access on sensitive Enterprise Applications?
  • User consent restricted for high-risk scopes?
  • Quarterly cleanup of unused Enterprise Applications?
  • Detection on changes in either plane?

How Forestall Helps

Forestall correlates App Registrations and Enterprise Applications so you see the full picture per app:

  • Definition + runtime view.
  • Combined permission analysis.
  • Owner and consent tracking.
  • Risk scoring across both planes.

Frequently Asked Questions

Is an Enterprise Application the same as a Service Principal?

Effectively yes — Enterprise Application is the admin center's name for the Service Principal object.

Can I have an Enterprise Application without an App Registration in my tenant?

Yes — for multi-tenant apps, the App Registration lives in the publisher's tenant and you only have the SP.

In the Enterprise Application blade for that app.

Where do I rotate the client secret?

In the App Registration blade (only the home tenant for the app).

Can App Registration permissions differ from Enterprise Application permissions?

The App Registration requests permissions; the Enterprise Application has whatever was actually consented — which can be a subset or include extras added directly to the SP.


Conclusion

App Registration and Enterprise Application are two views of the same OAuth identity, governed by different teams, exposed in different admin blades. Knowing the difference lets you audit both planes correctly, place controls in the right place, and avoid blind spots — especially for multi-tenant SaaS where you can only see and govern the Enterprise Application side.

App RegistrationEnterprise ApplicationService PrincipalMicrosoft Entra IDOAuth

See both planes of every app in your tenant.

Forestall correlates App Registrations and Service Principals so you see the full picture of every app's risk.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

App Registration vs Enterprise Application | Forestall