Demystifying ‘App Registrations’, ‘Service Principals’ and ‘Enterprise Applications’

Jeevan B. Manoj
4 min read · Nov 29, 2020

There are only two hard things in Computer Science: cache invalidation and naming things.

— Phil Karlton

This post has something to do with the latter, namely, naming things.

Before we go any further, let me talk a little bit about the intended audience. If you are an absolute beginner to cloud identity I would recommend you to read this earlier post of mine on the topic before proceeding any further.

If you are new to Azure Active Directory or if you have created apps and registered them already, but want to dive a little deeper into the inner working of things, I believe this post will help you.


The differences between App registrations, Service Principals and Enterprise Applications are a common point of confusion for people who are new to AAD, so let’s take a look at them one by one.

App Registrations


Let’s suppose you work for an organization called ‘The juice bar’ and you have developed a web application called ‘Milkshake’. If you want to use AAD as an Identity Provider, you will first have to register Milkshake as an App Registration in Azure. There are a number of ways to do this, such as the Azure portal, PowerShell, the Azure CLI, etc. Once you create an app registration, there will be a SINGLE application object to represent it, and that object lives in your home AAD (The juice bar in this case). Even if Milkshake is a multitenant app and users from other AADs consent to it, a new app registration for Milkshake WON’T be created in their AADs. In other words:

App registrations are globally unique.

A service principal also gets created in the home tenant’s AAD whenever an App registration is created.

You can use the Azure CLI command az ad app list to list and view the app registration objects in your AAD. I recommend saving this output to a JSON file and then comparing it to the service principals JSON file to see where exactly the differences lie.

For example:

Get App registrations in a JSON file.

az ad app list > myApps.json

Get Service Principals in a JSON file.

az ad sp list > mySps.json

Now compare those two JSON files in any JSON viewer.
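As an added example that is not part of the original post, here is the comparison described above done in code rather than in a JSON viewer: it joins the two listings on appId and sorts each entry into "registered here with a local service principal", "service principal only, owned by another tenant" (the Zoom-from-the-gallery case, or how Milkshake looks from The Bakery), or "registration with no local service principal". The tenant ids and objects are constructed, and the field names (appId, displayName, appOwnerOrganizationId) are assumed to match what the Graph-based Azure CLI returns.

```python
import json

# Constructed tenant ids: 'The juice bar' (home tenant) and the vendor tenant that owns Zoom.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
VENDOR_TENANT = "22222222-2222-2222-2222-222222222222"

# Constructed excerpts of `az ad app list` and `az ad sp list` output (only the fields used here).
APPS_JSON = """[
  {"id": "obj-app-milkshake", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "displayName": "Milkshake", "signInAudience": "AzureADMultipleOrgs"},
  {"id": "obj-app-smoothie", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
   "displayName": "Smoothie", "signInAudience": "AzureADMyOrg"}
]"""
SPS_JSON = """[
  {"id": "obj-sp-milkshake", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "displayName": "Milkshake", "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111"},
  {"id": "obj-sp-zoom", "appId": "bbbbbbbb-0000-0000-0000-000000000001",
   "displayName": "Zoom", "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"}
]"""


def compare_apps_and_sps(apps_json, sps_json, home_tenant):
    """Join app registrations and service principals on appId.

    Returns:
      registered_with_sp - registrations in this tenant that also have their local service principal
      foreign_sp         - service principals whose registration lives elsewhere, mapped to the owning tenant
      registration_only  - registrations with no service principal in this tenant (e.g. the SP was deleted)
    """
    apps = {a["appId"]: a for a in json.loads(apps_json)}
    sps = {s["appId"]: s for s in json.loads(sps_json)}

    both = apps.keys() & sps.keys()
    sp_only = sps.keys() - apps.keys()
    app_only = apps.keys() - sps.keys()

    return {
        "registered_with_sp": sorted(apps[i]["displayName"] for i in both),
        "foreign_sp": {sps[i]["displayName"]: sps[i].get("appOwnerOrganizationId") for i in sp_only},
        "registration_only": sorted(apps[i]["displayName"] for i in app_only),
    }


if __name__ == "__main__":
    result = compare_apps_and_sps(APPS_JSON, SPS_JSON, HOME_TENANT)
    for kind, names in result.items():
        print(f"{kind}: {names}")
    # Service principals owned by a tenant other than home_tenant are third-party apps your users
    # have consented to; that list is the one to review for unexpected entries.
    foreign = {n for n, owner in result["foreign_sp"].items() if owner != HOME_TENANT}
    print("third-party apps with a local service principal:", sorted(foreign))
```

On real data, replace the two constructed strings with the contents of myApps.json and mySps.json and pass your own tenant id as home_tenant.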

Let’s move on to Service Principals now.

Service Principals

Service Principals are local representations of the global App registration object discussed above. A local service principal gets created in every tenant that has users for the global app. Let’s suppose your friend works for an organization, ‘The Bakery’, and is using the web app ‘Milkshake’. A service principal will be created in The Bakery’s AAD for Milkshake since your friend is using it, but there will still be only one App registration, which remains in ‘The Juice Bar’ AAD. The service principal object defines what the app can actually do in that specific tenant (organization), who can access the app, and what resources the app can access.

Application registrations have a one to many relationship with service principals.

Enterprise applications


If you are familiar with the Azure portal, you must have noticed that there is no Service Principals tab to list all the service principals. Fret not, the Enterprise applications blade comes to the rescue!

Navigate to the Enterprise applications blade and you will see a list of all the service principals. Additionally, you can add any predefined enterprise application from the plethora of popular apps in the gallery. For example, let’s take Zoom. Suppose you want the users in your AAD to be able to log in to Zoom with their existing credentials. You can add Zoom to your list of Enterprise apps, and the moment you do (click the “Create” button as shown below), a service principal for Zoom will get created in your AAD.

Without much further ado, let me summarize:

Application registration objects are globally unique and remain in the home tenant’s AAD.

A service principal is the local representation, or application instance, of a global application object in a single tenant or directory.

Enterprise Applications is the list of service principals in your AAD. The blade also allows you to add new applications from the Azure AD Gallery; a new Service Principal gets created and added to the Enterprise Applications list whenever you do so.

Jeevan B. Manoj

A technology enthusiast and a newly minted Product manager at Microsoft. I am also an amateur (very) guitarist and a motorsports fan who writes in his free time