Monday, 15 July 2019

Difference between App Registration and Enterprise Application in Azure AD

Applications that you register through the Azure portal (or programmatically) in your own Azure AD tenant are App Registrations, also called home tenant apps. Enterprise Applications are generally registered in another tenant (the one their publisher uses); when you consume such an app, your Azure AD tenant only gets a service principal object for it in your directory, grants the required permissions to that service principal, and then assigns users to it.

When you create an App Registration (Application) in your tenant, an Application object is created in your tenant's directory. When a user from another tenant wants to consume your app, they sign in and consent to the permissions your app requires, and an Enterprise Application (Service Principal) is created in their tenant. That service principal effectively mirrors your application in their tenant; the two objects are different directory objects with different object IDs and are linked only by the application's AppId (client ID).

App Registration (Application):

  • Your own Applications that are registered in App registrations.
  • When you create a new app in your tenant, it will create an Application object in your tenant directory.
  • Registered or Owned Apps.
  • You can change the Reply URL for this app because it is registered and owned by you.
  • You can use the Get-AzureADApplication cmdlet to list all the registered apps.
# All app registrations (Application objects) in this tenant
Get-AzureADApplication -All:$true
# Web Apps: PublicClient is $false or unset, so test for "not $true"
Get-AzureADApplication -All:$true | Where-Object { $_.PublicClient -ne $true } | Format-Table
# Native Client (Desktop/Mobile device) Apps: PublicClient is explicitly $true
Get-AzureADApplication -All:$true | Where-Object { $_.PublicClient -eq $true } | Format-Table

Enterprise Application (Service Principal):

  • Enterprise Applications are Service Principal objects that mirror apps which are generally published by other companies.
  • When you grant permission to another tenant's application to access resources in your tenant (at registration or on consent), a service principal object (Enterprise Application) is created.
  • Granting permission to your own apps also creates a service principal object in your tenant.
  • Integrated or Consumed Apps.
  • You can't configure the Reply URL for apps that are registered in another company's tenant.
  • You can use the Get-AzureADServicePrincipal cmdlet to list all the Enterprise Applications.
# Tags is a collection; the "WindowsAzureActiveDirectoryIntegratedApp" tag marks the
# service principals that the portal lists under Enterprise Applications
Get-AzureADServicePrincipal -All:$true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }
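The following script is an added example, not code from the original post. It walks through both halves of the distinction described above: it creates an App Registration (Application object) and its Enterprise Application (Service Principal) in the same tenant, shows that the two objects share only the AppId, then classifies every service principal in the tenant as a home tenant app (a matching Application object exists here, so you can edit its Reply URLs) or a consumed app (registered in another tenant). The display name "Demo-HomeTenantApp", the reply URLs and the Get-AppOrigin function are assumptions for the example; the cmdlets and properties are those of the AzureAD PowerShell module.

```powershell
# Added example (not from the original post). Assumes the AzureAD module is installed
# and the account used has rights to create and delete applications.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId

# 1. App Registration: creates an Application object in this tenant.
#    Display name and reply URL are made up for the demo.
$app = New-AzureADApplication -DisplayName "Demo-HomeTenantApp" `
        -ReplyUrls @("https://localhost/signin-oidc")

# 2. Enterprise Application: the Service Principal for that app in this tenant.
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# Application and Service Principal are separate objects linked only by AppId.
"Application ObjectId:      $($app.ObjectId)"
"ServicePrincipal ObjectId: $($sp.ObjectId)"
"Shared AppId:              $($app.AppId) == $($sp.AppId)"

# 3. Classify every service principal in the tenant.
#    Get-AppOrigin is a hypothetical helper written for this example, not a cmdlet.
function Get-AppOrigin {
    param([string]$TenantId)

    # Index all Application objects (app registrations) by AppId for O(1) lookups.
    $apps = @{}
    Get-AzureADApplication -All:$true | ForEach-Object { $apps[$_.AppId] = $_ }

    Get-AzureADServicePrincipal -All:$true | ForEach-Object {
        $hasAppObject = $apps.ContainsKey($_.AppId)
        if ($hasAppObject) {
            $origin = "HomeTenant (App Registration exists)"
        } elseif ($_.AppOwnerTenantId -eq $TenantId) {
            $origin = "HomeTenant (Application object missing)"
        } else {
            $origin = "Consumed (registered in another tenant)"
        }
        [PSCustomObject]@{
            DisplayName      = $_.DisplayName
            AppId            = $_.AppId
            OwnerTenantId    = $_.AppOwnerTenantId
            Origin           = $origin
            # Reply URLs live on the Application object, so only home tenant
            # apps with an Application object here can have them changed.
            ReplyUrlEditable = $hasAppObject
        }
    }
}

Get-AppOrigin -TenantId $tenantId | Sort-Object Origin, DisplayName | Format-Table -AutoSize

# 4. Reply URLs are changed on the Application object you own, never on the
#    service principal of an app registered elsewhere.
Set-AzureADApplication -ObjectId $app.ObjectId `
    -ReplyUrls @("https://localhost/signin-oidc", "https://app.example.com/signin-oidc")
(Get-AzureADApplication -ObjectId $app.ObjectId).ReplyUrls

# 5. Clean up the demo objects (service principal first, then the application).
Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
Remove-AzureADApplication -ObjectId $app.ObjectId
```

In the classification output, Microsoft first-party and third-party SaaS apps show up as "Consumed" with an OwnerTenantId that is not yours, while anything you registered yourself shows up as "HomeTenant" with ReplyUrlEditable set to True. A service principal whose OwnerTenantId is your tenant but which has no Application object is worth a second look, since it usually means the app registration was deleted while the service principal (and any role assignments or credentials on it) was left behind.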

