App Registrations vs. Enterprise Applications

In Microsoft Entra ID (formerly Azure AD), there are two menu options that look very similar – App Registrations and Enterprise Applications. When I first started working with Azure – I wondered what Enterprise Applications were and the documentation wasn’t satisfactory.

Software development tutorials frequently had me add new App Registrations, so I had a pretty good idea what they were for – but Enterprise Applications were a mystery.

When you add a new App Registration, you are prompted to decide if you are publishing a Single tenant or Multitenant application. This is the key to understanding Enterprise Applications.

An App Registration is something the publisher of the application uses. An Enterprise Application represents the consumer’s view of that application. If you specify Single tenant – an Enterprise Application will be created in parallel with the App Registration once you (or any user from your Entra ID tenant) login to the application.

If you create a new App Registration called MyApp and login to that application and then go the Enterprise Applications section, you will see an Enterprise Application has been created for MyApp. The Enterprise Application is used by administrators to control user access to the application. For instance, an administrator can use the Enterprise Application to set up mapping so that only certain users or groups can access the application. In short, App Registration is used by software developers and Enterprise Applications are used by administrators.

The Multitenant application example may be more clear. If you publish your application as Multitenant, when someone from another Entra ID tenant logs in – an Enterprise Application will be created in their Entra ID tenant, but not an App Registration. The publisher is the only tenant where an App Registration exists, but (in a Multitenant scenario) – there can be many Enterprise Applications (one per consuming tenant) where administrators in different tenants can control their users’ access to the application.

Each of these unique Enterprise Application (in different consuming tenants) will get a unique Object ID, but the Application ID in the Enterprise Application points back to the Application (client) ID of the referenced App Registration.