In Microsoft Entra ID there are both Enterprise Apps and App Registrations. Many administrators do not know the difference and confuse these two important concepts, but the difference between them is significant and worth understanding.

Microsoft Entra ID App Registrations

App registrations are applications registered with Microsoft Entra ID. Because Microsoft Entra ID knows the application, it can authenticate the user and grant that user access to the services integrated with it.
There are many such applications that are pre-integrated in Microsoft Entra ID.

Microsoft Entra ID is an independent identity system, so even Microsoft’s own services are just apps registered within Microsoft Entra ID: for example Exchange Online and SharePoint Online, but also the Azure Portal and everything else you use within the business Microsoft cloud.

In the same way, any other application or service, whether your own or one hosted in another cloud or service, can be registered with Microsoft Entra ID. This lets you provide unified authentication, including all of Microsoft Entra ID’s security mechanisms such as conditional access.

The scope of an app registration can be local to the tenant or global. Global registrations make the app potentially available in other tenants as well; this is also the case for the Microsoft first-party services mentioned above, which are registered with Microsoft Entra ID.

Microsoft Entra ID Enterprise Applications

Enterprise Apps in Microsoft Entra ID are the authentication objects (service principals) used by apps registered with Microsoft Entra ID. Enterprise apps are the equivalent of user objects in Microsoft Entra ID, but unlike standard user objects they do not authenticate with a username and password; they rely on secrets and certificates for authentication.

Similar to regular user objects, enterprise applications have permissions assigned that define what the application (service principal) can do within Microsoft Entra ID. Each enterprise application is always local and valid only within its tenant.

Everything that users access must have an enterprise application in Microsoft Entra ID. The standard Microsoft applications are already defined and enabled. If a user wants to use something else, however, the enterprise application needs to be created in Microsoft Entra ID and given the necessary permissions.
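The local/global scope of a registration and the always-local nature of an enterprise application are easiest to see side by side. The following Microsoft Graph PowerShell session is an added example, not part of the original article: given an app’s AppId it looks up the app registration (which exists only in the publishing tenant) and the enterprise application (service principal) in the current tenant. It assumes the Microsoft.Graph PowerShell module is installed; the AppId value is a placeholder.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell module; the AppId below is a placeholder to replace.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$appId = "00000000-0000-0000-0000-000000000000"   # placeholder AppId

# The registration (application object) lives only in the tenant that created
# the app. For a Microsoft first-party service this returns nothing, because the
# registration sits in Microsoft's own tenant.
$registration = Get-MgApplication -Filter "appId eq '$appId'"
if ($registration) {
    "Registration found in this tenant: $($registration.DisplayName)"
    # SignInAudience is the property behind the article's local vs global scope:
    # AzureADMyOrg = this tenant only, AzureADMultipleOrgs = any Entra ID tenant.
    "Sign-in audience: $($registration.SignInAudience)"
} else {
    "No registration here: the app is published from another tenant"
}

# The enterprise application (service principal) is the local authentication
# object; it is the thing permissions are actually granted to in this tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if ($sp) {
    "Enterprise application present: $($sp.DisplayName) (object id $($sp.Id))"
    "Publisher tenant: $($sp.AppOwnerOrganizationId)"
    # Application permissions (app roles) this service principal has been granted
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Select-Object ResourceDisplayName, AppRoleId
} else {
    "No enterprise application: nobody in this tenant has consented to this app yet"
}
```

Running this against one of the pre-integrated Microsoft services shows the pattern the article describes: no application object in your tenant, but a service principal whose AppOwnerOrganizationId points at Microsoft’s tenant.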

By default, any user can give consent to applications. Consenting creates the enterprise application (service principal) in the Microsoft Entra ID tenant, and the user can start using the app immediately. This default setting is risky and should be disabled so that only administrators can add new enterprise applications to Microsoft Entra ID.
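To check and change the consent setting described above, and to see which enterprise applications users have already created through consent, the following Microsoft Graph PowerShell session can be used. It is an added example, not code from the original article, and assumes the Microsoft.Graph PowerShell module and an account holding a role that may edit the authorization policy.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell module and sufficient rights to edit the authorization policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Directory.Read.All" -NoWelcome

# 1. Read the current user-consent setting. An empty list means users cannot
#    consent at all; a tenant still on the permissive default the article warns
#    about typically lists "ManagePermissionGrantsForSelf.microsoft-user-default-legacy".
$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policies currently assigned: $($assigned -join ', ')"

# 2. Disable user consent so that only administrators create new enterprise
#    applications (the recommendation in the article).
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 3. Audit what users consented to before the change. ConsentType "Principal"
#    marks a per-user grant, which is exactly what the risky default produces;
#    "AllPrincipals" grants were made by an administrator for the whole tenant.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App       = $client.DisplayName
            Publisher = $client.AppOwnerOrganizationId
            UserId    = $_.PrincipalId
            Scopes    = $_.Scope
        }
    } | Format-Table -AutoSize
```

Step 2 is the strict setting. If blocking all user consent is too disruptive, the policy `ManagePermissionGrantsForSelf.microsoft-user-default-low` can be assigned instead, which only lets users consent to low-impact permissions from verified publishers; every other request then goes to an administrator. The audit in step 3 is worth repeating periodically, since each per-user grant corresponds to an enterprise application that was created without administrator review.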