January 12, 2023

Differences Between App Registrations, Enterprise Applications, and Service Principals in Azure AD

Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. Within Azure AD, there are three main types of entities that can be used to represent applications: App Registrations, Enterprise Applications, and Service Principals.

An App Registration, also known as an application object, is used to represent a single application that is being integrated with Azure AD. This allows users to authenticate to the application using their Azure AD credentials, and for the application to access Azure AD-protected resources, such as Microsoft Graph.

An Enterprise Application is a representation of a group of related App Registrations. It is used to manage the permissions and access of a group of related applications as a whole, rather than managing them individually. This allows, for example, a group of internal applications to share the same set of permissions.

A Service Principal is a non-interactive account that is used to represent an application within Azure AD. It is used to authenticate the application when calling Azure AD-protected resources, such as Microsoft Graph. The Service Principal is the account that the application uses when authenticating with Azure AD, providing a secure means of access without requiring any direct user interaction.

"Service Principal" and "Enterprise Application" are often used interchangeably, but there can be subtle distinctions in their meanings. "Enterprise App" is typically used to refer to applications that are integrated with other systems or platforms, whereas "Service Principal" is a more general term for the security entity used to grant permissions or access to resources. The Service Principal object is where the application's instance in Azure AD is tracked and managed. When you register an application, both an application object and a Service Principal object that references it will be created by Azure AD.
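The link between the two objects is the application (client) ID: the application object owns an `appId`, and the Service Principal object that references it carries the same `appId` while having its own separate object `id`. The script below is an added example, not code from the original post, that joins the two object types on `appId` the way an inventory review would. The input is constructed sample data shaped like the `value` arrays returned by the Microsoft Graph `/applications` and `/servicePrincipals` endpoints (field names follow Graph; every id and display name is made up). It reports registrations that have no Service Principal in the tenant and Service Principals whose application object is not registered locally, which is the situation for an app owned by another tenant (the `appOwnerOrganizationId` values are likewise constructed).

```python
import json
from typing import Dict, List, Optional

# Constructed sample data: two application objects registered in this tenant.
# Shaped like the Microsoft Graph /applications "value" array; ids are made up.
APPLICATIONS_JSON = """
[
  {"id": "11111111-0000-0000-0000-000000000001",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "displayName": "Payroll API",
   "signInAudience": "AzureADMyOrg"},
  {"id": "11111111-0000-0000-0000-000000000002",
   "appId": "aaaaaaaa-0000-0000-0000-000000000002",
   "displayName": "Reporting Dashboard",
   "signInAudience": "AzureADMyOrg"}
]
"""

# Constructed sample data: Service Principal objects present in this tenant.
# The first references "Payroll API" by appId; the second references an
# application whose object lives in another tenant (constructed owner id).
SERVICE_PRINCIPALS_JSON = """
[
  {"id": "22222222-0000-0000-0000-000000000001",
   "appId": "aaaaaaaa-0000-0000-0000-000000000001",
   "displayName": "Payroll API",
   "servicePrincipalType": "Application",
   "appOwnerOrganizationId": "33333333-0000-0000-0000-000000000001"},
  {"id": "22222222-0000-0000-0000-000000000003",
   "appId": "aaaaaaaa-0000-0000-0000-000000000003",
   "displayName": "Third-Party SaaS Connector",
   "servicePrincipalType": "Application",
   "appOwnerOrganizationId": "44444444-0000-0000-0000-000000000002"}
]
"""


def load_objects(raw: str) -> List[Dict]:
    """Parse a Graph-style JSON array of directory objects."""
    return json.loads(raw)


def correlate(applications: List[Dict], service_principals: List[Dict]) -> Dict[str, Dict[str, Optional[Dict]]]:
    """Join application objects and Service Principal objects on appId.

    Returns a mapping appId -> {"application": obj or None,
                                "servicePrincipal": obj or None}.
    Each side is keyed by appId because that is the value the Service
    Principal uses to reference its application object.
    """
    apps_by_app_id = {a["appId"]: a for a in applications}
    sps_by_app_id = {s["appId"]: s for s in service_principals}
    result: Dict[str, Dict[str, Optional[Dict]]] = {}
    for app_id in apps_by_app_id.keys() | sps_by_app_id.keys():
        result[app_id] = {
            "application": apps_by_app_id.get(app_id),
            "servicePrincipal": sps_by_app_id.get(app_id),
        }
    return result


def registrations_without_service_principal(correlated: Dict[str, Dict]) -> List[str]:
    """appIds registered here that have no Service Principal in the tenant."""
    return sorted(app_id for app_id, pair in correlated.items()
                  if pair["application"] is not None and pair["servicePrincipal"] is None)


def service_principals_without_local_registration(correlated: Dict[str, Dict]) -> List[str]:
    """appIds with a Service Principal here but no application object here."""
    return sorted(app_id for app_id, pair in correlated.items()
                  if pair["servicePrincipal"] is not None and pair["application"] is None)


def report(correlated: Dict[str, Dict]) -> List[str]:
    """Human-readable lines, one per appId, showing both object ids."""
    lines = []
    for app_id in sorted(correlated):
        app = correlated[app_id]["application"]
        sp = correlated[app_id]["servicePrincipal"]
        name = (app or sp)["displayName"]
        lines.append(
            f"{name}: appId={app_id} "
            f"applicationObjectId={app['id'] if app else '-'} "
            f"servicePrincipalObjectId={sp['id'] if sp else '-'}"
        )
    return lines


if __name__ == "__main__":
    corr = correlate(load_objects(APPLICATIONS_JSON), load_objects(SERVICE_PRINCIPALS_JSON))
    print("\n".join(report(corr)))
    print("registrations without SP:", registrations_without_service_principal(corr))
    print("SPs without local registration:", service_principals_without_local_registration(corr))
```

Against a live tenant the two JSON strings would be replaced by the paged output of the Graph endpoints named above; the join logic does not change. A registration with no Service Principal cannot be signed into or granted permissions in this tenant, and a Service Principal with no local application object is the normal shape for an app registered elsewhere, which is why the two lists are worth reviewing separately.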

In summary: an App Registration represents a single application; an Enterprise Application represents a group of related App Registrations; and a Service Principal is the non-interactive account that represents an application within Azure AD.