
AAD App Registration vs Enterprise Application

Azure Active Directory (AAD) concepts can be challenging to grasp at times. One of these concepts that I have witnessed many people struggle to understand is the relationship between an App Registration and Enterprise Application. I hope to shed some light on this important topic.

We create an App Registration and an Enterprise Application when we need to integrate a service or application with AAD. Essentially, these objects are used to identify a client service or application.

An App Registration is an AAD object that serves as the blueprint. This is where we define, among other details, what information the client service needs access to and how it is going to authenticate itself to AAD. The Enterprise Application is an instance of the App Registration in the AAD Tenant.

In Object Oriented Programming (OOP) terms:

  • App Registration is the Class
  • Enterprise Application is the Object

With the above in mind, we can conclude that just having an App Registration is not useful: we also need to create an instance of the App Registration, an Enterprise Application, to actually work with AAD. For example, we can only use an Enterprise Application in Azure Role-based Access Control (RBAC), not the App Registration directly.

Single vs Multi-Tenant App Registration

One of the properties we need to decide on when we create an App Registration is whether it should be Single-Tenant or Multi-Tenant. As you may have guessed, this property determines whether we can create Enterprise Applications from this App Registration in other AAD Tenants, or only in the Home Tenant, which is where the App Registration is created.

Revisiting the OOP analogy:

  • Single-Tenant: Objects (Enterprise Applications) can only be created in the Home Tenant of the Class (App Registration)
  • Multi-Tenant: Objects (Enterprise Applications) can be created in other AAD Tenants as well

Multi-Tenant App Registration

One use case for a Multi-Tenant App Registration is when you want a service, represented by the App Registration, to access information across Tenants. In this case, the secrets of the App Registration need to be managed by the service developer/maintainer in one place: the Home Tenant of the App Registration.
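The class/object relationship can be checked against a tenant inventory. The following is an added example, not code from the original post: it joins App Registrations to Enterprise Applications (service principals in Microsoft Graph) on their shared `appId`, using the Graph properties `signInAudience` and `appOwnerOrganizationId`. The tenant IDs, app IDs, names and records are constructed sample data.

```python
# Constructed sample data shaped like Microsoft Graph /applications and
# /servicePrincipals records. All IDs and names are made up.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

APPLICATIONS = [  # App Registrations (the "classes") in the Home Tenant
    {"displayName": "billing-api", "appId": "a1", "signInAudience": "AzureADMyOrg"},
    {"displayName": "partner-sync", "appId": "a2", "signInAudience": "AzureADMultipleOrgs"},
    {"displayName": "draft-app", "appId": "a3", "signInAudience": "AzureADMyOrg"},
]
SERVICE_PRINCIPALS = [  # Enterprise Applications (the "objects") in this tenant
    {"displayName": "billing-api", "appId": "a1", "appOwnerOrganizationId": HOME_TENANT},
    {"displayName": "partner-sync", "appId": "a2", "appOwnerOrganizationId": HOME_TENANT},
    {"displayName": "vendor-monitoring", "appId": "a9", "appOwnerOrganizationId": OTHER_TENANT},
]

# signInAudience values that allow instances outside the Home Tenant
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def classify(tenant_id, applications, service_principals):
    """Relate App Registrations to Enterprise Applications via appId."""
    instantiated = {sp["appId"] for sp in service_principals}
    report = {"single_tenant": [], "multi_tenant": [],
              "no_instance": [], "foreign_instances": []}
    for app in applications:
        multi = app["signInAudience"] in MULTI_TENANT_AUDIENCES
        report["multi_tenant" if multi else "single_tenant"].append(app["displayName"])
        # A registration with no Enterprise Application cannot be used in RBAC.
        if app["appId"] not in instantiated:
            report["no_instance"].append(app["displayName"])
    for sp in service_principals:
        # The blueprint (and its secrets) lives in another tenant: this is an
        # instance of someone else's Multi-Tenant App Registration.
        if sp.get("appOwnerOrganizationId") not in (None, tenant_id):
            report["foreign_instances"].append(sp["displayName"])
    return report


if __name__ == "__main__":
    for key, names in classify(HOME_TENANT, APPLICATIONS, SERVICE_PRINCIPALS).items():
        print(f"{key}: {names}")
```

Entries under `foreign_instances` are the ones whose credentials are managed outside your tenant, so the permissions granted to them locally deserve review.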