Azure Active Directory - What is the difference between a Service Principal and an Enterprise Application?

When you write an application as a developer, you will register it in a given tenant, and will specify its properties. This happens in the App Registration blade in Azure AD. I'll dare an analogy by saying that the app is like a "class" in object-oriented languages (with some static properties, which will be common to all instances).

By registering the application in that given tenant (if you use the portal), this also automatically creates a service principal for this application, which you can find in the "Enterprise Applications" blade of the Azure portal. To continue with my analogy, the portal creates a kind of instance of that class. This service principal contains information which is related to both the application and the tenant and its users. For instance, it contains the activity of the users, in particular what they have consented to.

Now if during the app registration / app management, you decide that your application is "multi-tenant", then, when the application is accessed in other tenants, another service principal (remember this instance) will be created in that tenant.

BTW, if you go to the new App Registration (Preview) blade in the Azure portal, when you create an application, you can now see nicely grouped by categories all the properties of the app (all the properties which are common to all the service principals). Now if, in the "Overview" tab of the app, you click on the link "Managed application in local directory", you'll get to the corresponding service principal in the same tenant (where you'll see which users have accessed the app and when, where you can grant admin consent - if you are tenant admin - and see the activity and the audit logs).


This is indeed confusing and you are not the only one who feels that way. I guess this whole application/service principal thing is designed from the perspective of web applications, which can be scaled across multiple Azure AD tenants. For someone who just wants to create some small scripts which connect to Azure services, understanding this whole thing is too much. Unfortunately there is no way around it. The Azure Portal is also a little bit confusing for this part; it only started to make some sense when I used the Azure CLI for it.

To access Azure resources programmatically we need to use Service Principal credentials. A Service Principal is actually an instance of an application, so we need to create an Application (App Registration) first too. If the App Registration is added from the portal, the Service Principal is created automatically. With the Azure CLI, creating the Application and the Service Principal are two distinct steps.

The weird part is, credentials have to be obtained from the Application (App Registrations -> select app -> Certificates & Secrets), while the role assignment for the Service Principal has to be done from Subscriptions (select subscription -> Access control (IAM) -> Role Assignments). The same process using the CLI makes more sense.

Using Azure CLI

  1. Register/create app

     $ az ad app create --display-name "displayName"

  2. Create service principal for the app just created

     $ az ad sp create --id "applicationId"

  3. Set application credentials

     $ az ad app credential reset --credential-description "some_description" --id "applicationId"

     OR

     $ az ad sp credential reset --credential-description "some_description" --name "applicationDisplayName" --append

  4. Assign roles to the Service Principal to access resources in Azure.

     $ az role assignment create --assignee "service principal object id/ApplicationId" --role role_name

And if you don't care about all this application/service principal stuff and just want to use Service Principal for accessing Azure resources, there is a shortcut.

$ az ad sp create-for-rbac --name "service_principal_name"

This will create the application, create the service principal, set credentials on the app, assign the Contributor role to the service principal and print the credentials!!

Since the name of the Application (in App Registrations) and the Service Principal (Enterprise/All Applications) is the same, we need to look carefully at the Object ID and Application ID to find out which is which. On top of that, Service Principals are listed as Enterprise Applications/All Applications in the Azure Portal.

'Enterprise Applications' is just a category of Service Principals that satisfy two conditions.

  1. The Service Principal and the Application registration should be in the same tenant.
  2. The Service Principal should have the tag 'WindowsAzureActiveDirectoryIntegratedApp'. If this tag is removed from the Service Principal, it won't show under Enterprise Applications, but will still be listed under 'All Applications'. (Do not try in production!!)

Note that service principals created from the CLI did not appear in 'Enterprise Applications' and I had to add the tag manually.

$ az ad sp update --id "service_principal_object_id" --add tags WindowsAzureActiveDirectoryIntegratedApp
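The steps above (app registration, service principal, credentials, role assignment, tag) can be tied together in one script that also makes the "which ID is which" question visible. The following POSIX shell script is an added example and is not code from either answer: for one appId it fetches the object id of the app registration and the object id of the service principal that shares that appId, reports whether the service principal carries the Enterprise Applications tag, and assigns a role to the service principal's object id with an explicit scope instead of the subscription-wide Contributor that create-for-rbac grants. It assumes az CLI 2.37 or newer, whose "az ad app show" / "az ad sp show" output has an "id" field (older releases called it "objectId"); the AZ variable and the function names are my own, not part of the CLI.

```shell
#!/bin/sh
# Added example (not from the answers above). Assumes az CLI >= 2.37 ("id"
# field in "az ad app/sp show" output). AZ exists only so a wrapper can be
# substituted for the real CLI; it is not an az feature.
AZ=${AZ:-az}

# Object id of the app registration (the "class" in the first answer's analogy).
app_object_id() {
  "$AZ" ad app show --id "$1" --query id -o tsv
}

# Object id of the service principal (the "instance") that shares this appId.
# "az ad sp show --id" accepts the appId as well as the SP object id.
sp_object_id() {
  "$AZ" ad sp show --id "$1" --query id -o tsv
}

# Prints "true" when the SP carries the tag that lists it under Enterprise
# Applications; tsv output of a boolean is lower-cased so callers can compare it.
sp_has_enterprise_tag() {
  "$AZ" ad sp show --id "$1" \
    --query "contains(tags, 'WindowsAzureActiveDirectoryIntegratedApp')" -o tsv \
    | tr '[:upper:]' '[:lower:]'
}

# Role assignment on the SP object id, pinned to a scope (resource group or
# resource) rather than the whole subscription. --assignee-object-id together
# with --assignee-principal-type skips the directory lookup, so it also works
# for a caller that lacks Directory read permission.
assign_scoped_role() {
  app_id=$1; role=$2; scope=$3
  sp=$(sp_object_id "$app_id")
  "$AZ" role assignment create \
    --assignee-object-id "$sp" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope"
}

# Show the three ids side by side: one appId shared by two different objects.
describe_pair() {
  app_id=$1
  printf 'appId             %s\n' "$app_id"
  printf 'app object id     %s\n' "$(app_object_id "$app_id")"
  printf 'sp object id      %s\n' "$(sp_object_id "$app_id")"
  printf 'enterprise tag    %s\n' "$(sp_has_enterprise_tag "$app_id")"
}

# Usage: sh sp_ids.sh <appId> [role scope]
if [ $# -ge 1 ]; then
  describe_pair "$1"
  if [ $# -eq 3 ]; then
    assign_scoped_role "$1" "$2" "$3"
  fi
fi
```

Run it with just the appId to see the two object ids, or with a role and a scope such as /subscriptions/<id>/resourceGroups/<name> to assign the role; whichever object id ends up in an audit log or an access review, the appId column is what links the Enterprise Application entry back to its App Registration.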