When applications — whether they run in Azure, on-premises, or in other clouds — need to authenticate to Entra ID and access protected resources, they use app registrations and service principals. Understanding the relationship between these two objects is essential for building secure, integrated applications.
These two terms are often confused, but they serve distinct purposes:
An app registration is a global definition of an application. It lives in the home tenant where the application was registered and defines:
Think of the app registration as the blueprint of the application.
A service principal is the local representation of an application within a specific tenant. When an app registration is used (or consented to) in a tenant, Entra ID creates a service principal in that tenant.
Think of the service principal as the instance of the application in a particular tenant.
| Concept | Analogy |
|---|---|
| App registration | A class definition in object-oriented programming |
| Service principal | An instance (object) of that class |
| Service principal type | Description |
|---|---|
| Application | Created from an app registration; represents an application |
| Managed identity | Created automatically when you enable a managed identity (covered in the previous lesson) |
| Legacy | Created for on-premises apps registered before the current app model |
```shell
# Register the application in the home tenant; note the appId in the output
az ad app create --display-name "My API Backend"
```
This creates the app registration. To create the service principal:
```shell
# Instantiate the application in this tenant, keyed by its appId
az ad sp create --id <application-id>
```
Applications authenticate using either client secrets or certificates. A client secret is a bearer credential: anyone who obtains it can act as the application, so prefer certificates where possible and keep secret lifetimes short. Note that `--append` adds a new secret while keeping the existing ones, so repeated resets accumulate credentials on the registration unless the old ones are deleted.
```shell
# Add a new client secret without invalidating the existing credentials
az ad app credential reset --id <application-id> --append
```
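The audit below is an added example, not part of the lesson. It takes JSON shaped like the output of `az ad app list` and `az ad sp list` (the `appId`, `passwordCredentials`, `keyCredentials` and `endDateTime` fields are the ones the CLI returns) and reports registrations with no service principal in the tenant, expired credentials, credentials that remain valid for longer than a chosen window, and registrations carrying several secrets. The sample data, the `max_remaining_days` threshold and the finding labels are constructed for illustration; in practice the JSON would come from saved CLI output.

```python
"""Audit app registrations and service principals from Azure CLI JSON output.

Added example (not from the lesson). The input is constructed sample data
shaped like `az ad app list` / `az ad sp list` output so the audit runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one registration that has accumulated secrets through
# repeated `az ad app credential reset --append`, and one registration that
# has no service principal in this tenant.
SAMPLE_APPS = json.dumps([
    {
        "appId": "11111111-1111-1111-1111-111111111111",
        "displayName": "My API Backend",
        "passwordCredentials": [
            {"keyId": "k1", "displayName": "initial", "endDateTime": "2024-01-01T00:00:00Z"},
            {"keyId": "k2", "displayName": "rotated", "endDateTime": "2030-01-01T00:00:00Z"},
        ],
        "keyCredentials": [],
    },
    {
        "appId": "22222222-2222-2222-2222-222222222222",
        "displayName": "Orphaned Registration",
        "passwordCredentials": [],
        "keyCredentials": [
            {"keyId": "c1", "displayName": "cert", "endDateTime": "2026-06-01T00:00:00Z"},
        ],
    },
])

SAMPLE_SPS = json.dumps([
    {
        "appId": "11111111-1111-1111-1111-111111111111",
        "displayName": "My API Backend",
        "servicePrincipalType": "Application",
    },
])


def parse_iso(ts):
    """Parse the ISO-8601 UTC timestamps the CLI emits (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit(apps_json, sps_json, now=None, max_remaining_days=365):
    """Return a list of (appId, finding, detail) tuples.

    `now` may be a datetime or an ISO string; it defaults to the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_iso(now)
    # Service principals are the per-tenant instances; index them by appId,
    # which is the value shared with the app registration.
    sps = {sp["appId"]: sp for sp in json.loads(sps_json)}
    findings = []
    for app in json.loads(apps_json):
        app_id = app["appId"]
        if app_id not in sps:
            findings.append((app_id, "no_service_principal", app["displayName"]))
        secrets = app.get("passwordCredentials", [])
        certs = app.get("keyCredentials", [])
        for kind, creds in (("secret", secrets), ("certificate", certs)):
            for cred in creds:
                end = parse_iso(cred["endDateTime"])
                if end <= now:
                    findings.append((app_id, f"expired_{kind}", cred["keyId"]))
                elif end - now > timedelta(days=max_remaining_days):
                    findings.append((app_id, f"long_lived_{kind}", cred["keyId"]))
        # Several secrets usually means old ones were never cleaned up.
        if len(secrets) > 1:
            findings.append((app_id, "multiple_secrets", str(len(secrets))))
    return findings


if __name__ == "__main__":
    for app_id, finding, detail in audit(SAMPLE_APPS, SAMPLE_SPS, now="2025-01-01T00:00:00Z"):
        print(f"{app_id}  {finding:<24} {detail}")
```

To run this against a real tenant, save `az ad app list --all` and `az ad sp list --all` to files and pass their contents to `audit`; an expired or extra secret should be removed with `az ad app credential delete`, and a registration with no service principal is a candidate for cleanup.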