Service Principals and App Registrations

When applications — whether they run in Azure, on-premises, or in other clouds — need to authenticate to Entra ID and access protected resources, they use app registrations and service principals. Understanding the relationship between these two objects is essential for building secure, integrated applications.

---

App Registration vs Service Principal

These two terms are often confused, but they serve distinct purposes:

App Registration

An app registration is a global definition of an application. It lives in the home tenant where the application was registered and defines:

• The application's identity (client ID, or application ID)
• Authentication settings (redirect URIs, supported account types)
• Credentials (client secrets or certificates)
• API permissions the application requires
• Roles and scopes the application exposes

Think of the app registration as the blueprint of the application.

Service Principal

A service principal is the local representation of an application within a specific tenant. When an app registration is used (or consented to) in a tenant, Entra ID creates a service principal in that tenant.