Difference between "enterprise application" and "app registration" in Azure

Could someone please tell me what the difference is between "enterprise application" and "app registration" in Azure.

Appreciate if you could give me an example & why some application cannot be registered under blade "Enterprise application" and vise versa.

An App Registration is a way of reserving your app and URL with Azure AD, allowing it to communicate with Azure AD, hooking up your reply urls, and enabling AAD services on it. When you have an application that you are developing and want to integrate with Azure, you need to register your application in App Registrations, where you will configure your reply URL, logout URL, and API access if needed. When you register your application, Azure AD assigns a unique Application ID to it and allows you to add certain capabilities such as credentials, permissions, and sign-ons. The default settings allow only users from the tenant under which your app is registered to sign into your application.

The Enterprise Applications blade might be confused with App Registrations because the Enterprise Application blade contains the list of your service principals. However, the term Enterprise App generally refers to applications published by other companies in the AAD gallery that can be used within your organization. For example, if you want to integrate Facebook and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. Your own applications will also be represented in the Enterprise Applications blade as Service Principals, which are instantiations of your applications in the tenant.

App Registration: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-add-azure-ad-app

Integrating an Enterprise application (G-Suite): https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

This is, I agree, potentially confusing to a new-to-AAD developer or administrator. Nitin's answer does a good job of summarizing this but I wanted to add an answer with documentation references.

At https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals it says:

> The application object is the global representation of your > application for use across all tenants, and the service principal is > the local representation for use in a specific tenant.

Then, at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added, it says:

> You can manage application objects in the Azure portal through the > App Registrations experience. > Application objects describe the application > to Azure AD and can be considered the definition of the application, > allowing the service to know how to issue tokens to the application > based on its settings.

and

> You can manage service principals in the Azure portal through the > Enterprise Applications experience. Service principals are what govern > an application connecting to Azure AD and can be considered the > instance of the application in your directory. For any given > application, it can have at most one application object (which is > registered in a "home" directory) and one or more service principal > objects representing instances of the application in every directory > in which it acts.

So, for third-party apps, you'll only have a service principal in Enterprise applications. For first-party apps that are internal, you'll have something in both places - one to define the app (App registrations) and one to allow the app to actually sign in to Azure AD (Enterprise applications). When you define the first-party app in the App registrations, you'll also automatically create an entry in Enterprise apps. If you look at the two entries, you'll see that the Application ID links the two together.

Shorter way to understand is... App Registration are basically the apps local to the tenant/organization in which they have been registered to generate unique application id. Enterprise apps blade shows global apps (belonging to other tenants) which can be configured and used within your tenant/organization.

The workflow is you create the App Registration (Application) in your tenant, which also creates the Enterprise Application (Service principal) in your tenant. Then when another tenant user wants to login to your app, they grant your app the permissions it requires and the Enterprise Application (Service Principal) is created in their tenant. This effectively mirrors your application in their tenant.

Additionally, within Application registration you can configure OpenId-Connect (OpenID/OAuth) based authentication. Within Enterprise Apps you can configure SAML based auth

Simple put: Application Registration create an global application object which will allow the app to delegate to user identity for resource access, whereas the Enterprise application is the application identity(a service principle) in each AD tenant