Entra ID Applications

Entra ID is an identity and access management service that manages access to resources by applications. Each application registered with Entra ID consists of the definition of the application and one or more instances of the application.

Application Objects

An application object is the definition of an application in Entra ID and is called an Application Registration in the Entra ID portal. An application object may include the following key items:

  • permissions requested for instances of the application

  • secrets required to act as the application or service

Service Principals

A service principal is the instance of an application in Entra ID and is called an Enterprise Application in the Entra ID portal. A service principal may include the following key items:

  • permissions granted to the instance of the application or service

  • users and groups assigned to the instances of the application or service

  • configuration for single sign-on to the instance of the application or service

  • configuration for user provisioning in an associated SaaS application or service

Single-tenant vs Multi-tenant

The application can be defined as single-tenant or multi-tenant. A single-tenant application will have a single service principal in the Entra ID tenant where the application was defined. A multi-tenant application may have service principals in any Entra ID tenant where the application has been registered. Applications defined in the utexas tenant are configured as single-tenant applications by default.

Delegated Permissions vs. Application Permissions

The permissions for an application are either delegated permissions or application permissions. A delegated permission allows an application to perform an action on behalf of the user and can be utilized by the application only when the user is signed in to the application. Granting consent for delegated permissions can be approved by users when enabled via app consent policy. An application permission allows an application to perform an action as itself and can be utilized by the application without any user signed in. Granting consent for application permissions always requires approval by a tenant administrator.
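The distinction between the application object (what is requested) and the service principal (what is granted), together with the tenancy and permission-type rules above, is easiest to see on the objects themselves. The following is an added example, not code from this page or from the university's integration process: the dictionaries are constructed to mirror the shape of the Microsoft Graph `application`, `servicePrincipal`, `oauth2PermissionGrant` and `appRoleAssignment` resources, with every GUID a made-up placeholder. It resolves requested permissions from the registration's `requiredResourceAccess` (type `Scope` = delegated, `Role` = application), resolves granted permissions from the service principal's grants and role assignments, records who consented, and lists the application permissions that can be used with no user signed in, which is the set a reviewer wants to see first.

```python
"""Inspect an Entra ID application object and its service principal.

Constructed sample objects shaped like Microsoft Graph resources; all GUIDs
below are placeholders and the resource API is hypothetical.
"""
from dataclasses import dataclass

# The resource being called (e.g. an API). Its service principal publishes the
# delegated scopes (oauth2PermissionScopes) and application roles (appRoles).
RESOURCE_SP = {
    "id": "aaaaaaaa-0000-0000-0000-0000000000a1",      # service principal object id
    "appId": "aaaaaaaa-0000-0000-0000-0000000000a0",   # application (client) id
    "displayName": "Example Resource API",
    "oauth2PermissionScopes": [  # delegated permissions
        {"id": "bbbbbbbb-0000-0000-0000-0000000000b1", "value": "User.Read"},
        {"id": "bbbbbbbb-0000-0000-0000-0000000000b2", "value": "Mail.Read"},
    ],
    "appRoles": [  # application permissions
        {"id": "cccccccc-0000-0000-0000-0000000000c1", "value": "User.Read.All"},
    ],
}

APPLICATION = {  # application object (App Registration): the definition
    "displayName": "EIS1-Department-Application-1",
    "appId": "dddddddd-0000-0000-0000-0000000000d1",
    "signInAudience": "AzureADMyOrg",  # single-tenant
    "requiredResourceAccess": [{
        "resourceAppId": RESOURCE_SP["appId"],  # keyed by the resource's appId
        "resourceAccess": [
            {"id": "bbbbbbbb-0000-0000-0000-0000000000b1", "type": "Scope"},  # delegated
            {"id": "cccccccc-0000-0000-0000-0000000000c1", "type": "Role"},   # application
        ],
    }],
}

SERVICE_PRINCIPAL = {  # instance of APPLICATION in this tenant (Enterprise Application)
    "id": "eeeeeeee-0000-0000-0000-0000000000e1",
    "appId": APPLICATION["appId"],
}

OAUTH2_PERMISSION_GRANTS = [  # delegated permissions granted to the instance
    {"clientId": SERVICE_PRINCIPAL["id"], "resourceId": RESOURCE_SP["id"],
     "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
    {"clientId": SERVICE_PRINCIPAL["id"], "resourceId": RESOURCE_SP["id"],
     "consentType": "Principal", "principalId": "ffffffff-0000-0000-0000-0000000000f1",
     "scope": "Mail.Read"},
]

APP_ROLE_ASSIGNMENTS = [  # application permissions granted to the instance
    {"principalId": SERVICE_PRINCIPAL["id"], "resourceId": RESOURCE_SP["id"],
     "appRoleId": "cccccccc-0000-0000-0000-0000000000c1"},
]


@dataclass(frozen=True)
class Permission:
    resource: str
    name: str
    kind: str     # "delegated" or "application"
    consent: str  # who consented, or "requested" when not yet granted


def tenancy(app):
    """signInAudience AzureADMyOrg is single-tenant; every other value is multi-tenant."""
    return "single-tenant" if app["signInAudience"] == "AzureADMyOrg" else "multi-tenant"


def requested_permissions(app, resources):
    """Permissions the application object asks for; nothing here is granted yet."""
    by_app_id = {r["appId"]: r for r in resources}
    out = []
    for req in app["requiredResourceAccess"]:
        res = by_app_id[req["resourceAppId"]]
        scopes = {s["id"]: s["value"] for s in res["oauth2PermissionScopes"]}
        roles = {r["id"]: r["value"] for r in res["appRoles"]}
        for access in req["resourceAccess"]:
            if access["type"] == "Scope":
                out.append(Permission(res["displayName"], scopes[access["id"]], "delegated", "requested"))
            elif access["type"] == "Role":
                out.append(Permission(res["displayName"], roles[access["id"]], "application", "requested"))
    return out


def granted_permissions(sp, grants, assignments, resources):
    """Permissions actually granted to the service principal, with consent source."""
    by_id = {r["id"]: r for r in resources}  # grants reference the resource SP object id
    out = []
    for g in grants:
        if g["clientId"] != sp["id"]:
            continue
        res = by_id[g["resourceId"]]
        consent = ("admin consent for all users" if g["consentType"] == "AllPrincipals"
                   else f"user consent by {g['principalId']}")
        for scope in g["scope"].split():  # scope is a space-separated list
            out.append(Permission(res["displayName"], scope, "delegated", consent))
    for a in assignments:
        if a["principalId"] != sp["id"]:
            continue
        res = by_id[a["resourceId"]]
        roles = {r["id"]: r["value"] for r in res["appRoles"]}
        out.append(Permission(res["displayName"], roles[a["appRoleId"]], "application",
                              "admin consent (always required)"))
    return out


def application_permissions(sp, grants, assignments, resources):
    """Granted permissions usable with no user signed in: the first set to review."""
    return [p for p in granted_permissions(sp, grants, assignments, resources)
            if p.kind == "application"]


def granted_but_not_requested(app, sp, grants, assignments, resources):
    """Grants on the instance that the definition never asked for (drift worth a look)."""
    requested = {(p.resource, p.name) for p in requested_permissions(app, resources)}
    return [p for p in granted_permissions(sp, grants, assignments, resources)
            if (p.resource, p.name) not in requested]


if __name__ == "__main__":
    print(APPLICATION["displayName"], "is", tenancy(APPLICATION))
    for p in granted_permissions(SERVICE_PRINCIPAL, OAUTH2_PERMISSION_GRANTS,
                                 APP_ROLE_ASSIGNMENTS, [RESOURCE_SP]):
        print(f"{p.kind:12} {p.resource}/{p.name}: {p.consent}")
```

Note that the two lookups differ deliberately: `requiredResourceAccess.resourceAppId` on the registration is the resource's `appId`, while `resourceId` on a grant or role assignment is the resource service principal's object id. In the sample, `Mail.Read` appears as a user-consented grant on the instance without ever being requested by the definition, which is exactly the kind of mismatch an owner reviewing an Enterprise Application should be able to explain.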

Creating applications

Creation of application objects and service principals has been restricted to tenant administrators to conform with university policy regarding information access by external parties.

Requesting applications

Customers that need a new application should submit an Enterprise Authentication integration request and include the following information:

  • An application name that starts with a valid department code followed by a hyphen (e.g. EIS1-Department-Application-1, EIS1-Test Application for New Service)

  • Set Microsoft Entra ID as the integration technology and App Registration as how your application integrates

References