App registration is not just a technical task. It is a design decision that impacts security, access control, and governance.
Benefits of Registering an App
Registering an app allows it to integrate with the Microsoft identity platform and provides several advantages.
Branding customization ensures users see a familiar and trusted sign-in experience.
Tenant scoping allows you to control who can access the application.
Permission definition ensures that applications only request the access they genuinely need.
Credential management enables secure authentication for backend services.
Single-Tenant vs Multitenant Applications
Choosing between single-tenant and multitenant is one of the most important decisions during app registration.
A single-tenant app is accessible only within the tenant where it is registered. This is typical for internal business applications.
A multitenant app allows users from other tenants to sign in. This is common for SaaS applications intended for multiple organizations.
In multitenant scenarios, a service principal is created in each tenant where the app is used. This service principal is created during the first sign-in or admin consent in that tenant.
Audience Configuration
You configure tenant access by selecting the supported account types.
| Audience | Tenant Type | Who Can Sign In |
|---|---|---|
| Accounts in this directory only | Single-tenant | All users and guests in your tenant can access the app. |
| Accounts in any Microsoft Entra directory | Multitenant | Users from any work or school tenant can access the app. |
| Accounts in any Microsoft Entra directory and personal Microsoft accounts | Multitenant | Users with work, school, or personal Microsoft accounts can access the app. |
This setting is commonly tested in exams and must be chosen intentionally.
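An added example, not part of the original page: a small audit that reads an export of app registrations and reports every app whose audience is wider than single-tenant without being on an approved list. It assumes the export has the shape of a Microsoft Graph `GET /v1.0/applications` response, where the audience is stored in the `signInAudience` property; the sample data and the `APPROVED_MULTITENANT` allowlist are constructed for illustration.

```python
import json

# signInAudience values of the Microsoft Graph application resource, mapped to
# the portal label and tenant type from the audience table.
AUDIENCES = {
    "AzureADMyOrg": ("Accounts in this directory only", "Single-tenant"),
    "AzureADMultipleOrgs": ("Accounts in any Microsoft Entra directory", "Multitenant"),
    "AzureADandPersonalMicrosoftAccount": (
        "Accounts in any Microsoft Entra directory and personal Microsoft accounts",
        "Multitenant"),
}

# Constructed sample shaped like a GET /v1.0/applications response (not real data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "hr-portal",
     "signInAudience": "AzureADMyOrg"},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "partner-saas",
     "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "internal-reports",
     "signInAudience": "AzureADMultipleOrgs"},
    {"appId": "00000000-0000-0000-0000-000000000004", "displayName": "legacy-tool",
     "signInAudience": "AzureADandPersonalMicrosoftAccount"},
    {"appId": "00000000-0000-0000-0000-000000000005", "displayName": "no-audience"},
]})

# Hypothetical allowlist: apps the organization has decided should be multitenant.
APPROVED_MULTITENANT = {"00000000-0000-0000-0000-000000000002"}


def audit_audiences(export_json, approved=frozenset()):
    """Return one finding per app whose audience is wider than intended or unrecognized."""
    findings = []
    for app in json.loads(export_json).get("value", []):
        audience = app.get("signInAudience")
        label, tenant_type = AUDIENCES.get(audience, ("not in the table", "Unknown"))
        if tenant_type == "Single-tenant":
            continue  # reachable only from the home tenant
        if tenant_type == "Multitenant" and app.get("appId") in approved:
            continue  # multitenant by documented decision
        findings.append({"appId": app.get("appId"), "name": app.get("displayName"),
                         "signInAudience": audience, "tenant_type": tenant_type,
                         "portal_label": label})
    return findings


if __name__ == "__main__":
    for f in audit_audiences(SAMPLE_EXPORT, APPROVED_MULTITENANT):
        print(f"{f['tenant_type']:<12} {f['name']:<18} {f['signInAudience']} ({f['portal_label']})")
```

Apps with a missing or unmapped `signInAudience` are reported as `Unknown` rather than skipped, so they get a manual review.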
What Happens When an App Is Registered
After registration, the app receives a unique application (client) ID. Confidential clients also receive credentials such as secrets or certificates.
Important: As of August 2024, newly registered apps receive v2 access tokens by default. This affects token format and available claims and is relevant for troubleshooting token behavior.
Application Objects and Service Principals
Microsoft Entra ID represents apps using two object types.
Application objects define the application globally.
Service principals represent the app’s local instance in a tenant.
The identity platform uses these objects to issue tokens, enforce consent, and apply policies.
Consent allows users or administrators to grant applications permission to access resources under defined scopes.