After registration, the application object is created in the home tenant (the tenant where the app was registered) and assigned a globally unique application ID, also called the client ID. This object is the blueprint from which the application's identities in each tenant are derived.
Application Object
The application object defines how the application behaves across all tenants that use it.
It specifies authentication settings, the permissions the app requests from other APIs, the API scopes it exposes, and the app roles it defines. Its main properties are:
Application name, logo, and publisher.
Redirect URIs.
Authentication credentials such as certificates and secrets.
Exposed API scopes and the permissions requested from other APIs (dependencies).
App roles.
SSO configuration.
Provisioning and proxy settings.
The application object is comparable to a class in object-oriented programming: it is defined once, and each tenant that uses the app gets its own instance of it (the service principal described next).
Service Principal Object
A service principal is the security identity of the application in a specific tenant. Role assignments, consent and policy attach to this object, not to the application object, so it defines what the application can do within that tenant.
There are three kinds of service principal:
Application service principals, created in the home tenant when the app is registered (the portal does this automatically) and in any other tenant when a user or administrator consents to the app.
Managed identities, which Entra ID creates and manages for Azure resources so that no credential has to be stored or rotated; they are the recommended identity for Azure workloads.
Legacy service principals, created before app registrations existed; they have no associated application object and should be migrated to a registered application when possible.
Tenant-specific state that lives on the service principal:
Role assignments.
Granted permissions (consent).
Conditional Access policies (for workload identities).
Other tenant-specific settings, such as whether users can sign in and who is assigned to the app.
Relationship Between Application Objects and Service Principals
One application object, the global definition, which exists only in the home tenant.
One service principal in every tenant where the application is used, including the home tenant.
A single-tenant app therefore has exactly one service principal, in its home tenant. A multitenant app has one in its home tenant plus one in each tenant whose users or administrators have consented to it.
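The distinction above is visible in what Microsoft Graph returns for a single tenant: GET /applications lists only the application objects registered there, while GET /servicePrincipals lists every identity the tenant holds, including ones whose application object lives in some other publisher's tenant. The script below is an added example, not part of the original notes: it runs over constructed, Graph-shaped records (the tenant IDs, app IDs and display names are made up) and buckets each service principal by its type and by whether its application object is present locally. The field names it reads (appId, id, displayName, servicePrincipalType, appOwnerOrganizationId, signInAudience) are the ones Graph returns for these objects; the bucket names are this example's own.

```python
"""Audit one tenant's service principals against its application objects.

Added example (not from the original notes). Runs over constructed records shaped
like Microsoft Graph /applications and /servicePrincipals responses; no live tenant
is contacted. All IDs and names below are made up.
"""
from collections import defaultdict

# Constructed: the tenant being audited (its own tenant ID).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample of GET /applications in HOME_TENANT (application objects).
APPLICATIONS = [
    {"id": "obj-0001", "appId": "aaaa0001", "displayName": "Payroll API",
     "signInAudience": "AzureADMyOrg"},          # single-tenant
    {"id": "obj-0002", "appId": "aaaa0002", "displayName": "Partner Portal",
     "signInAudience": "AzureADMultipleOrgs"},   # multitenant, registered here
]

# Constructed sample of GET /servicePrincipals in HOME_TENANT.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "aaaa0001", "displayName": "Payroll API",
     "servicePrincipalType": "Application", "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-2", "appId": "aaaa0002", "displayName": "Partner Portal",
     "servicePrincipalType": "Application", "appOwnerOrganizationId": HOME_TENANT},
    # A third-party multitenant app someone consented to: only the service
    # principal is in this tenant; the application object is in the publisher's.
    {"id": "sp-3", "appId": "bbbb0001", "displayName": "SaaS Ticketing",
     "servicePrincipalType": "Application",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    # Owned by this tenant, but no application object with this appId remains.
    {"id": "sp-4", "appId": "aaaa0009", "displayName": "Old Reporting Job",
     "servicePrincipalType": "Application", "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-5", "appId": "cccc0001", "displayName": "vm-web-01",
     "servicePrincipalType": "ManagedIdentity", "appOwnerOrganizationId": HOME_TENANT},
    {"id": "sp-6", "appId": "dddd0001", "displayName": "legacy-batch",
     "servicePrincipalType": "Legacy", "appOwnerOrganizationId": HOME_TENANT},
]


def classify_service_principals(home_tenant, applications, service_principals):
    """Bucket service principals by type and by where their application object lives.

    Returns a dict of bucket name -> list of service principal object IDs.
    """
    app_ids_here = {a["appId"] for a in applications}
    buckets = defaultdict(list)
    for sp in service_principals:
        sp_type = sp.get("servicePrincipalType")
        owner = sp.get("appOwnerOrganizationId")
        if sp_type == "ManagedIdentity":
            buckets["managed_identity"].append(sp["id"])
        elif sp_type == "Legacy":
            # No application object exists for these; candidates for migration.
            buckets["legacy_migrate"].append(sp["id"])
        elif owner is not None and owner != home_tenant:
            # Consented multitenant app published from another tenant.
            buckets["external_multitenant"].append(sp["id"])
        elif sp["appId"] in app_ids_here:
            buckets["home_registered"].append(sp["id"])
        else:
            # Owned here but the application object is gone: worth reviewing.
            buckets["home_owned_app_missing"].append(sp["id"])
    return dict(buckets)


def applications_without_service_principal(applications, service_principals):
    """Application objects registered here that have no service principal in this tenant.

    Portal registration normally creates the home-tenant service principal, so an
    empty result is the expected state; anything listed cannot be granted roles or
    consent in this tenant until its service principal is created.
    """
    sp_app_ids = {sp["appId"] for sp in service_principals}
    return [a["appId"] for a in applications if a["appId"] not in sp_app_ids]


if __name__ == "__main__":
    for bucket, ids in classify_service_principals(
            HOME_TENANT, APPLICATIONS, SERVICE_PRINCIPALS).items():
        print(f"{bucket}: {ids}")
    print("apps without SP:", applications_without_service_principal(
        APPLICATIONS, SERVICE_PRINCIPALS))
```

The external_multitenant bucket is the one to read alongside the deletion rules: those service principals will outlive their publisher's application object, and only this tenant's administrators can remove them.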
Management and Deletion Behavior
Changes to the application object (for example, newly requested permissions or new credentials) are reflected only in the home tenant's service principal. Service principals in other tenants keep the state they had when consent was granted, and are not updated until the app's access is removed and granted again in that tenant.
Deleting the application object also deletes the service principal in the home tenant, but service principals in other tenants are not deleted: they remain as directory objects with their role assignments and granted permissions until an administrator of that tenant removes them. A deleted application object is soft-deleted and can be restored for 30 days, but restoring it does not restore the home tenant service principal, which has to be recreated.
Both behaviors are frequently misunderstood and are exam-relevant.