An app registration is the identity profile for an application, not the application code itself. It tells Microsoft Entra ID how the app is allowed to sign in users or request tokens. It contains values developers copy into configuration, such as client ID, tenant, redirect URI, credentials, and permissions. When sign-in breaks, consent fails, or tokens contain the wrong audience, the app registration is often where engineers look first. It is the contract between the app, Entra ID, administrators, and downstream APIs.
Microsoft Entra app registration, application registration
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-06-02T07:49:29Z
Microsoft Learn
An app registration is the Microsoft Entra record that gives an application a client ID and defines identity-platform settings such as supported account types, redirect URIs, credentials, exposed APIs, and permissions. Microsoft Learn treats registration as the starting point for apps that request tokens.
App registrations live in Microsoft Entra ID and create an application object in a tenant. A related service principal represents that application in a tenant where it is used. The registration controls redirect URIs, supported account types, application ID URI, app roles, API permissions, optional claims, credentials, and federated identity credentials. Azure services, custom APIs, web apps, daemons, and single-page apps depend on these settings for OAuth 2.0 and OpenID Connect flows. It belongs to identity architecture, release governance, and application configuration management.
Why it matters
An app registration matters because a small identity setting can take down an entire application without changing application code. A missing redirect URI breaks sign-in. An expired secret breaks background jobs. An overbroad API permission creates audit risk. A wrong supported-account setting can expose an app to tenants it should never serve. A lost owner can delay urgent incident response. In mature Azure environments, app registrations are treated as production assets with owners, credential rotation, permission review, and deployment evidence. They also connect developers and identity administrators: one side needs working authentication, while the other must prevent accidental privilege, consent sprawl, and unmanaged secrets.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
In Microsoft Entra admin center app registrations, you see client ID, tenant relationship, redirect URIs, certificates, secrets, exposed APIs, app roles, and permissions during reviews.
Signal 02
In application settings, pipelines, and Key Vault references, the app registration appears as client ID, tenant ID, authority, secret name, certificate thumbprint, or federated credential.
Signal 03
In sign-in logs and token errors, it appears through invalid_client, invalid_redirect_uri, consent-required messages, wrong audience values, expired credentials, and missing service principals.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Register a web application so Microsoft Entra ID can issue tokens only to approved redirect URIs.
Expose a custom API with scopes or app roles that separate user consent from application permissions.
Replace long-lived client secrets with certificates or federated credentials for pipelines and workload automation.
Audit production applications for stale owners, expiring credentials, unused permissions, and risky multi-tenant settings.
Separate dev, test, and production identity contracts so one environment change cannot break another environment’s sign-in.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Case study 01
University portal sign-in stabilized before enrollment
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A public university rebuilt its student portal and reused an old app registration. During testing, mobile sign-in failed because redirect URIs and supported account settings no longer matched the new architecture.
🎯Business/Technical Objectives
Keep enrollment sign-in availability above 99.9%.
Remove unused redirect URIs before launch.
Document ownership for emergency identity changes.
Reduce help desk tickets from failed mobile authentication.
✅Solution Using App registration
The identity team created separate app registrations for production and nonproduction, then exported the old manifest for comparison. They configured only the approved web and mobile redirect URIs, assigned an owner group, and replaced a shared secret with certificate credentials stored through a controlled process. Azure CLI captured client ID, object ID, credential metadata, and redirect URI output for the launch packet. Developers updated configuration references in App Service and mobile build variables, while testers validated sign-in from browser, iOS, and Android flows. Sign-in logs were monitored for invalid redirect and consent errors during the first enrollment week.
📈Results & Business Impact
Mobile invalid_redirect_uri failures fell from 18% in testing to under 0.3% after launch.
The help desk received 41% fewer authentication tickets than the prior enrollment period.
Credential rotation was scheduled 90 days before expiration instead of during a freeze.
Emergency ownership was resolved in minutes because an owner group replaced individual owners.
💡Key Takeaway for Glossary Readers
An app registration turns sign-in assumptions into enforceable configuration, so ownership and redirect hygiene matter before users arrive.
Case study 02
Factory API permissions reduced for supplier onboarding
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A manufacturing firm exposed a production scheduling API to suppliers. The first app registration requested broad directory permissions that security refused during the onboarding review.
🎯Business/Technical Objectives
Limit supplier apps to one scheduling API scope.
Separate supplier consent from internal administrator permissions.
Finish onboarding without delaying plant maintenance windows.
Create repeatable evidence for future suppliers.
✅Solution Using App registration
Architects split the identity design into a resource app registration for the scheduling API and separate client registrations for supplier applications. The API exposed one narrowly named scope and one app role for machine-to-machine integration. Azure CLI exported requiredResourceAccess, app roles, and service principal identifiers so security reviewers could compare the final design with the rejected version. The team removed broad Graph permissions, documented consent steps, and added an owner group shared by manufacturing IT and the API team. Supplier test tenants validated token audience and scope claims before production firewall and API Management rules were opened.
📈Results & Business Impact
Security approval time dropped from eight business days to two for the second supplier.
No broad directory permissions remained on the supplier client registrations.
Token claim validation caught one wrong audience value before production cutover.
The onboarding checklist became reusable for 14 planned supplier integrations.
💡Key Takeaway for Glossary Readers
App registrations are where API trust gets narrowed; good scope design prevents one integration from becoming a tenant-wide permission problem.
Case study 03
Nonprofit automation moved away from shared secrets
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A disaster-relief nonprofit ran donation reconciliation through scheduled jobs using client secrets stored in pipeline variables. One expired secret stopped financial reporting during a major storm response.
🎯Business/Technical Objectives
Eliminate untracked client secrets in deployment pipelines.
Restore donation reconciliation within four hours.
Preserve least privilege for finance automation.
Create monitoring before the next emergency campaign.
✅Solution Using App registration
The cloud team reviewed the app registration, service principal, and pipeline identity. They removed the expired secret, added a federated credential for the deployment workflow, and limited the app to the finance API permissions it actually used. Azure CLI listed credentials, owners, and permissions for the incident report, then exported a baseline manifest. Key application settings were moved from ad hoc variables into a documented configuration process. Finance and operations teams received a small runbook explaining the client ID, tenant ID, owner group, and where token failures appear in logs.
📈Results & Business Impact
Donation reconciliation was restored in 2.6 hours without creating another long-lived secret.
Secret-related pipeline failures dropped to zero over the next two campaign cycles.
The permission review removed three unused delegated permissions.
Incident evidence collection time fell from half a day to 35 minutes.
💡Key Takeaway for Glossary Readers
Modern app registration operations favor owned identities, monitored credentials, and auditable automation over secrets hidden in forgotten variables.
Why use Azure CLI for this?
With ten years of Azure engineering experience, I use Azure CLI for app registrations because identity drift is hard to see from portal clicks alone. CLI can list registrations, show client IDs, export redirect URIs, inspect permissions, check credentials, and capture evidence before a release. That repeatability is essential when production, staging, and development apps should differ only in approved ways. CLI is also safer for audit work because reviewers can save exact JSON output instead of screenshots. For changes, I still use review and change control, but CLI makes bulk owner checks, expiring secret reports, permission comparisons, and federated credential validation practical across hundreds of apps.
CLI use cases
List app registrations with owners and credential expiration dates for an access review.
Show one registration manifest before changing redirect URIs, app roles, scopes, or API permissions.
Compare requiredResourceAccess across environments to catch permission drift before release.
Create or inspect federated credentials used by GitHub Actions, AKS workload identity, or deployment automation.
Before you run CLI
Confirm tenant context first; app registrations are tenant objects and the same display name can exist multiple times.
Use least-privilege directory roles because create, credential, and permission changes can alter application access immediately.
Decide whether output may contain secret metadata or identifiers that should be stored in a restricted evidence location.
What output tells you
appId is the client ID used by code, while id is the application object ID used for many directory operations.
web, spa, and publicClient sections reveal redirect URI settings that decide whether specific sign-in flows can complete.
requiredResourceAccess, appRoles, oauth2PermissionScopes, and keyCredentials reveal permission shape and credential posture.
Mapped Azure CLI commands
Microsoft Entra app registration operations
direct
az ad app list --display-name <app-name> --output table
az ad appdiscoverIdentity
az ad app show --id <app-id>
az ad appdiscoverIdentity
az ad app credential list --id <app-id>
az ad app credentialdiscoverIdentity
az ad app permission list --id <app-id>
az ad app permissiondiscoverIdentity
az ad app federated-credential list --id <app-id>
az ad app federated-credentialdiscoverIdentity
Architecture context
Architecturally, an app registration is the identity-plane anchor for an application. It sits outside compute, storage, and network resources, yet every token-based call may depend on it. Web apps need redirect URIs and supported account types. APIs need scopes, app roles, and an application ID URI. Daemons need credentials or workload federation. Multi-tenant software needs explicit consent and publisher discipline. I separate app registration ownership from runtime hosting ownership, document which service principal corresponds to production, and avoid sharing one registration across unrelated workloads. That prevents confusing blast radius when a secret rotates, a permission changes, or one team changes a redirect URI for another team’s production path.
Security
Security impact is direct because an app registration defines who can request tokens, where users are redirected, what credentials exist, and which APIs the app can call. Overbroad delegated or application permissions can expose mail, files, directory data, or custom APIs. Weak client secrets, stale owners, wildcard-like redirect practices, and unreviewed multi-tenant settings increase attack surface. Use least privilege, certificate or federated credentials where appropriate, credential expiration monitoring, admin consent workflows, and separate registrations for environments. Treat client secrets as secrets, not configuration trivia. Review exposed scopes, app roles, reply URLs, and service principal assignments before every production identity change.
Cost
An app registration usually has no direct meter by itself, but it strongly affects operational cost. Unmanaged registrations create support tickets, outage bridges, security reviews, and emergency secret rotations. Sharing one registration across many applications can reduce setup effort but increases coordination cost and blast radius. Overbroad permissions can trigger audit remediation, while missing owners slow incident response. Premium Entra features, governance workflows, identity protection, and external identity scenarios may add licensing considerations around the users and controls involved. FinOps impact is mostly labor and risk: a clean registration inventory reduces wasted engineering hours and prevents expensive identity incidents during critical business windows.
Reliability
Reliability impact is high because authentication failure often looks like an application outage. Expired credentials stop background workers. Removed redirect URIs break user sign-in. Consent changes can block token acquisition for entire customer groups. Misaligned client IDs between slots, environments, or pipeline variables create confusing intermittent failures. Reliable teams document owners, rotate credentials before deadlines, test sign-in flows after changes, and keep separate registrations for production and nonproduction. They also monitor failed sign-ins and token errors, keep rollback manifests, and avoid last-minute portal edits. For critical applications, identity changes should have the same release discipline as code and database changes.
Performance
Runtime performance is indirect, but user-perceived speed can suffer when app registration settings cause authentication retries, consent loops, redirect mismatches, or token cache misses. An app with the wrong authority, redirect URI, or client ID may repeatedly send users through failed sign-in flows before the application ever handles a request. Background jobs can back off or fail when credentials expire. Large identity estates also affect operational performance: without CLI inventory, reviewing owners and credentials across hundreds of registrations is slow and error-prone. Good registration hygiene makes token acquisition predictable, shortens incident triage, and keeps deployment pipelines from waiting on manual identity investigation.
Operations
Operators manage app registrations through ownership reviews, credential rotation, permission audits, manifest exports, redirect URI validation, and incident troubleshooting. Common jobs include finding apps with expiring secrets, listing registrations without owners, comparing required API permissions across environments, confirming service principal existence, and checking federated credentials for GitHub Actions or workload identity. During incidents, operators inspect token audience, issuer, redirect URI, consent state, and credential validity before blaming hosting. Good runbooks include the production client ID, tenant ID, service principal object ID, owner group, change history, rollback manifest, and emergency contact for consent or credential changes. Changes should always reference a ticket, application owner, tested rollback path, and affected environment.
Common mistakes
Confusing the application object ID, client ID, and service principal object ID during scripts or access reviews.
Adding production redirect URIs manually in the portal without recording the change in IaC or release notes.
Leaving expired secrets, abandoned owners, or broad application permissions because nobody owns the registration lifecycle.
Using one app registration for unrelated workloads and creating a shared blast radius for credential rotation.