az ad app list --display-name <app-name> --output tableApp registration
An app registration is the identity profile for an application, not the application code itself. It tells Microsoft Entra ID how the app is allowed to sign in users or request tokens. It contains values developers copy into configuration, such as client ID, tenant, redirect URI, credentials, and permissions. When sign-in breaks, consent fails, or tokens contain the wrong audience, the app registration is often where engineers look first. It is the contract between the app, Entra ID, administrators, and downstream APIs.
Source: Microsoft Learn - Register an application in Microsoft Entra ID Reviewed 2026-06-02T07:49:29Z
- Exam trap
- Confusing the application object ID, client ID, and service principal object ID during scripts or access reviews.
- Production check
- Verify the production client ID in code or Key Vault matches the intended app registration before release.
Article details and learning context
- Aliases
- Microsoft Entra app registration, application registration
- Difficulty
- fundamentals
- CLI mappings
- 5
- Last verified
- 2026-06-02T07:49:29Z
- Review level
- template-spec-upgraded
- Article depth
- field-manual-template-specs
Understand the concept
Why it matters
An app registration matters because a small identity setting can take down an entire application without changing application code. A missing redirect URI breaks sign-in. An expired secret breaks background jobs. An overbroad API permission creates audit risk. A wrong supported-account setting can expose an app to tenants it should never serve. A lost owner can delay urgent incident response. In mature Azure environments, app registrations are treated as production assets with owners, credential rotation, permission review, and deployment evidence. They also connect developers and identity administrators: one side needs working authentication, while the other must prevent accidental privilege, consent sprawl, and unmanaged secrets.
Official wording and source
An app registration is the Microsoft Entra record that gives an application a client ID and defines identity-platform settings such as supported account types, redirect URIs, credentials, exposed APIs, and permissions. Microsoft Learn treats registration as the starting point for apps that request tokens.
Technical context
App registrations live in Microsoft Entra ID and create an application object in a tenant. A related service principal represents that application in a tenant where it is used. The registration controls redirect URIs, supported account types, application ID URI, app roles, API permissions, optional claims, credentials, and federated identity credentials. Azure services, custom APIs, web apps, daemons, and single-page apps depend on these settings for OAuth 2.0 and OpenID Connect flows. It belongs to identity architecture, release governance, and application configuration management.
Exam context
Compare with
Where it is used
Where you see it
- In Microsoft Entra admin center app registrations, you see client ID, tenant relationship, redirect URIs, certificates, secrets, exposed APIs, app roles, and permissions during reviews.
- In application settings, pipelines, and Key Vault references, the app registration appears as client ID, tenant ID, authority, secret name, certificate thumbprint, or federated credential.
- In sign-in logs and token errors, it appears through invalid_client, invalid_redirect_uri, consent-required messages, wrong audience values, expired credentials, and missing service principals.
Common situations
- Register a web application so Microsoft Entra ID can issue tokens only to approved redirect URIs.
- Expose a custom API with scopes or app roles that separate user consent from application permissions.
- Replace long-lived client secrets with certificates or federated credentials for pipelines and workload automation.
- Audit production applications for stale owners, expiring credentials, unused permissions, and risky multi-tenant settings.
- Separate dev, test, and production identity contracts so one environment change cannot break another environment’s sign-in.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 University portal sign-in stabilized before enrollment Scenario, objectives, solution, measured impact, and takeaway.
A public university rebuilt its student portal and reused an old app registration. During testing, mobile sign-in failed because redirect URIs and supported account settings no longer matched the new architecture.
- Keep enrollment sign-in availability above 99.9%.
- Remove unused redirect URIs before launch.
- Document ownership for emergency identity changes.
- Reduce help desk tickets from failed mobile authentication.
The identity team created separate app registrations for production and nonproduction, then exported the old manifest for comparison. They configured only the approved web and mobile redirect URIs, assigned an owner group, and replaced a shared secret with certificate credentials stored through a controlled process. Azure CLI captured client ID, object ID, credential metadata, and redirect URI output for the launch packet. Developers updated configuration references in App Service and mobile build variables, while testers validated sign-in from browser, iOS, and Android flows. Sign-in logs were monitored for invalid redirect and consent errors during the first enrollment week.
- Mobile invalid_redirect_uri failures fell from 18% in testing to under 0.3% after launch.
- The help desk received 41% fewer authentication tickets than the prior enrollment period.
- Credential rotation was scheduled 90 days before expiration instead of during a freeze.
- Emergency ownership was resolved in minutes because an owner group replaced individual owners.
An app registration turns sign-in assumptions into enforceable configuration, so ownership and redirect hygiene matter before users arrive.
Scenario 02 Factory API permissions reduced for supplier onboarding Scenario, objectives, solution, measured impact, and takeaway.
A manufacturing firm exposed a production scheduling API to suppliers. The first app registration requested broad directory permissions that security refused during the onboarding review.
- Limit supplier apps to one scheduling API scope.
- Separate supplier consent from internal administrator permissions.
- Finish onboarding without delaying plant maintenance windows.
- Create repeatable evidence for future suppliers.
Architects split the identity design into a resource app registration for the scheduling API and separate client registrations for supplier applications. The API exposed one narrowly named scope and one app role for machine-to-machine integration. Azure CLI exported requiredResourceAccess, app roles, and service principal identifiers so security reviewers could compare the final design with the rejected version. The team removed broad Graph permissions, documented consent steps, and added an owner group shared by manufacturing IT and the API team. Supplier test tenants validated token audience and scope claims before production firewall and API Management rules were opened.
- Security approval time dropped from eight business days to two for the second supplier.
- No broad directory permissions remained on the supplier client registrations.
- Token claim validation caught one wrong audience value before production cutover.
- The onboarding checklist became reusable for 14 planned supplier integrations.
App registrations are where API trust gets narrowed; good scope design prevents one integration from becoming a tenant-wide permission problem.
Scenario 03 Nonprofit automation moved away from shared secrets Scenario, objectives, solution, measured impact, and takeaway.
A disaster-relief nonprofit ran donation reconciliation through scheduled jobs using client secrets stored in pipeline variables. One expired secret stopped financial reporting during a major storm response.
- Eliminate untracked client secrets in deployment pipelines.
- Restore donation reconciliation within four hours.
- Preserve least privilege for finance automation.
- Create monitoring before the next emergency campaign.
The cloud team reviewed the app registration, service principal, and pipeline identity. They removed the expired secret, added a federated credential for the deployment workflow, and limited the app to the finance API permissions it actually used. Azure CLI listed credentials, owners, and permissions for the incident report, then exported a baseline manifest. Key application settings were moved from ad hoc variables into a documented configuration process. Finance and operations teams received a small runbook explaining the client ID, tenant ID, owner group, and where token failures appear in logs.
- Donation reconciliation was restored in 2.6 hours without creating another long-lived secret.
- Secret-related pipeline failures dropped to zero over the next two campaign cycles.
- The permission review removed three unused delegated permissions.
- Incident evidence collection time fell from half a day to 35 minutes.
Modern app registration operations favor owned identities, monitored credentials, and auditable automation over secrets hidden in forgotten variables.
Azure CLI
With ten years of Azure engineering experience, I use Azure CLI for app registrations because identity drift is hard to see from portal clicks alone. CLI can list registrations, show client IDs, export redirect URIs, inspect permissions, check credentials, and capture evidence before a release. That repeatability is essential when production, staging, and development apps should differ only in approved ways. CLI is also safer for audit work because reviewers can save exact JSON output instead of screenshots. For changes, I still use review and change control, but CLI makes bulk owner checks, expiring secret reports, permission comparisons, and federated credential validation practical across hundreds of apps.
Useful for
- List app registrations with owners and credential expiration dates for an access review.
- Show one registration manifest before changing redirect URIs, app roles, scopes, or API permissions.
- Compare requiredResourceAccess across environments to catch permission drift before release.
- Create or inspect federated credentials used by GitHub Actions, AKS workload identity, or deployment automation.
Before you run a command
- Confirm tenant context first; app registrations are tenant objects and the same display name can exist multiple times.
- Use least-privilege directory roles because create, credential, and permission changes can alter application access immediately.
- Decide whether output may contain secret metadata or identifiers that should be stored in a restricted evidence location.
What the output tells you
- appId is the client ID used by code, while id is the application object ID used for many directory operations.
- web, spa, and publicClient sections reveal redirect URI settings that decide whether specific sign-in flows can complete.
- requiredResourceAccess, appRoles, oauth2PermissionScopes, and keyCredentials reveal permission shape and credential posture.
Mapped commands
Microsoft Entra app registration operations
directaz ad app show --id <app-id>az ad app credential list --id <app-id>az ad app permission list --id <app-id>az ad app federated-credential list --id <app-id>Architecture context
Architecturally, an app registration is the identity-plane anchor for an application. It sits outside compute, storage, and network resources, yet every token-based call may depend on it. Web apps need redirect URIs and supported account types. APIs need scopes, app roles, and an application ID URI. Daemons need credentials or workload federation. Multi-tenant software needs explicit consent and publisher discipline. I separate app registration ownership from runtime hosting ownership, document which service principal corresponds to production, and avoid sharing one registration across unrelated workloads. That prevents confusing blast radius when a secret rotates, a permission changes, or one team changes a redirect URI for another team’s production path.
- Security
- Security impact is direct because an app registration defines who can request tokens, where users are redirected, what credentials exist, and which APIs the app can call. Overbroad delegated or application permissions can expose mail, files, directory data, or custom APIs. Weak client secrets, stale owners, wildcard-like redirect practices, and unreviewed multi-tenant settings increase attack surface. Use least privilege, certificate or federated credentials where appropriate, credential expiration monitoring, admin consent workflows, and separate registrations for environments. Treat client secrets as secrets, not configuration trivia. Review exposed scopes, app roles, reply URLs, and service principal assignments before every production identity change.
- Cost
- An app registration usually has no direct meter by itself, but it strongly affects operational cost. Unmanaged registrations create support tickets, outage bridges, security reviews, and emergency secret rotations. Sharing one registration across many applications can reduce setup effort but increases coordination cost and blast radius. Overbroad permissions can trigger audit remediation, while missing owners slow incident response. Premium Entra features, governance workflows, identity protection, and external identity scenarios may add licensing considerations around the users and controls involved. FinOps impact is mostly labor and risk: a clean registration inventory reduces wasted engineering hours and prevents expensive identity incidents during critical business windows.
- Reliability
- Reliability impact is high because authentication failure often looks like an application outage. Expired credentials stop background workers. Removed redirect URIs break user sign-in. Consent changes can block token acquisition for entire customer groups. Misaligned client IDs between slots, environments, or pipeline variables create confusing intermittent failures. Reliable teams document owners, rotate credentials before deadlines, test sign-in flows after changes, and keep separate registrations for production and nonproduction. They also monitor failed sign-ins and token errors, keep rollback manifests, and avoid last-minute portal edits. For critical applications, identity changes should have the same release discipline as code and database changes.
- Performance
- Runtime performance is indirect, but user-perceived speed can suffer when app registration settings cause authentication retries, consent loops, redirect mismatches, or token cache misses. An app with the wrong authority, redirect URI, or client ID may repeatedly send users through failed sign-in flows before the application ever handles a request. Background jobs can back off or fail when credentials expire. Large identity estates also affect operational performance: without CLI inventory, reviewing owners and credentials across hundreds of registrations is slow and error-prone. Good registration hygiene makes token acquisition predictable, shortens incident triage, and keeps deployment pipelines from waiting on manual identity investigation.
- Operations
- Operators manage app registrations through ownership reviews, credential rotation, permission audits, manifest exports, redirect URI validation, and incident troubleshooting. Common jobs include finding apps with expiring secrets, listing registrations without owners, comparing required API permissions across environments, confirming service principal existence, and checking federated credentials for GitHub Actions or workload identity. During incidents, operators inspect token audience, issuer, redirect URI, consent state, and credential validity before blaming hosting. Good runbooks include the production client ID, tenant ID, service principal object ID, owner group, change history, rollback manifest, and emergency contact for consent or credential changes. Changes should always reference a ticket, application owner, tested rollback path, and affected environment.
Common mistakes
- Confusing the application object ID, client ID, and service principal object ID during scripts or access reviews.
- Adding production redirect URIs manually in the portal without recording the change in IaC or release notes.
- Leaving expired secrets, abandoned owners, or broad application permissions because nobody owns the registration lifecycle.
- Using one app registration for unrelated workloads and creating a shared blast radius for credential rotation.