az ad sp show --id <app-id-or-object-id>Enterprise application
Enterprise application properties in Microsoft Entra ID configure the organization-specific service principal settings for an application, including user assignment, single sign-on, provisioning, and ownership.
Source: Microsoft Learn - Properties of an enterprise application Reviewed 2026-05-14
- Exam trap
- Assuming a matching display name proves the correct resource when tenants, subscriptions, regions, and service instances can contain similar names.
- Production check
- Can you identify the exact resource ID, owner, tenant, subscription, environment, and downstream dependency without guessing?
Article details and learning context
- Aliases
- Entra enterprise application, service principal application, enterprise app
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-14
- Review level
- template-spec-upgraded
- Article depth
- field-manual-template-specs
Understand the concept
In plain English
Enterprise application is the tenant-local service principal representation of an application in Microsoft Entra ID used to manage assignment, sign-in, consent, and provisioning behavior. In plain English, it is the Azure concept teams use when they need to govern how an application is available inside a tenant, who can access it, how users sign in, and how provisioning is managed. It matters because the term connects the feature people discuss in meetings to the resource, setting, identity, or data object operators must actually check.
Why it matters
Enterprise application matters because a shallow definition leads teams to troubleshoot the wrong layer, approve weak changes, or miss dependencies that explain the real incident. It affects SaaS onboarding, single sign-on governance, user assignment, application ownership, audit evidence, and identity lifecycle control, which means architecture, security, operations, finance, and application teams all need the same vocabulary. When the term is documented well, operators know the exact scope, owner, identity, metric, log, and rollback evidence to inspect before they scale, rotate, reindex, deploy, grant access, or escalate. That shared evidence reduces incident time, improves audits, and makes production change safer. This keeps architecture, security, support, and finance teams working from the same production evidence.
Technical context
Technically, Enterprise application appears in Microsoft Entra Enterprise applications, service principal records, sign-in logs, app role assignments, provisioning settings, SSO configuration, and consent records. Configuration usually centers on service principal object ID, app ID, assignment requirement, owners, SSO mode, app roles, user and group assignments, provisioning, and permissions. It depends on Microsoft Entra ID, app registrations, service principals, Conditional Access, groups, app roles, provisioning connectors, and sign-in logs, so scope matters before any command, portal change, or deployment update.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Portal blades and inventory exports where teams find Enterprise application with resource scope, state, owner tags, linked services, monitoring evidence, and recent change context.
- In ARM, Bicep, Terraform, REST, or CLI output where teams review names, IDs, dependencies, permissions, routes, alerts, policies, deployment settings, and rollback evidence before approval.
- In incident tickets, release reviews, and operational runbooks when engineers need proof that Enterprise application matches the expected production design and ownership model safely during support.
- In automation pipelines where teams read, compare, export, or change Enterprise application settings with peer review, environment targeting, recorded command output, and production release approval.
- In governance, cost, security, and reliability reviews where owners connect Enterprise application behavior to access, retention, monitoring, capacity, support responsibilities, shared platform teams, and decisions.
Common situations
- Configure user assignment and SSO for a SaaS application.
- Review owners, sign-in activity, and app role assignments for stale enterprise apps.
- Troubleshoot application access failures caused by consent, assignment, or Conditional Access.
- Audit consent, owners, certificates, app roles, and sign-in activity before leaving a SaaS or line-of-business app enabled.
- Disable or clean up stale enterprise applications that still have access paths into tenant resources.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Enterprise application in action for financial services Scenario, objectives, solution, measured impact, and takeaway.
CedarStone Bank, a financial services organization, needed to clean up hundreds of enterprise applications before an access governance audit.
- Identify stale enterprise applications
- Validate application owners
- Reduce unnecessary user assignments
- Improve audit evidence
The identity team exported enterprise application service principals, sign-in activity, owners, and assignment settings. Applications with no recent sign-ins were routed to business owners for validation. High-risk apps required owner confirmation, Conditional Access review, and app role assignment cleanup. The team compared service principals with app registrations to distinguish internal applications from vendor SaaS. Findings were recorded in the governance backlog with removal or remediation dates. The team validated Enterprise application in a lower environment, captured before-and-after evidence, and promoted the change through controlled release gates. Runbooks were updated so support engineers could find the correct scope, identity, dependency, telemetry signal, and approval record without relying on the original implementer. The final design connected governance with daily engineering work, making the change understandable to security, operations, finance, and application stakeholders.
- Seventy-two stale applications were retired
- Owner coverage rose to 96 percent
- Unneeded app assignments dropped by 31 percent
- Audit evidence linked each decision to sign-in and owner data
Enterprise applications need lifecycle ownership because every stale app can become an identity risk.
Scenario 02 Enterprise application in action for education technology Scenario, objectives, solution, measured impact, and takeaway.
BrightPath Learning, a education technology organization, wanted to onboard a new learning platform with SSO and group-based access for district staff.
- Enable secure SSO for staff
- Automate access through groups
- Avoid manual user assignment drift
- Give support clear troubleshooting evidence
Administrators configured the vendor application as an enterprise application in Microsoft Entra ID, enabled SAML SSO, required user assignment, and assigned access through district groups. Owners were added for the platform and identity teams. Sign-in logs, group membership, and provisioning status were added to the support runbook. A test group validated claims and role mappings before district-wide rollout. The team validated Enterprise application in a lower environment, captured before-and-after evidence, and promoted the change through controlled release gates. Runbooks were updated so support engineers could find the correct scope, identity, dependency, telemetry signal, and approval record without relying on the original implementer. The final design connected governance with daily engineering work, making the change understandable to security, operations, finance, and application stakeholders.
- SSO launched for twelve districts without password sharing
- Manual assignment tickets dropped significantly
- Support resolved first-week access issues using sign-in evidence
- Role mapping errors were fixed before broad release
Enterprise applications turn SaaS onboarding into a governed identity operation instead of an informal access request.
Scenario 03 Enterprise application in action for manufacturing Scenario, objectives, solution, measured impact, and takeaway.
ApexWorks Manufacturing, a manufacturing organization, needed to investigate why a production automation app could access Azure resources after its project ended.
- Find the application identity
- Review active permissions
- Remove unused access safely
- Prevent recurrence through owner reviews
Engineers traced the automation to an enterprise application service principal with Azure RBAC assignments on two resource groups. The app registration owner had left the project, so identity administrators reassigned ownership, confirmed no current workload dependency, and removed the stale role assignments. Sign-in logs and Activity Logs proved the app had not been used recently. A quarterly owner review was added for service principals with resource access. The team validated Enterprise application in a lower environment, captured before-and-after evidence, and promoted the change through controlled release gates. Runbooks were updated so support engineers could find the correct scope, identity, dependency, telemetry signal, and approval record without relying on the original implementer. The final design connected governance with daily engineering work, making the change understandable to security, operations, finance, and application stakeholders.
- Stale Contributor access was removed from production scopes
- No active workload was disrupted
- Owner review coverage improved for automation identities
- The incident became a reusable cleanup playbook
Enterprise application review connects application identity governance with real Azure permissions.
Azure CLI
CLI checks for Enterprise application turn portal assumptions into repeatable evidence. Start with read-only commands that show scope, identity, deployment, endpoint, storage, policy, status, metrics, or access relationships. Attach sanitized output to incidents and change tickets. Run mutating, security-impacting, or cost-impacting commands only after approval because the wrong tenant, subscription, resource, deployment, or policy can affect customers and downstream teams.
Useful for
- Confirm the live Azure scope and current configuration for Enterprise application before a production change.
- Collect troubleshooting evidence for incidents involving Enterprise application without relying on screenshots alone.
- Compare CLI or REST output with source-controlled intent, dashboards, graph connections, and owner runbooks.
Before you run a command
- Run az account show and confirm the tenant, subscription, resource group, and environment before collecting evidence or changing anything.
- Use read-only commands first, save sanitized JSON output, and compare live state with source control, tickets, and approved architecture notes.
- Confirm owner, data classification, private connectivity, identity, monitoring destination, cost center, and rollback path before production changes.
What the output tells you
- Whether the exact resource, deployment, identity, endpoint, cache, scope, domain, or access package exists in the expected Azure boundary.
- Which configuration values, linked dependencies, identity settings, networking controls, status fields, and timestamps explain current production behavior.
- Whether the next action is a safe read, a configuration fix, a rollout adjustment, an access review, a cost review, or escalation to service owners.
Mapped commands
Enterprise application operational checks
directaz ad sp list --display-name <application-display-name> --output tableaz ad app show --id <app-id>az role assignment list --assignee <service-principal-object-id> --all --output tableArchitecture context
Enterprise application belongs to Identity architecture where identity, monitoring, cost ownership, reliability, and support need shared evidence.
- Security
- Security for Enterprise application starts with least privilege and clear evidence about who can configure, view, operate, or misuse it. Review owner hygiene, admin consent, app role assignments, Conditional Access, assignment requirement, provisioning scope, stale service principals, and sign-in monitoring before production approval. A common mistake is assuming that a successful deployment, healthy metric, or working application proves the configuration is safe. Use managed identity where possible, protect secrets and keys, prefer private connectivity for sensitive paths, restrict logs that contain business data, and keep exceptions ticketed and time-bounded. For regulated workloads, connect the term to classification, retention, break-glass access, and incident-response procedures.
- Cost
- Cost for Enterprise application includes more than the visible Azure meter. Review unused SaaS assignments, license assignment through groups, provisioning support time, duplicate applications, audit preparation, and lifecycle automation effort because weak design often creates hidden spend through repeated processing, failed retries, over-provisioned capacity, unused assignments, support labor, audit cleanup, or extra storage. Tag ownership, environment, application, and cost center so charges can be explained. Compare actual use with purchased capacity, retention, token volume, request count, and operational value. Do not scale or rebuild blindly before checking configuration mistakes, retry loops, stale data, access errors, and monitoring evidence. This keeps architecture, security, support, and finance teams working from the same production evidence.
- Reliability
- Reliability for Enterprise application depends on known limits, tested dependencies, and recovery procedures that operators can run without guessing. Review SSO certificate lifecycle, provisioning job health, owner availability, consent continuity, group assignment accuracy, and outage communication paths before depending on it for a customer-facing workflow. The important question is how it behaves during retries, scale events, region issues, model changes, key rotation, index rebuilds, approval delays, or operator mistakes. Capture baseline metrics, expected states, and failure modes before change. Alert on symptoms that prove user impact, not just configuration drift, and keep rollback steps visible in the runbook. This keeps architecture, security, support, and finance teams working from the same production evidence.
- Performance
- Performance for Enterprise application depends on workload shape, platform limits, dependency health, and how evidence is interpreted. Review sign-in latency, provisioning cycle duration, group membership expansion, Graph API throttling, SSO redirect behavior, and application availability before blaming the service or adding capacity. Look for saturation, throttling, queueing, cold starts, slow dependencies, stale indexes, oversized payloads, weak filters, or inefficient application behavior. Measure before and after any change and keep baselines for normal, peak, and incident conditions. For shared services, identify noisy neighbors and per-resource limits. Performance tuning should not create new security gaps, reliability risk, or unexpected cost. This keeps architecture, security, support, and finance teams working from the same production evidence.
- Operations
- Operations for Enterprise application should be repeatable enough that a different engineer can collect the same evidence and reach the same conclusion. Review application onboarding, owner reviews, access request handling, SSO certificate renewal, provisioning monitoring, stale app cleanup, and incident runbooks during change management, incident response, onboarding, and access reviews. Start with read-only checks, confirm tenant and subscription context, and attach sanitized CLI, REST, log, or metric output to the ticket. Keep names, tags, owners, dashboards, runbooks, and graph connections current. After every change, verify expected behavior and record any exception so future operators know what breaks first. This keeps architecture, security, support, and finance teams working from the same production evidence.
Common mistakes
- Assuming a matching display name proves the correct resource when tenants, subscriptions, regions, and service instances can contain similar names.
- Running mutating commands before capturing read-only evidence, owner approval, monitoring baselines, rollback steps, and expected post-change signals.
- Treating a portal screenshot as complete proof when CLI output, REST responses, Activity Logs, metrics, and source-controlled definitions are more repeatable.