Understand App registrations and Enterprise apps (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand App registrations and Enterprise apps


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations rely on applications to access Microsoft 365 resources, integrate with cloud services, and automate business processes. Microsoft Entra ID (formerly Azure Active Directory) provides identity and access management capabilities not only for users but also for applications.

Two important concepts administrators must understand are:

  • App registrations
  • Enterprise applications

Although these terms are closely related, they represent different objects within Microsoft Entra ID. Understanding their purposes and differences is important for the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam.


Why Applications Need Identities

Just as users require identities to sign in and access resources, applications also need identities.

Applications may need to:

  • Access Microsoft Graph APIs.
  • Read SharePoint data.
  • Send email through Exchange Online.
  • Authenticate users.
  • Integrate with Microsoft 365 services.
  • Support Microsoft 365 Copilot and agents.

Microsoft Entra provides these capabilities through app registrations and enterprise applications.


What Is an App Registration?

An App Registration defines an application’s identity within Microsoft Entra ID.

When developers register an application, Entra creates:

  • An Application (client) ID
  • A directory object representing the application
  • Authentication settings
  • Redirect URIs
  • API permissions
  • Secrets or certificates (optional)

Think of an app registration as the blueprint or template for an application.

Common Uses

  • Custom business applications
  • Web applications
  • Mobile applications
  • APIs
  • Microsoft Graph integrations
  • Copilot extensions and agents

Key Components of an App Registration

Application (Client) ID

A globally unique identifier (GUID) assigned to the application when it is registered.

Example:

Application ID: 7a12b8c3-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Applications use this ID during authentication.


Directory (Tenant) ID

Identifies the Microsoft Entra tenant where the application resides.


Redirect URI

Specifies where authentication responses are sent after users sign in.

Examples:


Secrets and Certificates

Applications may authenticate themselves using:

  • Client secrets
  • Certificates

These credentials should be protected because they function similarly to passwords.


API Permissions

Applications often require access to Microsoft services.

Examples:

  • Read user profiles
  • Access calendars
  • Read SharePoint files
  • Send email

Permissions can be granted by users or administrators depending on the permission type.


Types of API Permissions

Delegated Permissions

The application acts on behalf of a signed-in user.

Example:

A Teams app reads the user’s calendar using that user’s permissions.

Characteristics:

  • Requires a signed-in user.
  • Limited by the user’s permissions.

Application Permissions

The application runs independently without a user.

Example:

A background process scans SharePoint sites across the organization.

Characteristics:

  • No user sign-in required.
  • Usually requires administrator consent.
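The two permission types are visible in the access token an application presents: delegated permissions arrive in the space-separated "scp" claim, application permissions in the "roles" list. The following is an added example (not code from the original post) showing how an API can tell the two apart and check the right permission for each; the token payloads are constructed samples, and signature and audience validation are assumed to have happened already.

```python
# Added example (not from the original post): tell a delegated access token
# from an app-only one by its claims before authorizing a request.
# In Microsoft Entra access tokens, delegated permissions are listed in the
# space-separated "scp" claim and application permissions in the "roles" list.
# The token payloads below are constructed samples, not real tokens.
from typing import Any, Dict, Set, Tuple

# Constructed, already-validated payloads (signature/audience checks omitted).
DELEGATED_TOKEN = {"aud": "api://example-api", "scp": "Calendars.Read User.Read",
                   "name": "Sample User"}
APP_ONLY_TOKEN = {"aud": "api://example-api", "roles": ["Sites.Read.All"]}


def permission_type(claims: Dict[str, Any]) -> str:
    """Return 'delegated', 'application' or 'unknown' for a decoded payload."""
    has_scp = bool(claims.get("scp"))
    has_roles = bool(claims.get("roles"))
    if has_scp and not has_roles:
        return "delegated"      # acts on behalf of a signed-in user
    if has_roles and not has_scp:
        return "application"    # runs without a user, admin-consented
    return "unknown"            # neither claim, or both: do not trust it


def granted_permissions(claims: Dict[str, Any]) -> Set[str]:
    """Permissions the token actually carries, whichever type it is."""
    kind = permission_type(claims)
    if kind == "delegated":
        return set(claims["scp"].split())
    if kind == "application":
        return set(claims["roles"])
    return set()


def authorize(claims: Dict[str, Any], delegated_scope: str,
              app_role: str) -> Tuple[bool, str]:
    """Allow the call only if the token is of a known type and carries the
    permission required for that type. Delegated scopes and application
    roles are different strings, so each type is checked separately."""
    kind = permission_type(claims)
    perms = granted_permissions(claims)
    if kind == "delegated":
        return delegated_scope in perms, f"delegated: need scp {delegated_scope}"
    if kind == "application":
        return app_role in perms, f"application: need role {app_role}"
    return False, "rejected: token has neither scp nor roles (or both)"
```

A delegated token is further limited by what the signed-in user may do, which the resource service enforces on its side.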

What Is an Enterprise Application?

An Enterprise Application is the service principal created from an app registration.

Think of the enterprise application as the instance of the application inside a tenant.

Enterprise applications manage:

  • User assignments
  • Sign-in permissions
  • Single sign-on settings
  • Conditional Access policies
  • Application access controls
  • Monitoring and sign-in logs

Simple Comparison

Object                  | Purpose
App Registration        | Defines the application
Enterprise Application  | Represents the application inside the tenant

Relationship Between App Registrations and Enterprise Applications

When an application is registered:

  1. An app registration is created.
  2. A corresponding enterprise application (service principal) is created.
  3. Users and permissions are managed through the enterprise application.

One app registration can have multiple enterprise applications: a multi-tenant application gets its own service principal in each tenant that uses it.


Service Principals

A service principal is the identity used by an application within a specific tenant.

The service principal:

  • Authenticates the application.
  • Receives permissions.
  • Appears as an enterprise application.

For exam purposes:

Enterprise Application = Service Principal


Enterprise Applications and Single Sign-On (SSO)

Enterprise applications support Single Sign-On.

Users can:

  • Sign in once.
  • Access multiple applications.
  • Use Microsoft Entra credentials.

Benefits include:

  • Improved user experience.
  • Reduced password fatigue.
  • Centralized identity management.

Enterprise Applications from External Vendors

Not all enterprise applications originate from your organization.

Examples include:

  • Salesforce
  • ServiceNow
  • Workday
  • Zoom
  • Adobe

These SaaS applications appear as enterprise applications inside Microsoft Entra and can use SSO.


User Assignment

Administrators can control which users may access an enterprise application.

Options include:

Everyone

All users can access the application.

Selected Users or Groups

Only assigned users receive access.

This supports least privilege and Zero Trust principles.


Conditional Access and Enterprise Applications

Conditional Access policies can target applications.

Examples:

  • Require MFA for Salesforce.
  • Block access from unmanaged devices.
  • Restrict access by location.
  • Allow only compliant devices.

This helps secure application access.


Consent and Permissions

Applications request permissions when first used.

Two forms of consent exist:

User Consent

Users approve low-risk delegated permissions.

Example:

Allowing an app to read basic profile information.


Admin Consent

Administrators approve permissions that affect the entire organization.

Example:

Granting an app permission to read all mailboxes.

Admin consent helps protect sensitive organizational data.


Monitoring Enterprise Applications

Administrators can review:

  • Sign-in logs
  • Failed sign-ins
  • User assignments
  • Permission grants
  • Conditional Access results

These tools help troubleshoot and improve security.


Common Administrative Tasks

Administrators frequently:

  • Add enterprise applications.
  • Configure SSO.
  • Assign users and groups.
  • Review permissions.
  • Grant admin consent.
  • Remove unused applications.
  • Investigate sign-in logs.
  • Apply Conditional Access policies.

Security Best Practices

Use Least Privilege

Grant only required permissions.

Review Permissions Regularly

Remove unnecessary permissions.

Require MFA

Protect access to sensitive applications.

Remove Unused Applications

Reduce attack surface.

Use Group Assignments

Simplify management.

Monitor Sign-In Activity

Identify unusual behavior.
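The practices above (user assignment, permission review, removing unused applications, watching sign-in activity) can be applied as a repeatable review. Below is an added example, not code from the original post, that runs such a review over constructed sample records; displayName and appRoleAssignmentRequired are real Graph servicePrincipal property names, while the other keys and all values are made up for the example.

```python
# Added example (not from the original post): a review pass over enterprise
# applications applying the best practices above (user assignment, permission
# review, unused-app removal). Records are constructed samples in a simplified
# shape; displayName and appRoleAssignmentRequired are real Graph
# servicePrincipal property names, the other keys are made up for this example.
from datetime import date
from typing import Dict, List, Optional

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

SERVICE_PRINCIPALS = [
    {"displayName": "Expense Bot", "appRoleAssignmentRequired": False,
     "applicationPermissions": ["Mail.Read"], "delegatedScopes": ["User.Read"],
     "lastSignIn": date(2024, 1, 10)},
    {"displayName": "HR Portal", "appRoleAssignmentRequired": True,
     "applicationPermissions": [], "delegatedScopes": ["User.Read", "Calendars.Read"],
     "lastSignIn": date(2024, 5, 28)},
    {"displayName": "Legacy Sync", "appRoleAssignmentRequired": True,
     "applicationPermissions": ["Sites.Read.All"], "delegatedScopes": [],
     "lastSignIn": None},
]


def review_service_principal(sp: Dict, today: date, stale_days: int = 90) -> List[str]:
    """Return the findings for one enterprise application (empty list if clean)."""
    findings = []
    # User assignment: "Everyone" means any user in the tenant can sign in.
    if not sp["appRoleAssignmentRequired"]:
        findings.append("assignment not required: all users can access the app")
    # Application permissions run without a user and were admin-consented;
    # each one deserves an explicit least-privilege justification.
    if sp["applicationPermissions"]:
        findings.append("application permissions granted: "
                        + ", ".join(sp["applicationPermissions"]))
    # Sign-in activity: an app nobody has used recently is a removal candidate.
    last: Optional[date] = sp["lastSignIn"]
    if last is None or (today - last).days > stale_days:
        findings.append(f"no sign-ins in the last {stale_days} days: review for removal")
    return findings


def review_all(sps: List[Dict], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Map each enterprise application's display name to its findings."""
    return {sp["displayName"]: review_service_principal(sp, today, stale_days) for sp in sps}


if __name__ == "__main__":
    for name, findings in review_all(SERVICE_PRINCIPALS, REVIEW_DATE).items():
        print(name, "->", findings or ["no findings"])
```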


App Registrations vs. Enterprise Applications

Feature                               | App Registration | Enterprise Application
Defines application identity          | Yes              | No
Contains client ID                    | Yes              | No
Stores redirect URIs                  | Yes              | No
Represents app in a tenant            | No               | Yes
Supports user assignment              | No               | Yes
Supports SSO configuration            | No               | Yes
Receives Conditional Access policies  | No               | Yes
Also known as service principal       | No               | Yes

Importance for Microsoft 365 Copilot and Agents

Copilot extensions, plugins, and custom agents often rely on:

  • App registrations
  • Microsoft Graph permissions
  • Enterprise applications
  • User consent
  • Authentication and authorization

Understanding these concepts helps administrators securely deploy AI solutions within Microsoft 365.


Key Exam Points

Remember these AB-900 concepts:

  • App registrations define an application’s identity.
  • Enterprise applications represent applications within a tenant.
  • Enterprise applications are service principals.
  • Delegated permissions act on behalf of users.
  • Application permissions operate without users.
  • Enterprise applications support SSO.
  • Conditional Access policies can target applications.
  • Admin consent is required for high-privilege permissions.
  • User assignments control who can access applications.

Practice Exam Questions

Question 1

Which Microsoft Entra object defines an application’s identity and contains its client ID?

A. App registration
B. Enterprise application
C. Conditional Access policy
D. Security group

Correct Answer: A

Explanation: App registrations define the application and contain identifiers and authentication settings.


Question 2

What is another name for an enterprise application in Microsoft Entra?

A. Managed identity
B. Service principal
C. Tenant object
D. Resource group

Correct Answer: B

Explanation: Enterprise applications are service principals that represent applications inside a tenant.


Question 3

Which permission type allows an application to act on behalf of a signed-in user?

A. Resource permission
B. Admin permission
C. Delegated permission
D. Conditional permission

Correct Answer: C

Explanation: Delegated permissions use the permissions of the signed-in user.


Question 4

Which object is commonly used to configure Single Sign-On for a SaaS application?

A. Security defaults
B. App registration only
C. Mailbox settings
D. Enterprise application

Correct Answer: D

Explanation: SSO settings are configured through enterprise applications.


Question 5

What is the primary purpose of an enterprise application?

A. Define redirect URIs
B. Store the client secret permanently
C. Represent an application inside a tenant and manage access
D. Replace Microsoft Entra users

Correct Answer: C

Explanation: Enterprise applications manage access and represent the app within the tenant.


Question 6

Which permission type usually requires administrator consent because it can affect organizational data?

A. Application permissions
B. Basic profile permissions
C. Redirect permissions
D. Device permissions

Correct Answer: A

Explanation: Application permissions often grant broad access and therefore typically require admin approval.


Question 7

An administrator wants only members of the Finance department to access an application. Which feature should be used?

A. Redirect URIs
B. Client certificates
C. User assignment within the enterprise application
D. Tenant synchronization

Correct Answer: C

Explanation: Enterprise applications allow administrators to assign specific users and groups.


Question 8

Which setting determines where authentication responses are sent after sign-in?

A. Directory ID
B. Redirect URI
C. Conditional Access policy
D. Service principal name

Correct Answer: B

Explanation: Redirect URIs specify where users are returned after successful authentication.


Question 9

A background application that runs without a signed-in user should typically use which permission type?

A. Delegated permissions
B. User permissions
C. Group permissions
D. Application permissions

Correct Answer: D

Explanation: Application permissions enable apps to run independently of users.


Question 10

Why should organizations periodically review enterprise applications and their permissions?

A. To increase mailbox size
B. To reduce unnecessary access and improve security
C. To change domain names automatically
D. To synchronize Teams channels

Correct Answer: B

Explanation: Reviewing applications helps maintain least privilege and reduce security risks.
