Skip to content

2023

  • in Entra ID
  • 18 min read

Entra App Registrations and Enterprise Applications: The Definitive Guide

For those that must manage application integrations in Entra ID, it’s an inevitable question: What is the difference between an App Registration and an Enterprise Application? Why are there two different management blades? Why do I see some applications in both places?

I’ll admit that this is not the first take at answering this question, and there are already some good answers out there. Microsoft breaks things down here, Apps & service principals in Azure AD – Microsoft Entra | Microsoft Learn, with a decent visual at the end.

Marilee Turscak also has an excellent breakdown here, The Differences Between App Registrations, Enterprise Applications, and Service Principals in Azure AD | Marilee Turscak.

And John Savill has fantastic video published covering this as well, Azure AD App Registrations, Enterprise Apps and Service Principals – YouTube.

As John points out in his video, the understanding of App Registrations and Enterprise Apps can further be enhanced by understanding OpenID Connect and OAuth 2.0 flows. This is especially important for identity professionals and ITPros who may come from a sysadmin background. Modern authentication flows and concepts may feel foreign to folks who built their career on identity platforms such as Active Directory.

For those that find it easiest to learn by doing, if you want to play around with App Registrations, Enterprise Apps and Service Principals, but don’t want to mess with your prod environment, sign up for an M365 Developer account, to have your own free tenant to work with here, Developer Program | Microsoft 365 Dev Center.

We’ll start with some definitions, and then try to walk through various scenarios that you may encounter. If you don’t see your question answered within the definitions, keep reading… we’ll try to hit on all the areas here.

  • in Entra ID
  • 3 min read

The Importance Of Identity In Microsoft Certifications

As I’ve taken Microsoft certification exams, or the exam renewals, I’ve noticed that Azure AD and identity topics are a theme throughout. Now, focusing on the security space, it may seem like somewhat of a given.

But it made me curious – how many Microsoft certification exams have an identity component to them?

While the Microsoft Certification browser indicates 15 current exams (with four expired) that have a Microsoft Entra product component, the list has some obvious exclusions, such as AZ-900 and MS-900. Granted, those are fundamental exams, but Azure AD and Entra still come up on them in some shape or form.

I decided to dig a bit deeper, and while I have not sat for the majority of exams outside the security space, the Microsoft official exam guides often give you a good breakdown of the skills and concepts within the exams. I found that 29 exams currently have an identity component to them, that would have an estimated weight of at least 5%.

  • in Entra ID
  • 3 min read

Don't Let DNS Be Your Azure AD Recovery Downfall

In September of 2022, Joey Verlinden (@jvldn1) published an excellent article on his experience with recovering access to an Azure AD tenant that he was completely locked out of. You can, and should, read the full article here, What happens if you lock-out your Azure Tenant? – Joey Verlinden.

In this, Joey details the process for recovering access to an Azure AD tenant, which includes a detailed verification process, which is rightfully put in place to ensure that someone isn’t capable of a tenant takeover through social engineer. As part of the process, the request is verified by means of either:

  • Calling the phone number associated with a Tenant
  • Emailing a Global Administrator
  • Requesting that the organization creates a DNS TXT record associated with one of the verified domains

Now, under normal “oops” scenarios, you likely could use a phone call or email to a Global Administrator. Of course, if a GA is mail-enabled, the email should be forwarded, as your Global Admins should not actually be receiving or checking email directly in that inbox (which is a different story).

Azure AD 101: Azure Subscription Relationship

Whether you are dipping your toe or diving headfirst into Azure, one of the points of confusion is the relationship between Azure Active Directory and Azure subscriptions. Azure subscriptions may be referred to as subscriptions, or sometimes even just Azure. An Azure Active Directory tenant, which is the cloud identity provider, is usually referred to as Azure AD or AAD, or sometimes just tenant.

While Microsoft has decent documentation on the relationship, I tend to find that drawing analogies along with additional visuals can help really drive the relationship home for folks. For the MS Docs article, see Add an existing Azure subscription to your tenant – Azure AD – Microsoft Entra | Microsoft Learn.

Cloud Identity Is Still The Future

In October 2022, the CTO of 37signals, David Heinemeier Hansson, published a piece on why hey.com was leaving the cloud. You can read the full article here, Why we’re leaving the cloud (hey.com); the gist of the post is that cloud is not cost-effective. More recently, InfoWorld published a piece by David Linthicum, 2023 could be the year of public cloud repatriation | InfoWorld, hitting on why it may be more cost-effective to move back to private data centers. You see the trend – cloud may not be providing the ROI that is expected, especially if your organization has just performed a bunch of lift-and-shift without application refactoring.

While the titles are attention grabbing, and the articles have valid points, they don’t really tell the full story. Folks in the industry may scan the headlines and believe that a mass cloud exodus is on the verge of happening, but we really need to look at what part of the cloud we are speaking to. We need to distinguish between IaaS, PaaS and SaaS, as well as related services and systems, such as IDaaS (identity as a service, aka Azure AD, Okta, and so on).