Thanks for reaching out.
I understand that you are going through these concepts and have lots of questions around them, which is totally expected with this confusing concept.
- Any Enterprise Application or Application Registration that has the AppOwnerOrganizationId attribute with no value (empty), meaning that it will be read-only in my organization? Not sure why this is listed in the first place in the portal GUI. Could you please share the scenario so I can understand this ask better? When are you able to see AppOwnerOrganizationId empty?
- When manually creating an Application Registration, the Enterprise Application/Service Principal will also be created. The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant. So, whenever you register the application to integrate with Azure, a service principal gets automatically created. For a multi-tenant application, a service principal is created in each tenant where the application is used, to establish an identity for sign-in and/or access to resources by the tenant. Do not confuse the Enterprise Applications blade with App Registrations: the Enterprise Applications blade contains the list of your Service Principals, and an Enterprise Application is not a service principal.
- When manually creating an Enterprise Application/Service Principal, there will be no Application Registration created. Enterprise App generally refers to applications published by other companies in the Microsoft Entra gallery that can be used within your organization. For example, if you want to integrate an application such as Salesforce or Microsoft Teams and manage SSO within your organization, you can integrate it from the Enterprise Applications dropdown in the applications blade. That is the reason it won't require an application registration, but its service principal will be present in the same blade along with your own applications as Service Principals, which are instantiations of your applications in the tenant.
- Therefore, the task of assigning the Owner to the Application Registration is enough; no need to add the same user as the owner into the Enterprise Application / Service Principal. The ownership of an enterprise application is assigned by default only when a user with no administrator roles (Global Administrator, Application Administrator etc.) creates a new application registration. In all other cases, when ownership isn't assigned by default to an enterprise application, you need to assign owners to the enterprise application separately. I am checking on this further.
- When creating an Application Registration via PowerShell / az Shell command line, it will not automatically create the Enterprise Application / Service Principal. Yes, your understanding is right. Through PowerShell/Graph API you need to create the service principal separately:
az ad sp create --id <registration_app_id>
is executed immediately following az ad app create.
Hope this helps. I am working to get more clarity on point 1 and point 4.
Thanks,
Shweta
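As an added example (not part of the answer above), the PowerShell/Graph version of the last point: register the application, create its service principal explicitly, put the same owner on both objects, and verify the link, the owners and the tenant the app is homed in. It assumes the Microsoft.Graph PowerShell module, a signed-in account allowed to create applications, and placeholder values for the display name and owner UPN.

```powershell
# Added example (not from the original answer): create an app registration,
# then create its service principal explicitly, assign one owner to both
# objects, and verify the result. Assumes the Microsoft.Graph module;
# the display name and owner UPN below are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

$displayName = "contoso-demo-api"        # placeholder
$ownerUpn    = "owner@contoso.example"   # placeholder

# 1. Application object: the global registration (App Registrations blade).
$app = New-MgApplication -DisplayName $displayName -SignInAudience "AzureADMyOrg"

# 2. Service principal: the tenant-local instance (Enterprise Applications
#    blade). Graph does not create it for you, so create it by appId.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Owner on the application object, and explicitly on the service
#    principal as well, rather than relying on default ownership rules.
$owner = Get-MgUser -UserId $ownerUpn
$ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($owner.Id)" }
New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter $ref
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id -BodyParameter $ref

# 4. Verify: the SP found by appId is the one we created, both objects list
#    the owner, and appOwnerOrganizationId matches the signed-in tenant
#    (it points at the tenant where the application is registered).
$check    = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" `
                -Property "id,appId,appOwnerOrganizationId"
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    AppId              = $app.AppId
    ServicePrincipalId = $check.Id
    LinkedCorrectly    = ($check.Id -eq $sp.Id)
    HomedInThisTenant  = ($check.AppOwnerOrganizationId -eq $tenantId)
    AppHasOwner        = ((Get-MgApplicationOwner -ApplicationId $app.Id).Id -contains $owner.Id)
    SpHasOwner         = ((Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id).Id -contains $owner.Id)
}
```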