• App Registration

The purpose of registering an app with Azure AD is to authorize a client/app to access some resource that AAD controls access to (for which AAD is the authorization server). For example, the MS Graph Powershell module (client) needs to be granted access to the MS Graph API (resource). The resource directs the client to Azure AD (the authorization server) where the user (resource owner) must authenticate themselves and consent to delegate the requested permissions (scope) to the client.

Although the original use case for the OAuth2 flow was to support granting third-party apps access to resource, it is also used for first-party apps, as in the example with the MS Graph Powershell module access the MS Graph API.

• App registration and consent are two related, but distinct operations that are controlled by different settings
• When the setting to allow users to register apps is disabled one of the admin roles can be used to give a user the right to register apps—this includes Cloud application administrator, Application administrator and Application developer. Application developer is the most limited role.
• delegated vs. application permissions

• Delegated access, an app acting on behalf of a signed-in user. delegated permissions are also called scopes
• App-only access, an app acting with its own identity. This method of access is generally used by automation and daemons that run unattended and noninteractively.
• Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user. Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.

• What is consent?
• consent experience, consent can be granted for just the current user or at the admin level for the entire tenant
• Either users can be allowed to consent to permissions granted to an app or the ability to consent can be reserved for admins only.
• When the admin consent workflow is enabled a user can submit a request to approve consent when the user cannot approve it. How to configure admin consent workflow
• admin consent vs. user consent
• Consent on behalf of your organization, administrative consent

A user can authorize an application to access some data at the protected resource, while acting as that user. The permissions that allow this type of access are called “delegated permissions.”

• The App Registration represents the application object and the Enterprise Application represents the security principle.

• https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent