Domain 3 of 4

Workload Identities and Apps

Domain · 20–25% of the SC-300 exam

One app is two objects: a blueprint you register once, and an instance that lives in each tenant

Picture a SaaS app or a script that needs to call Microsoft Graph. In Microsoft Entra ID (formerly Azure AD) that single piece of software is represented by two different objects, and almost every question in this domain turns on keeping them straight. The app registration (the application object) is the global blueprint: registered once in the app's home tenant, it owns the application (client) ID, the redirect URIs, the credentials, the API permissions the app requests, and any app roles it defines. From that one blueprint Entra stamps a service principal in every tenant where the app is actually used, and that local instance is what you see as the enterprise application: where you wire up single sign-on (SSO), assign users and groups, gate access, and apply Conditional Access. The blueprint defines what the app is everywhere; the instance defines what the app may do inside one tenant. The classic trap is reaching for the wrong object: you configure how the app authenticates (secrets, certificates, exposed scopes) on the registration, but you configure how your tenant uses the app (assignment, SSO, consent, provisioning) on the enterprise application. A gallery SaaS app you add has only a service principal in your tenant, because its registration lives with the vendor.

The domain unfolds in four steps, from defining an app to governing the apps already in your tenant

Walk the subtopics in order and the domain reads as one storyline. App Registrations comes first: it is where you define the application object, choose supported account types, and attach the credential the app authenticates with, preferring workload identity federation, then a certificate, and never a client secret in production. Enterprise Applications is the instance side of that same app: you turn on the right SSO mode (favour SAML or OpenID Connect federation), publish on-premises web apps through Microsoft Entra Application Proxy, set whether assignment is required, assign users and app roles, and decide what user and admin consent your tenant allows. Workload Identities zooms in on the non-human credential that actually runs a workload: a managed identity for code on an Azure resource (credential-free, because Azure issues and rotates the certificate), or a service principal from an app registration for a workload outside Azure. Defender for Cloud Apps closes the loop as the governance layer: a cloud access security broker (CASB) that finds shadow IT, controls live SaaS sessions, and reviews the third-party OAuth apps your users have already consented to.

When two answers both work, pick the identity that holds no secret you have to protect

Across the whole domain the exam rewards the choice that removes a stored credential. For a workload, that means a managed identity whenever the code runs on an Azure resource that supports one, because Azure manages and rotates the certificate and nothing can leak; only when the workload runs outside Azure do you fall back to a service principal from an app registration, and even then workload identity federation beats a stored secret. On the registration itself the same instinct orders the credential types: federated credential first, certificate next, client secret only for local development. The mirror-image instinct governs consent and SSO: prefer federation (SAML or OpenID Connect) over password-based SSO, and restrict user consent so apps cannot quietly collect broad permissions, routing risky requests through the admin consent workflow and reviewing standing OAuth grants in Defender for Cloud Apps. Reserve a user account for a human and a group managed service account (gMSA) for on-premises Windows services, never for an Azure resource calling another Azure service.

The four parts of an app's lifecycle, and which subtopic owns each

Part of the app lifecycleWhat it isWhere you configure itDrill into
Registration (blueprint)The one global application object: client ID, credentials, requested API permissions, app-role definitionsApp registrations page (home tenant)App Registrations
Enterprise application (instance)The service principal in your tenant: SSO, user/app-role assignment, consent, Conditional Access, Application ProxyEnterprise applications page (per tenant)Enterprise Applications
Workload identity (the running credential)The non-human identity a workload uses: a managed identity on an Azure resource, or a service principal for a workload elsewhereManaged identity on the resource, or app registration credentialsWorkload Identities
Governance (CASB over the apps)Cloud Access Security Broker: discover shadow IT, control live sessions, review and ban risky OAuth grantsMicrosoft Defender portal, Cloud AppsDefender for Cloud Apps

Subtopics in this domain