When to Use Managed Identity vs App Registration in Azure – A Visual Guide
Whether you're using App Registration or Managed Identity, your app still needs an identity, and that identity lives in Microsoft Entra ID.
In app-based authentication, what we typically need is a Service Principal in Entra ID: a security identity that represents an app.
When you use Managed Identity, Azure automatically creates and manages that Service Principal on your behalf.
This removes the need to manage:
Client secrets
Certificates
Identity lifecycle manually.
It's a clean solution if your app runs in Azure.
How to set one up: Understanding Managed Identities
However, Managed Identity cannot be used when:
Your app is not hosted in Azure
You need to call third-party APIs that don’t support Entra ID tokens, or perform OAuth2/OpenID Connect flows
You require custom claims in tokens, or want to support user consent scenarios.
This is where app registration comes in.
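To make the contrast concrete, here is an added example (not code from the original post) that builds the token request each approach uses and applies the post's rule: Managed Identity when the app is hosted in Azure, App Registration otherwise. The endpoints and headers are the documented Azure ones (App Service/Functions expose IDENTITY_ENDPOINT and IDENTITY_HEADER; VMs use the instance metadata service); the tenant, client id, secret and environment values are constructed placeholders, and the requests are only built, not sent.

```python
import os
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ENTRA_AUTHORITY = "https://login.microsoftonline.com"


def managed_identity_request(env, resource):
    """Build the local token request a Managed Identity uses.

    No client secret or certificate appears anywhere: the Azure platform
    vouches for the app. App Service / Functions provide IDENTITY_ENDPOINT
    plus IDENTITY_HEADER; VMs call IMDS with a 'Metadata: true' header.
    """
    if "IDENTITY_ENDPOINT" in env and "IDENTITY_HEADER" in env:
        url = env["IDENTITY_ENDPOINT"] + "?" + urlencode(
            {"resource": resource, "api-version": "2019-08-01"})
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        url = IMDS_TOKEN_URL + "?" + urlencode(
            {"resource": resource, "api-version": "2018-02-01"})
        headers = {"Metadata": "true"}
    return {"method": "GET", "url": url, "headers": headers, "body": None}


def client_credentials_request(tenant, client_id, client_secret, scope):
    """Build the OAuth2 client-credentials request an App Registration uses.

    The app must present a credential it manages itself (here a secret),
    which is exactly the lifecycle burden Managed Identity removes.
    """
    return {"method": "POST",
            "url": f"{ENTRA_AUTHORITY}/{tenant}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials",
                               "client_id": client_id,
                               "client_secret": client_secret,
                               "scope": scope})}


def choose_token_request(env, hosted_in_azure, resource):
    """Hosted in Azure -> Managed Identity; otherwise App Registration.

    Off-Azure apps need AZURE_TENANT_ID, AZURE_CLIENT_ID and
    AZURE_CLIENT_SECRET (constructed variable names for this example).
    """
    if hosted_in_azure:
        return "managed_identity", managed_identity_request(env, resource)
    needed = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
    missing = [k for k in needed if k not in env]
    if missing:
        raise RuntimeError("App Registration credentials missing: " + ", ".join(missing))
    scope = resource.rstrip("/") + "/.default"  # v2.0 endpoint expects a scope
    return "app_registration", client_credentials_request(
        env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"], scope)
```

Calling `choose_token_request(dict(os.environ), True, "https://management.azure.com/")` inside Azure yields a GET with no secret in it; the same call off-Azure fails fast unless the App Registration credentials are present.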
I wrote about app registration; here's the link: Setup Azure App Registration
That’s all for today; see you in the next one.