The [[Application Object]] is the _global_ representation of your application for use across all tenants, and the [[Service Principal]] is the _local_ representation for use in a specific tenant. The application object serves as the template from which common and default properties are _derived_ for use in creating corresponding service principal objects.  An application object has: - A one-to-one relationship with the software application, and - A one-to-many relationship with its corresponding service principal objects A service principal must be created in each [[Tenant]] where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multitenant application also has a service principal created in each tenant where a user from that tenant has consented to its use. ## Resources [Design service principals for applications - Training | Microsoft Learn](https://learn.microsoft.com/en-us/training/modules/design-authentication-authorization-solutions/9-two-design-service-principals)