The Azure AD application model is designed to support several important functions at once: to hold the protocol information used at authentication time, to provide a mechanism for provisioning applications within one tenant and across multiple tenants, to allow end users and administrators to grant or deny consent for apps to access resources on their behalf, and to supply the knobs that administrators and developers use to fine-tune which users and which applications may access what.
That’s a tall order, but as you have seen throughout this chapter, the Azure AD application model supports all of those functions—though in doing so it often builds complex castles of interlocking entities. Little of that complexity ever surfaces all the way to the end user, and even for most development tasks you don’t need to dive as deep as we did in this chapter. As a reward for the extra effort, however, you now have a holistic understanding of how applications in Azure AD are represented, how they are provisioned, and how they are granted or denied access to resources. You will find that this understanding brings your proficiency with Azure AD to a new level.