![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 74%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
25,130 questions
Hello @metalheart , having 2 app registration is recommended since you could also say that you have 2 applications: a client and an API. The recommendation follows the separation of concerns principle and provides some benefits such as fine-grained security and ease of management. Combining both registrations into one may be a good idea during early development or testing but in the long run it can get messy and prone to security, management and maintenance issues. Let's say you split your dev teams in 2: 1 for your client app and 1 for your api app. You may also want to limit management for each app registration to their belonging team. This won't be possible using only 1 app reg since you cannot limit permissions per user or group per app reg feature: any user with write permissions will be able to update any app reg feature. You may want to implement Conditional Access: SPA authentication requests should be allowed only if coming from a 3 counties or IP ranges but authorization requests from a selected user pool (let's say SPA admins, moderators, etc.) should come from 1 country or IP range and should get prompted for MFA or require a compliant device. This might be doable using 1 app registration but the configuration and maintenance will become harder contradicting the KISS principle.
Keep in mind that an SPA is not as secure as an API (which is why an API can store secrets while the SPA does not) so it's a good idea to target an app registration only for the purpose of authentication but not of authorization. Let's say you want the API to call other APIS such as Microsoft Graph using the OBO flow: With 1 app registration there won't be any need for OBO since any SPA user may directly request an access token for any Microsoft Graph scope. With 2 app registrations there won't be any Microsoft Graph scopes exposed in the SPA app reg, only in the API app reg. SPA app reg will be used for authentication only while API app reg will be used for authorization. Additional authorization policies will be easier to enforce trough the API application code or Entra features such as Conditional Access. Also, and from the infrastructure and security side, having 2 app regs will allow to narrow down who can manage secrets for API-to-API communication, also narrowing down the impact caused by leaked credentials: 1 careless developer may generate and share a SPA app reg secret but it won't be of any use for API to API access.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 69%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)