Thanks for reaching out, and apologies for the delay in response.
I understand you are trying to understand how a service principal defines who is allowed to authenticate to access the application.
So when you register the application, there is always a service principal created in Enterprise applications for the same application, with a different object ID. As specified, the service principal can manage who can access that application in that tenant.
You need to have the Global Administrator, Cloud Application Administrator, or Application Administrator role, or be an owner of the service principal, to assign access to the application.
In the Enterprise application, the service principal can control who can access the application based on the "Assignment required" box.
If you have the "Assignment required" box checked within your Enterprise application, then users must be assigned to the application before being able to access it.
If this option is set to "No", then any users who navigate to the application URL directly will be granted access.
To restrict access to particular users, "Assignment required" should be set to "Yes", and then select those users who can access the application.
Hope this will help.
Thanks,
Shweta
---------------------------------------
Please remember to "Accept Answer" if the answer helped you.
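As an added example that is not part of the answer above, the following Microsoft Graph PowerShell script performs the steps the answer describes on the service principal (the Enterprise application object): it reads the current "Assignment required" setting, sets it to Yes, assigns one user, and verifies the result. The display name "My App", the user alice@contoso.com, and an installed Microsoft Graph PowerShell SDK are assumptions for illustration.

```powershell
# Added example (not from the original answer). Assumes the Microsoft Graph
# PowerShell SDK is installed; the app display name and UPN are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All","User.Read.All"

$appDisplayName = "My App"            # placeholder: your Enterprise application
$userUpn        = "alice@contoso.com" # placeholder: user who should keep access

# 1. Find the service principal (Enterprise application), not the app registration.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

# 2. Report the current setting. $false is the "No" case from the answer: any
#    user in the tenant who reaches the application URL is signed in.
"Assignment required before: $($sp.AppRoleAssignmentRequired)"

# 3. Enforce assignment ("Assignment required" = Yes).
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign the user. The all-zero AppRoleId is the default role used when the
#    application defines no app roles of its own.
$user = Get-MgUser -UserId $userUpn
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000" | Out-Null

# 5. Verify: the setting is enforced and only the listed principals have access.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
"Assignment required after:  $($sp.AppRoleAssignmentRequired)"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId

# Optional audit: Enterprise applications in the tenant that still admit any user.
Get-MgServicePrincipal -All |
    Where-Object { -not $_.AppRoleAssignmentRequired -and $_.ServicePrincipalType -eq 'Application' } |
    Select-Object DisplayName, AppId, AppRoleAssignmentRequired
```

The final audit query is useful as a periodic check, since a new Enterprise application defaults to assignment not required.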