# Enterprise applications


This guide will lead you through a typical app authorisation procedure as a Global Administrator and provide an overview of how Enterprise Apps function with Azure AD, including prevalent security misconceptions. After that, we'll authorise a service account and establish a successful connection with UMA.

This explainer is for those who are struggling with the question of how to enable users to sign into UMA Vision using Office 365, while also ensuring that not everyone can authenticate with any application on the internet.

### Service principal and application objects  <a href="#service-principal-and-application-objects" id="service-principal-and-application-objects"></a>

When you first authorise the UMA app, it creates a new Service Principal object in your Azure directory. This Service Principal represents your specific installation of the UMA app, which you can directly manage. The Application object of UMA is maintained by us and enables us to update and maintain the application for all our clients in one place.

To better understand, consider the Service Principal as a specific version of the software that is installed, and the Application as the latest version available. In the event that the Application is updated, such as adding or removing features or permissions, you can choose to reauthorise the latest version to update the Service Principal as required. However, this is an extremely rare occurrence and not essential for running UMA.

### Adding new applications in Office 365  <a href="#adding-new-applications-in-office-365" id="adding-new-applications-in-office-365"></a>

Microsoft [outlines this requirement for Global Administrators and applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance) within Azure AD.

Only global administrators can:

* Add apps from the Azure AD app gallery (pre-integrated 3rd Party Apps)
* Publish an app using the Azure AD Application Proxy

When you first try to sign into the UMA application, [you’ll need to be a Global administrator](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#how-are-apps-added-to-my-azure-ad-instance) unless your tenant allows all users to register new applications, a setting we don't recommend enabling.

During sign-up or sign-in, users are asked to grant the app permission to access their profile, along with other permissions. The first person to give consent causes a service principal representing the app to be added to the directory.

Once you’ve added the application to your directory, the Global Administrator role is no longer necessary to manage the settings.

Enabling “Users can consent to apps accessing company data on their behalf” will allow regular users assigned to the app to sign into existing service principals. It does not grant users the right to create new service principals (i.e., other applications you haven’t approved). Adding new applications is managed by the “Users can add gallery apps to their Access Panel” option instead, which can remain disabled, as seen below.

![](https://help.meetuma.ai/rest/api/content/996442162/child/attachment/att996671562/download)
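
To check these tenant settings outside the portal, the Python below (an added example, not part of UMA's documentation or tooling) reads the Microsoft Graph `authorizationPolicy` object and reports whether all users can register applications and which user consent policy is assigned. The sample JSON is constructed and the function name is hypothetical.

```python
import json

# Constructed sample of the object returned by
# GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
# (trimmed to the fields read below; not taken from a real tenant).
SAMPLE_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
    ]
  }
}
""")

SELF_PREFIX = "ManagePermissionGrantsForSelf."
# Microsoft's built-in user consent policies.
BUILT_IN = {
    "microsoft-user-default-legacy":
        "users may consent to any app, for permissions that need no admin consent",
    "microsoft-user-default-low":
        "users may consent only to low-impact permissions, for verified-publisher "
        "or in-tenant apps",
}

def audit_authorization_policy(policy):
    """Hypothetical helper: summarise the default user role's app settings."""
    perms = policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    # Only the ...ForSelf policies govern consent by ordinary users.
    consent = [p[len(SELF_PREFIX):] for p in assigned if p.startswith(SELF_PREFIX)]
    can_register = bool(perms.get("allowedToCreateApps"))
    findings = []
    if can_register:
        findings.append("WARN: all users can register new applications")
    for name in consent:
        detail = BUILT_IN.get(name, "custom policy, review its conditions")
        findings.append("INFO: user consent policy %s: %s" % (name, detail))
    return {"users_can_register_apps": can_register,
            "user_consent_policies": consent,
            "findings": findings}

if __name__ == "__main__":
    for line in audit_authorization_policy(SAMPLE_POLICY)["findings"]:
        print(line)
```

An empty `user_consent_policies` list means user consent is turned off, so every new app needs an administrator's approval.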

