Wednesday, May 14, 2025

Azure registered app

https://adatum.no/azure/azure-active-directory/azure-application-registrations-enterprise-app-managed-identities

RBAC (role-based access control) in Azure is done by adding role assignments.

Microsoft has a very robust identity platform in Azure AD. By creating an application registration, you can use this platform to authenticate and authorize many kinds of clients (mobile apps, web apps, etc.).

When you create an application registration, you establish a trust relationship between the Microsoft identity platform and your custom application: you trust Microsoft, but Microsoft does not trust your application in the same way.

You can create single-tenant, multi-tenant, and Microsoft (Live ID) based app registrations, or a combination of them. However, the application definition is tied only to its home directory.

In the simplest terms, app registrations are identities for software applications. Rather than verifying a user's identity and auth, you can tell an Azure application to verify another application's identity. Good luck & have fun!

Look at the settings below: the request tries to get a bearer token by logging in as a registered app, sampleOIDC, with the scope of Azure keyvalue.







Now, when you call the keyvalue API, you can add the application as a member, like an AD account, to the access permissions instead of an individual AD account. It is more robust.
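
As an added example (not from the original post), the Python below builds the client-credentials token request described above and checks the claims of the token that comes back. It assumes "keyvalue" refers to Azure Key Vault (scope `https://vault.azure.net/.default`); the GUIDs and the sample token are constructed placeholders.

```python
import base64, json
from urllib.parse import urlencode
from urllib.request import Request

AUTHORITY = "https://login.microsoftonline.com"   # Microsoft identity platform
VAULT_SCOPE = "https://vault.azure.net/.default"  # assumption: "keyvalue" = Azure Key Vault

def build_token_request(tenant_id, client_id, client_secret, scope=VAULT_SCOPE):
    """Client-credentials request: the app authenticates as itself, with no user."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(jwt, expected_aud, expected_appid):
    """Return a list of problems; empty means app-only token for the expected app and API."""
    c = decode_claims(jwt)
    problems = []
    if c.get("aud", "").rstrip("/") != expected_aud.rstrip("/"):
        problems.append("aud mismatch")
    if expected_appid not in (c.get("appid"), c.get("azp")):  # v1.0 / v2.0 claim names
        problems.append("appid mismatch")
    if "scp" in c:                                # scp appears only on delegated tokens
        problems.append("delegated (user) token, not app-only")
    return problems

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: unsigned token with placeholder GUIDs, for offline use only.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APP_ID = "11111111-1111-1111-1111-111111111111"   # client ID of sampleOIDC (placeholder)
SAMPLE_JWT = ".".join([_b64({"alg": "none"}), _b64({
    "aud": "https://vault.azure.net", "appid": APP_ID,
    "oid": "22222222-2222-2222-2222-222222222222"}), ""])

if __name__ == "__main__":
    print(build_token_request(TENANT_ID, APP_ID, "<client-secret>").full_url)
    print(check_app_token(SAMPLE_JWT, "https://vault.azure.net", APP_ID))
```

The `oid` claim in an app-only token is the object ID of the app's service principal, which is the identity that receives the access permission on the vault.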





