I understand that App Registration represents an app that might have UI for users to login. I understand that a Service Principal is for applications like scheduled batch processing applications.

But from the technical perspective, in Azure Portal App Registration list, I can see both of them in the list and look the same.

Is there anything that an SP can do that an App Registration cannot or vice versa?

The App registration is the template used to create the SP. The SP is a security principal (like a User) which can be authenticated and authorized. Follow juunas link, specially Relationship between application objects and service principals.

It is very confusing! And unfortunately the link juunas pointed to is not only confusing, it contains bad information! To further demonstrate how confusing it is, answers you have received here are also not exactly correct! It's a real mess, and Microsoft is not doing a great job bringing clarity to the subject.

AlfredoRevilla got really close. Unfortunately, he pointed to the same bad documentation as well, which does not add much clarity to the subject.

To start, an Enterprise Application is not a service principal. This can be easily demonstrated by creating a SP using CLI (az ad sp create). After creating a Service Principal this way, you will see the corresponding App Registration...but no "Enterprise Application" will appear. Again, to make things confusing, Microsoft decided to tack-on the ability to view Service Principals not associated with an application object in the Enterprise Apps blade. This is done by using the drop-down to display the misnomered "Application Types" (not to digress too much here, but "Application Type == Managed Identity" is a clear example of how poorly this drop-down is named). More on this later.

So, to your question. Yes! There is something App Registrations can do that SP's can't do, and vice versa. They are actually different object types, just object types that look and seem to be used the same (now that isn't confusing at all, is it??? Way to go Microsoft.)

Unfortunately, I'm going to end up giving an answer that also is not quite satisfying from a technical perspective. I do this only in attempt to make some sort of sensical answer to a very confusing situation...and to avoid digressing into things like multitenancy applications and redirect URLs.

A Service Principal is the identity object in Azure Active Directory that allows roles to be assigned to various objects (resources). Thus the SP can be assigned as a Storage Blob Data Reader, or as a Key Vault Secrets User. Notice how I intentionally avoided using a web API as an example there? I did that on purpose, because Microsoft only wants to talk about this subject in context of API's and applications...bringing little clarity to the subject for non-API use cases. A key concept here is that a Service Principal will be created in your AAD whenever you create an App Registration or register an existing Application object (say from the marketplace or another tenant).

Creating an App Registration is going to essentially define the application itself. It is the view into the Application object. The Registration instantiates the application, defines who can access it (single tenant/multi-tenant), and defines various elements needed for token exchange, branding elements, etc.

But what about that "Enterprise Application" thing? What is it, and why is it tightly tied to the subject of Service Principals? You will find information that mistakenly implies an Enterprise Application is exactly the same as a Service Principal / is a Service Principal. But as pointed out above, a little experimentation in Azure quickly reveals this is not quite the case. Fortunately, it is easy to sort this part out by recognizing there is no such thing as an "Enterprise Application" Azure! Seriously, they do not exist. Microsoft created a blade in the Azure Portal that they named "Enterprise Applications" -- very poor name choice. What this blade does is provide a view to the Service Principal objects in Azure (be it a Service Principal for an Application object, or a Managed Identity Service Principal). That's it! So when you see that "Enterprise Applications" blade, just think "Service Principal identities" and don't get fooled into thinking there is another piece of this puzzle to figure out.

The App registration is the template used to create the SP. The SP is a security principal (like a User) which can be authenticated and authorized. Follow juunas link, specially Relationship between application objects and service principals.

The App Registrations view shows Azure AD Applications, which are identified by its Application ID, while Enterprise Applications view displays Service Principals. You can navigate from the Application to its associated Service Principal using the link labeled with Managed application in local directory in the Application Overview.

Application and Service Principal are associated by the Application ID. Often they have the same name, but they differ in its Object ID.

Please check the mentioned documentation for the purpose of Applications and Service Principals.

I hope the following image is helpful to understand the relationship between App Registrations, Enterprise Applications, Security Principals, Service Principals and Managed Identities:

An App Registration represents an OAuth2 resource server. Enterprise Application is just another name for Security Principals. Security principals like users or service principals represent OAuth2 clients. They can obtain tokens in scope of specific App Registration from their Entra ID Directory, which acts as the OAuth2 issuer for OAuth2 token issuance. See Entra ID Docs

To access resources that are secured by a Microsoft Entra tenant, the entity that requires access must be represented by a security principal.

For each Security Principal there can exist either one App Registration or one Managed Identity in any Entra ID Tenant. The same App Registration might be represented in multiple Entra ID Tenants by a Security Principal (in case of multi-tenant apps).

To put it very short - "Application registration" abstraction is a global, not tenant-specific, object/identity with particular properties. It has unique ApplicationID (ClientID) GUID.

"Service principal" is an instantiated version of that application in a specific tenant (or tenants). It's linked to that global application with ApplicationID. You assign roles to it enabling access to your resources.

"Enterprise application" is a wrapper, management interface, for that Service Principal, that provides some extra functionality (assigning of users and groups, conditional access etc.).

Best way I can explain it...

An Enterprise Application is the local representation/registration in your Azure directory of a global app. Registering an Enterprise application does not also create an app registration. To assign roles to the enterprise app you would select it under the "service principal" category. This service principal can only be used in your tenant. 3rd party apps can be given access to your tenant this way.

An app registration is a globally unique instance linked to a local application in your local tenant. When created it creates the app reg (application object) and the Service Principal (Enterprise App).Again if you assign roles to a resource for the app reg you would select it under the "service Principal" category. To use an app reg in multiple tenants each tenant needs an Enterprise App (Service Principal) in their home directory. This way you can have your app access other directories potentially.

To go further a Managed Identity is tied to a resource in your local directory and allows you to give access in your tenant only from resource to resource. For example and app service to a key vault.