Enterprise app vs app reg in Entra

This has been a source of confusion for me, so I have made this visual representation of app regs and enterprise apps in Entra. I hope this simplifies the concepts.

As you can see, you register an app reg for your application in Entra, and it creates a corresponding enterprise application in your tenant for the same.

Generally you want the users assigned to groups, which can then be assigned to roles. The ID token generated will have the value assigned to the roles, and you can use the same to apply logic in your application code to assign permissions.

Service principals can be assigned directly to roles.
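
An added example, not part of the original post: one way application code can turn the role values in a token into permissions, denying by default. It assumes the token's signature, issuer, audience and expiry were already verified by a JWT library; the role values, permission names and sample payloads are hypothetical.

```python
# Added example: authorising on the role values carried in an Entra token.
# Assumption: `claims` is the decoded payload of a token that a JWT library
# has ALREADY verified (signature, issuer, audience, expiry).

# Hypothetical app role values mapped to permissions inside this application.
ROLE_PERMISSIONS = {
    "Reports.Read": {"report:view"},
    "Reports.Write": {"report:view", "report:edit"},
    "Admin.All": {"report:view", "report:edit", "user:manage"},
}


def roles_from_claims(claims):
    """Return the set of role values in the token; empty when there are none."""
    raw = claims.get("roles")
    if raw is None:
        return set()          # no "roles" claim: treat as no roles, never as "all"
    if isinstance(raw, str):
        raw = [raw]           # tolerate a single value
    if not isinstance(raw, list):
        return set()          # malformed claim grants nothing
    return {r for r in raw if isinstance(r, str)}


def permissions_for(claims):
    """Union of permissions for every recognised role; unknown roles add nothing."""
    perms = set()
    for role in roles_from_claims(claims):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(claims, permission):
    """Deny by default: allowed only if a recognised role grants the permission."""
    return permission in permissions_for(claims)


# Constructed sample payloads (not real tokens).
USER_VIA_GROUP = {"sub": "user-1", "roles": ["Reports.Write"]}
UNASSIGNED_USER = {"sub": "user-2"}
SERVICE_PRINCIPAL = {"sub": "sp-1", "roles": ["Admin.All", "Legacy.Unknown"]}

if __name__ == "__main__":
    for name, c in [("user via group", USER_VIA_GROUP),
                    ("unassigned user", UNASSIGNED_USER),
                    ("service principal", SERVICE_PRINCIPAL)]:
        print(name, sorted(permissions_for(c)))
```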