What was strange to me was that for v1, the registration is at the tenant level, while for v2 the app is registered at a (personal) account level. I suppose this is to support apps developed outside a particular tenant? How should this be managed exactly? The owner of the account used to register the app can leave the company, and there is no overview of these apps on our tenant to manage them? Or am I missing something?
Can you just create a service account in Azure AD (as in, an account that's named for what it's for) and use that in the endpoint config? Then you don't need to worry if someone leaves, or, if it's an on-prem account synced across, that ADFS might be down and unable to support auth.