When deploying Azure Stack in a connected POC environment, Azure Stack registers a set of applications in the AAD tenant.
You can see this from the Azure Active Directory blade in your Azure subscription. This is interesting because it shows some of the major entry points into Azure Stack need to be securely verified. So these entry (or END) points are registered in AAD proper and use the concept of Application authentication. Now if one needed to secure these END points by MFA, conditional access etc., then this is indeed possible.
The following are screen shots from a TP3 deployment (click to see picture in full size)
Over a period of time, OR as you deploy multiple times and register into the same AAD tenant you might end up with more than the desired number of application-entries(or Service Principals), and might want to consider cleaning them up. This can be deleted from the portal OR by using Powershell.