Forum Discussion
app registrations - any way to prevent owners from changing / adding API permissions
microsoft.directory/applications/credentials/update should be sufficient.
- DaveTheTeamsGuy, Nov 30, 2022, Iron Contributor
Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.
- VasilMichev, Nov 30, 2022, MVP
No, it's not specific to enterprise apps, and you can scope it down to individual app/SP if needed. Follow the references in the above article for more details.
You have to manually add each app as needed though, there is no "dynamic" scope of "all apps I own" that you can use, if that's what you mean.
- DaveTheTeamsGuy, Dec 01, 2022, Iron Contributor
Think maybe I got it, it's in the Assign the custom role section of the article. So far testing is positive, however there is a syntax error there for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
...should instead be
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
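Putting the thread's conclusion together as an added example (not code from the thread or from Microsoft's docs): it creates a custom role carrying only the credentials/update action, assigns it with the corrected -DirectoryScopeId parameter once per app registration the user owns, since no "all apps I own" scope exists, and then lists the resulting scopes. The role name and UPN are placeholders, and enumerating owned app registrations with Get-AzureADUserOwnedObject is my assumption.

```powershell
# Added example, not from the thread. Uses the AzureAD module cmdlets discussed above.
Connect-AzureAD

$roleName = "App Credential Updater"    # placeholder display name
$ownerUpn = "owner@contoso.example"     # placeholder user

# 1. Custom role with the single permission from the thread (no API-permission actions).
$rolePermissions = @{ 'allowedResourceActions' = @("microsoft.directory/applications/credentials/update") }
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDefinition) {
    $roleDefinition = New-AzureADMSRoleDefinition -DisplayName $roleName `
        -Description "Update client secrets/certificates only" `
        -RolePermissions $rolePermissions -IsEnabled $true
}

# 2. Resolve the assignee and the app registrations they own (assumption: owned objects
#    of type 'Application' are the app registrations). Scope must be set per app.
$user = Get-AzureADUser -Filter "userPrincipalName eq '$ownerUpn'"
$ownedApps = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId |
    Where-Object { $_.ObjectType -eq 'Application' }

# Existing assignments of this role to this user, so re-running the script is idempotent.
$current = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)' and roleDefinitionId eq '$($roleDefinition.Id)'"

foreach ($app in $ownedApps) {
    $scope = "/" + $app.ObjectId        # directoryScopeId for one application object
    if ($current | Where-Object { $_.DirectoryScopeId -eq $scope }) { continue }
    New-AzureADMSRoleAssignment -DirectoryScopeId $scope `
        -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.ObjectId | Out-Null
    Write-Host "Assigned '$roleName' to $ownerUpn scoped to '$($app.DisplayName)' ($scope)"
}

# 3. Verify: every scope should be a single app object, never "/" (tenant-wide).
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Select-Object DirectoryScopeId, RoleDefinitionId
```

The custom role only grants the credentials action; it does not take away anything the user already has through app ownership, so if the goal is to stop owners changing API permissions, check what ownership itself still allows on those apps.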