Forum Discussion
Philip_Lewis
Mar 18, 2024 · Copper Contributor
Entra App Registration Delegation
Hi,
We have a developer community who require the ability to perform app registration in an automated fashion but the IT group say there are objects in Entra ID which they don't want to be accessible. How can we achieve this. I think the options are:
1. Move the sensitive objects out of Entra ID - but then where would they live?
2. Segregate the sensitive data from the non sensitive data and give the devs access to only the non-sensitive part of Entra ID - I think this is what Admin Units are probably intended for but they are only in preview so we cannot use them fully yet. Without these how do other people manage the above?
Any thoughts / suggestions / insights gratefully received.
Cheers
P
2 Replies
- bbhorrigan (Brass Contributor): New tenant is how I would do it. You can effectively manage access and reduce the risk of unauthorized exposure while still providing the necessary functionality and flexibility for your devs.
- There are the custom/limited app-centric roles that you can leverage: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/quickstart-app-registration-limits
Or consider spinning up a different tenant for those apps.
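As an added illustration of the app-centric custom role approach from the reply above (this is example code, not something posted in the thread or taken from the linked quickstart), the script below uses the Microsoft Graph PowerShell SDK to create a custom Entra directory role that only allows creating app registrations as owner and updating credentials on them, assigns it to a developers' group tenant-wide for the create action, and then shows a second assignment scoped to a single existing app registration. The group name ("App Developers") and the app display name ("payments-api") are assumptions chosen for the example; the resource action strings and cmdlets are the standard Graph ones, but check the linked quickstart for the exact set of actions your tenant permits and the scope rules that apply to each.

```powershell
# Added example: delegate app registration to developers with a custom role,
# without handing out Application Administrator or Cloud Application Administrator.
# Requires the Microsoft.Graph PowerShell SDK and a role allowed to manage roles.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All","Group.Read.All"

# 1. Define a least-privilege custom role. createAsOwner makes the caller the
#    owner of anything it creates, so the dev can manage only their own apps.
#    The credentials/update action is what the quickstart scopes per app.
$roleName = "App Registration Developer (custom)"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $roleName `
        -Description "Create app registrations as owner and rotate credentials on assigned apps" `
        -IsEnabled:$true `
        -RolePermissions @(
            @{ allowedResourceActions = @(
                "microsoft.directory/applications/createAsOwner",
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            ) }
        )
}

# 2. Assumed developers' security group (assumption for this example).
$devGroup = Get-MgGroup -Filter "displayName eq 'App Developers'"
if (-not $devGroup) { throw "Group 'App Developers' not found; create it or change the name." }

# 3. Tenant-wide assignment ("/" scope) so members can create new registrations.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $devGroup.Id `
    -DirectoryScopeId "/"

# 4. Per-app assignment: scope the same role to one existing registration
#    (assumed display name). The scope is the app's object id, so the group
#    can update that app's credentials but touch nothing else in the tenant.
$app = Get-MgApplication -Filter "displayName eq 'payments-api'"
if ($app) {
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $devGroup.Id `
        -DirectoryScopeId "/$($app.Id)"
}

# 5. Review what the group now holds; anything broader than expected is a finding.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($devGroup.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Two practical caveats: the create action can only be assigned at tenant scope (there is no object yet to scope it to), so the per-app assignment is what keeps the blast radius small for existing apps; and none of this stops a developer from reading directory objects that are readable by all members by default, which is the concern in the original question and is addressed by a separate tenant or by restricting default member permissions, not by roles.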