Hallelujah! Azure AD delegated application management roles are in public preview!

First published on CloudBlogs on Jun, 13 2018
Howdy folks, Today is a big day. I'm bouncing up and down at my PC as I type this because I'm just so happy to announce the public preview of our new delegated app management roles. If you have granted people the Global Administrator role for things like configuring enterprise applications, you can now move them to this lesser privileged role. Doing so will help improve your security posture and reduce the potential for unfortunate mistakes. Additionally, we're adding support for per-application ownership, which allows you to grant full management permissions on a per-application basis. And lastly, we're introducing a role that allows you to selectively grant people the ability to create application registrations. Read on for more details about each of these new permissions options!

Application administrator roles as an alternative to global administrator

Use the following roles to grant people access to manage all your directory's applications without granting all other unrelated and powerful permissions included in the global administrator role.
  • Application Administrator : This role provides the ability to manage all applications in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access.
  • Cloud Application Administrator : This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access).
You can assign these new roles in the Azure AD portal , on the Directory roles tab of the user profile blade, or in Azure AD Privileged Identity Management .

Read more about the application administrator roles, including more specifics on permissions .

Granting ownership access to manage individual enterprise applications

We now support ownership for enterprise applications so you can do even finer grained delegation if you want. This complements the existing support for assigning application registration owners. Ownership is assigned on a per-enterprise application basis in the enterprise apps blade. The benefit is owners can manage only the enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that owner can manage access to and configuration for Salesforce, and no other applications. An enterprise application can have many owners, and a user can be the owner for many enterprise applications.
  • Enterprise Application Owner : This role grants the ability to manage 'owned' enterprise applications, including SSO settings, user and group assignments, and adding additional owners. It does not grant the ability to manage Application Proxy settings or conditional access.
  • Application Registration Owner : This role was previously available and grants the ability to manage 'owned' application registrations, including the application manifest and adding additional owners.
You can assign an enterprise application owner in the Azure AD portal , on the Owners tab of the enterprise applications blade.

You can learn more about enterprise application ownership here .

Selectively allowing people to create application registrations

By default, all users can create application registrations. You can disable this by setting "Users can register applications" to No. Starting today, using the new Application Developer role, you can selectively grant back the ability to create application registrations to people as needed.
  • Application Developer : This role grants the ability to create application registrations when the 'Users can register applications' switch is set to No. Application Developers can also consent for themselves when the 'users can consent to applications accessing company data on their behalf' switch is set to No. When an Application Developer creates a new application registration, they are automatically added as the first owner.
You can assign the Application Developer role in the Azure AD portal , on the Directory roles tab of the user profile blade, or in Azure AD Privileged Identity Management . As always, we'd love to hear your feedback, thoughts, and suggestions! Feel free to share with us on the Azure AD administrative roles forum , or leave comments below. We look forward to hearing from you. Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division
Occasional Visitor

For enterprise applications, during sign on the application roles a user belongs to can be accessed during authentication to Azure AD (via Claims).  Is there a way to request that a claim be returned for owners as well?

Regular Visitor

What is the purpose of Application Administrator Role, as it is affected by "Users can consent apps accessing company data on their behalf" option? If this option is set to "No", then Application Administrator cannot consent to any app any permission. With that respect, the Application Administrator is less powerful than Application Developer, and is equal to a regular user.

If I have to set "Users can consent apps accessing company data on their behalf" to "Yes", then why would I need Application Administrator role at all?

The statement in the description: "This role also grants the ability to consent to delegated permissions, and application permissions excluding Microsoft Graph and Azure AD Graph." is totally wrong and misleading, because every single user in my directory has that power when "Users can consent apps accessing company data on their behalf" is set to "Yes".

Senior Member

Is it an oversight that Application Owners cannot configure any of the Self Service blade settings of applications they own?
Or is there a good reason that they don't have that level of ownership?


Hi folks,

Thank you for the feedback.

@Adam Drews, there is not a way to get the ownership link via a token claim. You'll need to call Graph API for that.

@astaykov, this looks like a bug. App admins should still be able to consent when self-service consent is disabled. Thanks for reporting it. We're investigating.

@Thomas Wismer, application owners are not able to configure self-service settings. The settings are controlled by an organization-level service. App admins and cloud app admins are able to do so, however. I'll make sure this gets documented properly.



Vince Smith