Azure AD SSO App Management Permissions


Hi,

I've got a query around access to manage Azure AD SSO applications. Our IT provider "specialists" are suggesting that in order to manage Azure AD SSO applications they need to be Global Admins. I find this hard to believe that Microsoft would make this level of access a requirement to simply manage some of the SSO application settings. They report that when they click on an application to manage SSO settings, etc. they get the error: "You do not have permissions to manage this application."

Can anyone confirm or point me in the direction of how you allow people access to manage the applications rather than granting them the whole Global Admin shebang!

 

cheers

baronn

3 Replies

Your consultant was correct, that level of Admin was required. However, that screen is from the classic Azure portal which is being phased out. Azure AD was recently released to General Availability in the new Azure portal which provides many improvements (such as extensive Role Based Access Controls) and you will want to start using that location for your AAD tasks. A listing of the various admin roles is at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles. Unfortunately, there does not seem to be a specific role to limit admins to manage just the apps that need SSO. You may want to create a custom Role if this is a requirement.

 

On a related note, you may want to use the Azure Privileged Identity Management functionality to control the time period used by Admins, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-managem...

 

 

 

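Thanks, I've been using the new portal for a while, but not entirely sure where the specific area is to create a custom role... I'll have a dig around.

The instructions are at https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles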