Adding privilege for provisioning of an Enterprise Application

New Contributor


To avoid the support task at our service desk, I would like to delegate the provisioning of one Enterprise Application which is used for SSO. Therefore I'm looking for the best practices for adding very limited privilege to one Azure AD user so that he can manage the group (add/remove users) for the provisioning.

I will appreciate your recommandations.

Thank you



2 Replies
Application/service principal management is one of the few areas where custom RBAC roles are supported in Azure AD, so you should be able to leverage those;
Hello Vasil,
Thanks to your information, I have created a custom role, assign it to a user and configure the access to a specific enterprise app
Unfortunately I observe that the user have access to other features as creating groups. I don't want that. My goal is to give a clear and limited access to a user (ideally I give him a link and he is directly in the context) so that he can just manage adding/removing users for provisining that app.
I will continue to search for a solution and appreciate your recommandations.
Thank you very much