Microsoft Tech Community

app registrations - any way to prevent owners from changing / adding API permissions


We would like to allow owners to update their client secrets / certs but prevent them from modifying or adding API permissions.  Is there a way to modify the default app registration owner role to do this?

You can create a custom role with just permissions to change the credentials: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps

microsoft.directory/applications/credentials/update should be sufficient.

Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.

No, it's not specific to enterprise apps, and you can scope it down to individual app/SP if needed. Follow the references in the above article for more details.
You have to manually add each app as needed though, there is no "dynamic" scope of "all apps I own" that you can use, if that's what you mean.
Yeah, that's kind of what I'm getting at. App registration ownership allows app owners to basically do anything with SPs they own except grant admin consent. I want to prevent SP owners from doing certain things like modifying API permissions while allowing them to do other things like update their own certs / client secrets.


Think maybe I got it, it's in the Assign the custom role section of the article. So far testing is positive, however there is a syntax error there for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:

$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId

...should instead be

$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId

@DaveTheTeamsGuy In the normal scenario where you have multiple App registrations with multiple owners, some own some App registrations and others own other App registrations, and they do not own each other's, so they look after their own and should not have access to the others. With this approach outlined, using this custom role, does it now mean that when assigning the custom role to all App registrations, and adding all owners to that custom role, all owners have access to all of each other's App registrations and can access the client secrets? You are not limiting owners to access only their own App registrations that they are responsible for? They can then access all that have the custom role assigned?
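To tie together the custom-role approach from the earlier replies and the corrected -DirectoryScopeId assignment above, here is an added example script (not code from the thread or from Microsoft's article) that creates one custom role carrying only microsoft.directory/applications/credentials/update and then grants it per app registration: each owner gets a separate assignment whose directory scope is that single app's object id, so the owner of app A receives nothing on app B. It uses the AzureAD PowerShell module cmdlets the thread already uses (Connect-AzureAD, New-AzureADMSRoleDefinition, Get-AzureADApplication, Get-AzureADApplicationOwner, New-AzureADMSRoleAssignment, Remove-AzureADApplicationOwner); the role display name and the $removeOwnership switch are assumptions for the example. Two caveats a practitioner should keep in mind: Entra role assignments are additive, so an account that stays an owner keeps full owner rights (including editing API permissions) regardless of the custom role, which is why the script offers to remove ownership after the scoped assignment exists; and the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where New-MgRoleManagementDirectoryRoleDefinition and New-MgRoleManagementDirectoryRoleAssignment take the same DisplayName / RolePermissions / DirectoryScopeId style of input.

```powershell
# Added example: one credential-only custom role, assigned per (app registration, owner) pair.
# Run as a Privileged Role Administrator. Role name and $removeOwnership are assumptions.
param(
    [string]$RoleName = "App Credential Rotator",   # assumed display name
    [switch]$removeOwnership                        # drop ownership once the scoped role exists
)

Connect-AzureAD | Out-Null

# 1. Create the custom role once. The only action granted is updating credentials
#    (client secrets / certificates); API permission changes are not included.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $roleDefinition) {
    $rolePermissions = @{
        'allowedResourceActions' = @(
            "microsoft.directory/applications/credentials/update"
        )
    }
    $roleDefinition = New-AzureADMSRoleDefinition `
        -DisplayName $RoleName `
        -Description "Rotate client secrets and certificates on the assigned app registration only" `
        -TemplateId (New-Guid).Guid `
        -RolePermissions $rolePermissions `
        -IsEnabled $true
    Write-Host "Created custom role '$RoleName' ($($roleDefinition.Id))"
}

# 2. For each app registration, grant the role to its current owners, scoped to that app only.
#    The scope is '/<app object id>', so an assignment on app A says nothing about app B.
$apps = Get-AzureADApplication -All $true
foreach ($app in $apps) {
    $scope = '/' + $app.ObjectId
    $owners = Get-AzureADApplicationOwner -ObjectId $app.ObjectId

    foreach ($owner in $owners) {
        # Idempotency: filter server-side on the principal, then narrow client-side to this role+scope.
        $existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($owner.ObjectId)'" |
            Where-Object { $_.RoleDefinitionId -eq $roleDefinition.Id -and $_.DirectoryScopeId -eq $scope }

        if (-not $existing) {
            New-AzureADMSRoleAssignment `
                -DirectoryScopeId $scope `
                -RoleDefinitionId $roleDefinition.Id `
                -PrincipalId $owner.ObjectId | Out-Null
            Write-Host "Assigned '$RoleName' to $($owner.DisplayName) on '$($app.DisplayName)' (scope $scope)"
        }

        # 3. Optional: ownership is a superset of the custom role, so leaving it in place
        #    would still let this principal edit API permissions. Remove it only after
        #    the scoped assignment is confirmed.
        if ($removeOwnership) {
            Remove-AzureADApplicationOwner -ObjectId $app.ObjectId -OwnerId $owner.ObjectId
            Write-Host "Removed ownership of '$($app.DisplayName)' from $($owner.DisplayName)"
        }
    }
}
```

Run it once without -removeOwnership and review the assignments in the portal under the app's "Roles and administrators" blade; the list for each app should show only that app's former owners. Because the assignments are per app, onboarding a new app registration means re-running the script (there is no "all apps I own" dynamic scope, as noted earlier in the thread).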