cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

app registrations - any way to prevent owners from changing / adding API permissions

DaveTheTeamsGuy
Super Contributor

‎Nov 29 2022 11:41 AM - edited ‎Nov 29 2022 11:41 AM

‎Nov 29 2022 11:41 AM - edited ‎Nov 29 2022 11:41 AM

app registrations - any way to prevent owners from changing / adding API permissions

We would like to allow owners to update their client secrets / certs but prevent them from modifying or adding API permissions.  Is there a way to modify the default app registration owner role to do this?

Labels:
654 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Nov 30 2022 12:33 AM

‎Nov 30 2022 12:33 AM

Re: app registrations - any way to prevent owners from changing / adding API permissions

You can create a custom role with just permissions to change the credentials: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps

microsoft.directory/applications/credentials/update should be sufficient.
0 Likes
Reply
DaveTheTeamsGuy

‎Nov 30 2022 04:42 AM - edited ‎Nov 30 2022 04:47 AM

‎Nov 30 2022 04:42 AM - edited ‎Nov 30 2022 04:47 AM

Re: app registrations - any way to prevent owners from changing / adding API permissions

Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.

0 Likes
Reply
Vasil Michev

‎Nov 30 2022 08:39 AM

‎Nov 30 2022 08:39 AM

Re: app registrations - any way to prevent owners from changing / adding API permissions

No, it's not specific to enterprise apps, and you can scope it down to individual app/SP if needed. Follow the references in the above article for more details.
You have to manually add each app as needed though, there is no "dynamic" scope of "all apps I own" that you can use, if that's what you mean.
0 Likes
Reply
DaveTheTeamsGuy

‎Dec 01 2022 10:50 AM

‎Dec 01 2022 10:50 AM

Re: app registrations - any way to prevent owners from changing / adding API permissions

Yeah, that's kind of what I'm getting at. App registration ownership allows app owners to basically do anything with SPs they own except grant admin consent. I want to prevent SP owners from doing certain things like modifying API permissions while allowing them to do other things like update their own certs / client secrets.


0 Likes
Reply
DaveTheTeamsGuy

‎Dec 01 2022 11:47 AM

‎Dec 01 2022 11:47 AM

Re: app registrations - any way to prevent owners from changing / adding API permissions

Think maybe I got it, it's in the Assign the custom role section of the article. So far testing is positive, however there is a syntax error there for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:

$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId

 

...should instead be

 

$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId

 

0 Likes
Reply