Application.ReadWrite.OwnedBy: List all applications owned by the calling application


Hi, I am trying to get only the applications that my app owns using Graph, and on the documentation it shows that I should be able to only list the applications where my app is owner. (This is to limit the content I have access to with my app)

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs: https://docs.microsoft.com/en-us/graph/permissions-reference

Application

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id})
  • Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications)
  • Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects)
  • Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref).

    NOTE: This may require additional permissions.

However, if I create an app that has owner permissions on another app and I query against the Graph API "Applications" I am still able to list all applications in the tenant.

I thought having me added as owner on an application, and having only that permission on my app, would limit my result? Am I missing something here?

[screenshot: Tore_Melberg_0-1617054599072.png]

[screenshot: Tore_Melberg_1-1617054655263.png]

Adding the app as an owner in the following way: 

Connect-AzureAD

# The application registration that should receive the new owner
$objectIdOfApplicationToChange = Get-AzureADApplication -ObjectId "6929067b-b9ab-4bf6-bb17-81be5eb31ba1"

# The application whose service principal will be added as an owner
$objectIdOfApplicationThatNeedsToBeAdded = Get-AzureADApplication -ObjectId "21780578-3035-47c1-8096-a1641ab3123d"

# Owners are directory objects, so look up the service principal with the matching AppId and add its ObjectId as the owner reference
Add-AzureADApplicationOwner -ObjectId $objectIdOfApplicationToChange.ObjectId -RefObjectId (Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -like $objectIdOfApplicationThatNeedsToBeAdded.AppId }).ObjectId

[screenshot: Tore_Melberg_2-1617054793503.png]

When I query the Graph through PowerShell, I was hoping to get a 403 when querying all applications...

[screenshot: Tore_Melberg_3-1617055344196.png]

Anyone tried to limit the result you get back using this permission? It is not a wanted solution to give permissions to read all applications for this app, therefore we need to limit the access...
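The check the post is looking for, written up as an added example (not code from the original post, and not Microsoft's): a Python script that enumerates the applications the calling app owns through GET /servicePrincipals/{id}/ownedObjects, then probes GET /applications and records whether tenant-wide listing is denied, which is the 403 the post hoped to see. Assumptions, all mine: the bearer token is acquired elsewhere (a placeholder stands in for it), the calling app's service principal object id is already known, the v1.0 endpoint is used rather than the /beta paths quoted from the docs, and the HTTP transport is injectable so the logic can run offline against constructed responses. The 403 body shape (Authorization_RequestDenied) is the one Graph typically returns for insufficient app permissions; the copy in the script is a constructed sample, not a captured response.

```python
"""Least-privilege check for an app that should only hold Application.ReadWrite.OwnedBy.

Added example, not the original post's code. ACCESS_TOKEN and SP_OBJECT_ID are
placeholders (assumption: obtained by the caller). The transport is injectable so
the check can be exercised offline with constructed Graph responses.
"""
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ACCESS_TOKEN = "<placeholder-bearer-token>"          # assumption: acquired elsewhere
SP_OBJECT_ID = "<placeholder-service-principal-id>"  # assumption: the calling app's SP


def graph_get(url, token):
    """Real transport: returns (status, parsed JSON). Graph returns a JSON body on errors too."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def list_owned_applications(sp_object_id, token, http_get=graph_get):
    """Walk every page of /servicePrincipals/{id}/ownedObjects and keep only
    the directory objects that are application registrations."""
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/ownedObjects"
    owned = []
    while url:
        status, body = http_get(url, token)
        if status != 200:
            code = body.get("error", {}).get("code")
            raise RuntimeError(f"ownedObjects request failed: {status} {code}")
        for obj in body.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.application":
                owned.append({"id": obj["id"], "appId": obj.get("appId"),
                              "displayName": obj.get("displayName")})
        url = body.get("@odata.nextLink")  # absent on the last page
    return owned


def tenant_wide_listing_denied(token, http_get=graph_get):
    """Probe GET /applications. With only ownership-scoped permissions this should be 403;
    a 200 means the token's effective permissions cover tenant-wide reads."""
    status, body = http_get(f"{GRAPH}/applications?$top=1", token)
    if status == 403:
        return True
    if status == 200:
        return False
    raise RuntimeError(f"unexpected status {status}: {body}")


def least_privilege_report(sp_object_id, token, http_get=graph_get):
    """Combine both checks into one result a reviewer can assert on."""
    owned = list_owned_applications(sp_object_id, token, http_get)
    return {
        "owned_application_ids": sorted(app["id"] for app in owned),
        "tenant_wide_listing_denied": tenant_wide_listing_denied(token, http_get),
    }


# Constructed sample responses (not real tenant data) so the check runs offline.
_PAGE1 = f"{GRAPH}/servicePrincipals/sp-0000/ownedObjects"
_PAGE2 = _PAGE1 + "?$skiptoken=page2"
FAKE_RESPONSES = {
    _PAGE1: (200, {"value": [
        {"@odata.type": "#microsoft.graph.application", "id": "app-aaaa",
         "appId": "11111111-1111-1111-1111-111111111111", "displayName": "Owned App A"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-cccc",
         "displayName": "Owned SP (not an application, filtered out)"},
    ], "@odata.nextLink": _PAGE2}),
    _PAGE2: (200, {"value": [
        {"@odata.type": "#microsoft.graph.application", "id": "app-bbbb",
         "appId": "22222222-2222-2222-2222-222222222222", "displayName": "Owned App B"},
    ]}),
    f"{GRAPH}/applications?$top=1": (403, {"error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation."}}),
}


def fake_get(url, token):
    """Offline transport used in place of graph_get."""
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print(json.dumps(least_privilege_report("sp-0000", "fake-token", fake_get), indent=2))
```

To run it against a real tenant, replace the placeholders and call `least_privilege_report(SP_OBJECT_ID, ACCESS_TOKEN)` with the default transport. If `tenant_wide_listing_denied` comes back False, the token's effective permissions include more than ownership-scoped reads; the granted application permissions on the app registration and the `roles` claim in the app-only token are where to look before treating OwnedBy as a boundary.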

1 Reply

@Tore_Melberg Could you please ask this question on Microsoft Q&A as it is not to do with Search but broader Microsoft Graph? There are teams there that monitor those forums https://docs.microsoft.com/en-us/answers/topics/microsoft-graph-users.html