Application.ReadWrite.OwnedBy: List all applications owned by the calling application


Hi, I am trying to get only the applications that my app owns using Graph, and the documentation shows that I should be able to list only the applications where my app is the owner. (This is to limit the content I have access to with my app.)

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs

Application

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id})
  • Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications)
  • Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects)
  • Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref).

    NOTE: This may require additional permissions.

However, if I create an app that has owner permissions on another app and I query against the Graph API "Applications" I am still able to list all applications in the tenant.

I thought having my app added as an owner on an application, and having only that permission on my app, would limit my result? Am I missing something here?

Adding the app as an owner in the following way:

Connect-AzureAD

# The application whose owner list is being changed (object id taken from the portal)
$objectIdOfApplicationToChange = Get-AzureADApplication -ObjectId "6929067b-b9ab-4bf6-bb17-81be5eb31ba1"

# The application that should become an owner of the one above
$objectIdOfApplicationThatNeedsToBeAdded = Get-AzureADApplication -ObjectId "21780578-3035-47c1-8096-a1641ab3123d"

# Owners are service principals, not application objects, so first resolve the
# service principal whose AppId matches the owning application
$ownerServicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $objectIdOfApplicationThatNeedsToBeAdded.AppId }

Add-AzureADApplicationOwner -ObjectId $objectIdOfApplicationToChange.ObjectId -RefObjectId $ownerServicePrincipal.ObjectId

When I query the Graph through PowerShell, I was hoping to get a 403 when querying all applications...

Has anyone tried to limit the result you get back using this permission? It is not a wanted solution to give this app permissions to read all applications, therefore we need to limit the access...
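An added example, not code from the original post: it reads only the applications the calling app owns through the ownedObjects endpoint listed in the permissions table above, follows paging, and compares the count with what GET /applications returns, so the scope the token really grants is visible. It assumes the Microsoft.Graph PowerShell SDK with app-only certificate authentication; the tenant id, client id, thumbprint and service principal id are placeholders.

```powershell
# Added example (not from the original post). Placeholders must be replaced
# with the calling app's tenant id, app id, certificate thumbprint and the
# object id of its service principal (the owner that was added).
Connect-MgGraph -TenantId '<tenant-id>' -ClientId '<app-id-of-calling-app>' -CertificateThumbprint '<cert-thumbprint>'
$callerSpId = '<service-principal-object-id-of-calling-app>'

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    # Follow @odata.nextLink so a paged result is not silently truncated.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($page.value) { $items += $page.value }
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Only the applications this service principal owns (the OData cast keeps
# application objects and drops any other owned object types).
$ownedUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$callerSpId/ownedObjects/microsoft.graph.application?`$select=id,appId,displayName"
$owned = Get-GraphCollection -Uri $ownedUri
"Owned applications: $($owned.Count)"
$owned | Format-Table displayName, appId, id

# What the same token can read from the tenant-wide collection. A 403 here
# means the permission scopes reads; a full list means it does not.
try {
    $all = Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName'
    "Applications readable via GET /applications: $($all.Count)"
    if ($all.Count -gt $owned.Count) {
        "GET /applications returns more than the owned set; read access is not limited to owned apps."
    }
} catch {
    "GET /applications was refused: $($_.Exception.Message)"
}
```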

1 Reply

@Tore_Melberg Could you please ask this question on Microsoft Q&A, as it is not to do with Search but with the broader Microsoft Graph? There are teams there that monitor those forums: https://docs.microsoft.com/en-us/answers/topics/microsoft-graph-users.html