DaveTheTeamsGuy (Iron Contributor)
Nov 29, 2022
app registrations - any way to prevent owners from changing / adding API permissions
We would like to allow owners to update their client secrets / certs but prevent them from modifying or adding API permissions. Is there a way to modify the default app registration owner role to do this?
- You can create a custom role with just permissions to change the credentials: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps
microsoft.directory/applications/credentials/update should be sufficient.
- DaveTheTeamsGuy (Iron Contributor)
Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.
- No, it's not specific to enterprise apps, and you can scope it down to individual app/SP if needed. Follow the references in the above article for more details.
You have to manually add each app as needed though; there is no "dynamic" scope of "all apps I own" that you can use, if that's what you mean.
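
The approach described in the replies above, as an added example that is not part of any post in this thread: a custom role carrying only `microsoft.directory/applications/credentials/update`, assigned once per app registration because there is no "all apps I own" scope. It assumes the Microsoft.Graph PowerShell module; the role name and the user principal name are placeholders.

```powershell
# Added example, not code from the thread. Role name and UPN are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','Application.Read.All','User.Read.All'

$roleName = 'App Credential Updater'      # hypothetical custom role name
$userUpn  = 'owner@contoso.example'       # placeholder account

# 1. Create the custom role once. It carries only the credential-update action,
#    so it cannot be used to add or change API permissions.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $roleName `
        -Description 'Can update secrets and certificates on scoped app registrations.' `
        -TemplateId (New-Guid).Guid `
        -IsEnabled `
        -RolePermissions @{
            allowedResourceActions = @('microsoft.directory/applications/credentials/update')
        }
}

# 2. List the app registrations this user currently owns. Owned objects also
#    include service principals and groups, so filter on the OData type.
$user      = Get-MgUser -UserId $userUpn
$ownedApps = Get-MgUserOwnedObject -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.application' }

# 3. One assignment per app, scoped to that app's object id ("/<objectId>").
#    Existing assignments are read first so the script can be re-run safely.
$current = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All

foreach ($app in $ownedApps) {
    $scope = "/$($app.Id)"
    $already = $current | Where-Object {
        $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $scope
    }
    if (-not $already) {
        New-MgRoleManagementDirectoryRoleAssignment `
            -PrincipalId $user.Id `
            -RoleDefinitionId $role.Id `
            -DirectoryScopeId $scope | Out-Null
    }
    '{0}  scope={1}' -f $app.AdditionalProperties['displayName'], $scope
}
```

The script only adds scoped role assignments; it leaves the owner relationship on each app untouched, and it has to be re-run when the user is given a new app, since the scope list is not dynamic.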