Forum Discussion
app registrations - any way to prevent owners from changing / adding API permissions
Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.
You have to manually add each app as needed though, there is no "dynamic" scope of "all apps I own" that you can use, if that's what you mean.
- DaveTheTeamsGuy, Dec 01, 2022, Iron Contributor
Yeah, that's kind of what I'm getting at. App registration ownership allows app owners to basically do anything with SPs they own except grant admin consent. I want to prevent SP owners from doing certain things like modifying API permissions while allowing them to do other things like update their own certs / client secrets.
- DaveTheTeamsGuy, Dec 01, 2022, Iron Contributor
I think maybe I got it; it's in the "Assign the custom role" section of the article. So far testing is positive, however there is a syntax error there for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
...should instead be
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
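The following is an added, end-to-end example of the approach discussed above (it is not code from the thread or from the Microsoft article): it defines a custom directory role that grants only microsoft.directory/applications/credentials/update, then assigns that role to a user once per application object the user owns, scoped with -DirectoryScopeId (the corrected parameter). It uses the same AzureAD module cmdlets as the thread; the role name, description and the user principal name are assumptions, and there is still no "all apps I own" scope, so the per-app loop is how the scoping has to be done.

```powershell
# Added example (not from the thread): custom role limited to credential updates,
# assigned per owned app registration. Requires the AzureAD or AzureADPreview module
# and a session with Privileged Role Administrator rights.
Connect-AzureAD | Out-Null

$displayName = "App Credential Manager (custom)"   # assumed role name
$description = "Can rotate client secrets/certificates on assigned app registrations only"

# Only credential updates are granted. The action that changes API permissions
# (microsoft.directory/applications/permissions/update) is deliberately left out.
$rolePermissions = @{
    'allowedResourceActions' = @("microsoft.directory/applications/credentials/update")
}

# Create the role definition once; reuse it on later runs.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$displayName'"
if (-not $roleDefinition) {
    $roleDefinition = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions `
        -DisplayName $displayName -Description $description `
        -TemplateId (New-Guid).Guid -IsEnabled $true
}

# Assign the role to one user, scoped to each application object that user owns.
# The scope for an app registration is "/" followed by the application's object id.
function Grant-OwnedAppCredentialRole {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $ownedApps = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId |
        Where-Object { $_.ObjectType -eq 'Application' }

    foreach ($app in $ownedApps) {
        $resourceScope = '/' + $app.ObjectId

        # Skip apps where this user already holds the role at this scope.
        $existing = Get-AzureADMSRoleAssignment `
            -Filter "principalId eq '$($user.ObjectId)' and roleDefinitionId eq '$($roleDefinition.Id)'" |
            Where-Object { $_.DirectoryScopeId -eq $resourceScope }
        if ($existing) { continue }

        # -DirectoryScopeId (not -ResourceScope) is the parameter that takes the scope.
        New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope `
            -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.ObjectId | Out-Null
        Write-Host "Assigned '$displayName' to $UserPrincipalName at scope $resourceScope"
    }
}

Grant-OwnedAppCredentialRole -UserPrincipalName 'owner@contoso.com'   # assumed UPN
```

Two points worth checking after running this. First, the assignment is per application object, so a user gets the role only on the apps enumerated for them, not on every app that has the custom role assigned to someone. Second, directory role assignments are additive: while the user remains an owner of the app registration they keep the full owner capability, including changing API permissions, so the custom role only restricts them once the ownership itself is removed (for example with Remove-AzureADApplicationOwner) and the scoped role assignment takes its place.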
- TOnymcgra, Dec 14, 2023, Copper Contributor
DaveTheTeamsGuy, in the normal scenario where you have multiple app registrations with multiple owners, some own some app registrations and others own other app registrations, and they do not own each other's, so they look after their own and should not have access to others: with this approach outlined using this custom role, does it now mean that when assigning the custom role to all app registrations, and adding all owners to that custom role, all owners have access to all of each other's app registrations and can access the client secrets? You are not limiting owners to access only their own app registrations that they are responsible for; they can then access all that have the custom role assigned?