Nov 29 2022 11:41 AM - edited Nov 29 2022 11:41 AM
We would like to allow owners to update their client secrets / certs but prevent them from modifying or adding API permissions. Is there a way to modify the default app registration owner role to do this?
Nov 30 2022 12:33 AM
Nov 30 2022 04:42 AM - edited Nov 30 2022 04:47 AM
Thank you for the response. That link is specific to enterprise apps. I'm looking for a way to scope permissions for owners of app registrations that they own (not all app registrations) to only be able to update their app registration's client secret / cert.
Nov 30 2022 08:39 AM
Dec 01 2022 10:50 AM
Dec 01 2022 11:47 AM
I think maybe I got it; it's in the "Assign the custom role" section of the article. So far testing is positive; however, there is a syntax error there for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
...should instead be
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
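As an added end-to-end example (not part of the original post), here is the corrected cmdlet in context: a custom role that allows only credential updates on app registrations, assigned to one owner with the scope set to a single app registration's object ID, so the assignment covers that registration only. The role name, app display name and user UPN are placeholder assumptions.

```powershell
# Assumes the AzureAD PowerShell module is installed and Connect-AzureAD has been run.
# Placeholder values: replace the display names and UPN with your own.
$roleDisplayName = 'App Registration Credential Updater'
$appDisplayName  = 'Contoso Sample App'
$ownerUpn        = 'owner@contoso.example'

# 1. Least-privilege permission set: only credential (secret/certificate) updates,
#    no basic-property or API-permission changes.
$allowedResourceActions = @('microsoft.directory/applications/credentials/update')
$rolePermission = New-Object -TypeName Microsoft.Open.MSGraph.Model.RolePermission `
    -Property @{ 'allowedResourceActions' = $allowedResourceActions }

# 2. Create the custom role once (reuse it if it already exists).
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleDisplayName'"
if (-not $roleDefinition) {
    $roleDefinition = New-AzureADMSRoleDefinition `
        -RolePermissions $rolePermission `
        -DisplayName $roleDisplayName `
        -Description 'Can rotate client secrets/certificates on assigned app registrations only' `
        -TemplateId (New-Guid).Guid `
        -IsEnabled $true
}

# 3. Resolve the app registration and the owner.
$appRegistration = Get-AzureADApplication -Filter "displayName eq '$appDisplayName'"
$user            = Get-AzureADUser -ObjectId $ownerUpn

# 4. Scope the assignment to this one app registration: '/' + the app's object ID.
#    Tenant-wide scope would be '/' alone; that is what you want to avoid here.
$resourceScope = '/' + $appRegistration.ObjectId

$roleAssignment = New-AzureADMSRoleAssignment `
    -DirectoryScopeId $resourceScope `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId $user.ObjectId

# 5. Verify: list assignments for this role and confirm each DirectoryScopeId is an app object ID, not '/'.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Repeat step 3 and step 4 once per owner/app-registration pair; the role itself is created once and carries no scope of its own, the scope lives entirely on each assignment.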
Dec 14 2023 01:13 AM
@DaveTheTeamsGuy in the normal scenario where you have multiple App registrations with multiple owners, some own some App registrations, others own other App registrations, and they do not own each other's, so they look after their own and should not have access to others. With this approach outlined by using this custom role, does it now mean that when assigning the custom role to all app registrations, and adding all owners to that custom role, all owners have access to all and each other's App registrations to access the client secrets? You are not limiting owners to access only their own App registrations that they are responsible for? They can then access all that have the custom role assigned?