Forum Discussion
app registrations - any way to prevent owners from changing / adding API permissions
I think maybe I got it: it's in the "Assign the custom role" section of the article. So far testing is positive; however, there is a syntax error there, for anyone else who might find this thread. I was running into a problem with the -ResourceScope parameter. Per this GitHub article, -ResourceScope is not correct:
$roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
...should instead be
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
DaveTheTeamsGuy, in the normal scenario where you have multiple app registrations with multiple owners, some own some app registrations and others own other app registrations, and they do not own each other's, so they look after their own and should not have access to the others. With the approach outlined here, using this custom role, does it now mean that when assigning the custom role to all app registrations, and adding all owners to that custom role, all owners have access to all of each other's app registrations and can access the client secrets? You are not limiting owners to accessing only their own app registrations that they are responsible for? Can they then access all that have the custom role assigned?
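The following is an added example, not code from either post above. It puts the corrected -DirectoryScopeId call from the first post into a complete script: it creates a custom Azure AD role whose allowed resource actions cover reading the app and rotating its credentials but include nothing under microsoft.directory/applications/permissions/, and then, relevant to the scoping question in the second post, it creates one assignment per owner whose DirectoryScopeId is a single app registration's object ID rather than the whole directory ('/'). The role name, app display names and UPNs are placeholders; the AzureAD module (Connect-AzureAD already run) is assumed.

```powershell
# Added example (not from the thread). Assumes the AzureAD module is loaded and
# Connect-AzureAD has been run with rights to manage role definitions/assignments.
# Role name, app display names and UPNs below are placeholders.

$roleName = "App Registration Credential Manager"   # assumed name

# Only these resource actions are granted. No action under
# microsoft.directory/applications/permissions/ is listed, so an assignee
# cannot add or change API permissions on the app.
$allowedResourceActions = @(
    "microsoft.directory/applications/standard/read",
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update"
)
$rolePermissions = @{ 'allowedResourceActions' = $allowedResourceActions }

# Reuse the role definition if it already exists, otherwise create it.
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDefinition) {
    $roleDefinition = New-AzureADMSRoleDefinition `
        -RolePermissions $rolePermissions `
        -DisplayName $roleName `
        -Description "Rotate secrets/certificates on one app registration; cannot change API permissions." `
        -TemplateId (New-Guid).Guid `
        -IsEnabled $true
}

# Placeholder mapping: app registration display name -> the owner responsible for it.
$assignments = @{
    "Payroll API"   = "alice@contoso.example"
    "Inventory App" = "bob@contoso.example"
}

foreach ($appName in $assignments.Keys) {
    $app  = Get-AzureADApplication -Filter "displayName eq '$appName'"
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$($assignments[$appName])'"

    # Scope is this one app registration object. A scope of '/' would be tenant-wide.
    $scope = '/' + $app.ObjectId

    # -DirectoryScopeId is the parameter name the first post corrected to.
    New-AzureADMSRoleAssignment `
        -DirectoryScopeId $scope `
        -RoleDefinitionId $roleDefinition.Id `
        -PrincipalId $user.ObjectId
}

# Verify: each assignment of this role carries its own DirectoryScopeId, so you
# can see which principal is scoped to which app registration object.
Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($roleDefinition.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

The scope of an assignment is per assignment, not per role: the same custom role definition is used for every owner, but each New-AzureADMSRoleAssignment call names exactly one app registration in -DirectoryScopeId, and the final Get-AzureADMSRoleAssignment listing is the check worth running after any change to confirm no assignment ended up with a scope of '/'.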