Today is a big day. I’m bouncing up and down at my PC as I type this because I’m just so happy to announce the public preview of our new delegated app management roles. If you have granted people the Global Administrator role for things like configuring enterprise applications, you can now move them to these less privileged roles. Doing so will help improve your security posture and reduce the potential for unfortunate mistakes.
Additionally, we’re adding support for per-application ownership, which allows you to grant full management permissions on a per-application basis.
And lastly, we’re introducing a role that allows you to selectively grant people the ability to create application registrations. Read on for more details about each of these new permissions options!
Application administrator roles as an alternative to global administrator
Use the following roles to grant people access to manage all your directory’s applications without granting all other unrelated and powerful permissions included in the global administrator role.
- Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access.
- Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access).
Granting ownership access to manage individual enterprise applications
We now support ownership for enterprise applications so you can do even finer grained delegation if you want. This complements the existing support for assigning application registration owners.
Ownership is assigned on a per-enterprise application basis in the enterprise apps blade. The benefit is owners can manage only the enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that owner can manage access to and configuration for Salesforce, and no other applications. An enterprise application can have many owners, and a user can be the owner for many enterprise applications.
- Enterprise Application Owner: This role grants the ability to manage ‘owned’ enterprise applications, including SSO settings, user and group assignments, and adding additional owners. It does not grant the ability to manage Application Proxy settings or conditional access.
- Application Registration Owner: This role was previously available and grants the ability to manage ‘owned’ application registrations, including the application manifest and adding additional owners.
You can assign an enterprise application owner in the Azure AD portal, on the Owners tab of the enterprise applications blade.
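As an added example (not Microsoft's code), the sketch below applies the role descriptions above to right-size existing Global Administrators: given the application tasks each admin actually performs, it picks the narrowest option that still covers them. The task labels, the `max_owned_apps` threshold and the sample activity are assumptions constructed for illustration.

```python
# Added example: task labels, the threshold and SAMPLE are constructed for illustration.
# Capability sets are transcribed from the role descriptions in this post.
OWNER_TASKS = {"sso", "assignments"}          # Enterprise Application Owner, owned apps only
CLOUD_APP_ADMIN = {"registrations", "sso", "assignments", "licensing", "consent"}
APP_ADMIN = CLOUD_APP_ADMIN | {"app_proxy"}   # adds Application Proxy settings

DIRECTORY_ROLES = [                           # directory-wide roles, narrowest first
    ("Cloud Application Administrator", CLOUD_APP_ADMIN),
    ("Application Administrator", APP_ADMIN),
]


def recommend(activity, max_owned_apps=3):
    """Return (role, apps) for the narrowest option covering every observed task.

    activity: list of (task, app) pairs; app is None for directory-level work.
    apps lists the enterprise applications to assign ownership on, otherwise [].
    """
    tasks = {task for task, _ in activity}
    apps = sorted({app for _, app in activity if app})
    per_app_only = all(app is not None for _, app in activity)
    if not tasks:
        return ("no application role needed", [])
    # Per-application ownership is the tightest fit when the work touches few apps.
    if tasks <= OWNER_TASKS and per_app_only and len(apps) <= max_owned_apps:
        return ("Enterprise Application Owner", apps)
    for role, capabilities in DIRECTORY_ROLES:
        if tasks <= capabilities:
            return (role, [])
    # A task (for example conditional access) is outside every role above:
    # leave the current assignment in place and review it by hand.
    return ("Global Administrator", [])


SAMPLE = {  # constructed activity for four current Global Administrators
    "alice": [("sso", "Salesforce"), ("assignments", "Salesforce")],
    "bob": [("registrations", None), ("consent", None), ("sso", "Box")],
    "carol": [("app_proxy", "Intranet"), ("assignments", "Intranet")],
    "dave": [("sso", "Salesforce"), ("conditional_access", None)],
}


def report(admins=SAMPLE):
    """Map each admin name to its (role, apps) recommendation."""
    return {name: recommend(activity) for name, activity in admins.items()}


if __name__ == "__main__":
    for name, (role, apps) in report().items():
        print(f"{name}: {role} {apps}")
```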
Selectively allowing people to create application registrations
By default, all users can create application registrations. You can disable this by setting “Users can register applications” to No. Starting today, using the new Application Developer role, you can selectively grant back the ability to create application registrations to people as needed.
- Application Developer: This role grants the ability to create application registrations when the ‘Users can register applications’ switch is set to No. Application Developers can also consent for themselves when the ‘users can consent to applications accessing company data on their behalf’ switch is set to No. When an Application Developer creates a new application registration, they are automatically added as the first owner.
As always, we’d love to hear your feedback, thoughts, and suggestions! Feel free to share with us on the Azure AD administrative roles forum, or leave comments below. We look forward to hearing from you.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division