Is there a way to create a SAML Enterprise Application without Cloud App Administrator?

Julian Sperling 446

Creating a SAML SSO Application can currently only be done by using the Application Template from the gallery, however if an "Application Developer" tries to add an app the button is greyed out: Problem-CreateAppFromGallery

This is due to missing "microsoft.directory/applicationTemplates/instantiate" permissions, but even if this permission is added to a custom role, the app is created, but the user is not an app owner, so he can't continue editing. Is there a Graph API way or anything similar to create a saml sso app, that does not involve granting full Cloud App Administrator Permissions?

Zahra Ahmadi Firouz Jaee 610 Reputation points

2024-02-25T21:48:49.44+00:00

May this thread help you:

https://answers.microsoft.com/en-us/msoffice/forum/all/create-saml-application-in-azure-ad-via-powershell/c93f464e-da7f-495f-ba86-414307eea1ee

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **
Julian Sperling 446 Reputation points

2024-02-26T07:28:52.7966667+00:00

That thread not only uses severely outdated PowerShell Modules but also does not help for my Specific Question. I know how to create these Applications both in the Entra Gallery as well as how to do it in PowerShell if I have cloud app administrator, I am looking to see if maybe there is a way out there that does not require these high permissions.

Accepted answer

Givary-MSFT 28,491 Reputation points Microsoft Employee

2024-02-26T08:51:14.9233333+00:00

@Julian Sperling Thank you for reaching out to us, just wanted to check if you have referred to this https://learn.microsoft.com/en-us/graph/api/applicationtemplate-instantiate?view=graph-rest-1.0&tabs=http where it refers to adding an instance of an application from the Microsoft Entra application gallery into your directory via Graph Explorer with least privileged permissions. Let me know if this helps to achieve your ask, feel free to post back.
Please sign in to rate this answer.
Julian Sperling 446 Reputation points

2024-02-26T10:33:04.44+00:00

So the idea would be to create an App Registration with application level Application.ReadWrite.OwnedBy and then Provide the Credentials?
Because with Application Developer Delegate Permissions it was not possible to instantiate the Enterprise app through this endpoint, only with Cloud Admin - which I am trying to avoid.

Givary-MSFT 28,491 Reputation points Microsoft Employee

2024-02-27T07:28:37.78+00:00

@Julian Sperling Yes, thats correct create an App Registration with application level Application.ReadWrite.OwnedBy permissions and then provide the Credentials, this approach has the least privilege approach to create a saml enterprise application.

Julian Sperling 446 Reputation points

2024-02-29T15:53:17.6066667+00:00

Tested, works fine as a workaround, but I kind of feel it's high time that Administrative Units Support Enterprise Applications ;)
Sign in to comment

Share via

Is there a way to create a SAML Enterprise Application without Cloud App Administrator?

0 additional answers