Least Permission required for creation SPN via code

Rahul 241 Reputation points
2024-06-24T19:57:07.88+00:00

Hi Team,

Just wanted to double check whether there is any limitation on the number of SPNs or App registrations that can be created via this MS Graph API permission "Application.ReadWrite.OwnedBy".

As per this documentation https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/quickstart-app-registration-limits there are some limitations if we assign it to a user, i.e., microsoft.directory/applications/createAsOwner: Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration counts against the creator's 250 created objects quota.

Will this be the same issue with this MS Graph API permission "Application.ReadWrite.OwnedBy" assigned to an SPN?


1 answer

  1. Sandeep G-MSFT 16,521 Reputation points Microsoft Employee
    2024-06-25T11:58:37.4266667+00:00

    @Rahul

    Thank you for posting this in Microsoft Q&A. Whenever an application or SPN is created in the tenant, it is considered 1 object.

    The MS Graph API permission "Application.ReadWrite.OwnedBy" will count an object whenever an SPN is created.

    Hence, the MS Graph API permission "Application.ReadWrite.OwnedBy" assigned to an SPN will have the same behavior as mentioned in the document.

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
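Since every app registration and SPN an identity creates under this permission counts toward its 250-object quota, a practical follow-up is to monitor how many objects a given service principal already owns before it silently hits the limit. The script below is an added example (not code from this thread or from Microsoft): it parses the shape of a Microsoft Graph `ownedObjects` listing (`GET /servicePrincipals/{id}/ownedObjects`), follows `@odata.nextLink` pagination, and reports usage against the quota. The sample pages are constructed for the example, and `fetch_page` is a hypothetical hook that you would replace with an authenticated HTTP GET.

```python
"""Count the directory objects an identity owns and compare the total with
the 250 created-objects quota discussed in the thread.

Added example; not code from the Q&A thread or from Microsoft. The page
layout mirrors a Graph ownedObjects response, but the data is constructed.
"""
from collections import Counter
from typing import Callable, Dict, Iterable

CREATED_OBJECTS_QUOTA = 250  # per-creator quota cited in the thread

# Constructed sample: two pages as Graph would return them for an owner of
# three app registrations and two service principals. Real calls would start
# at https://graph.microsoft.com/v1.0/servicePrincipals/{id}/ownedObjects.
SAMPLE_PAGES: Dict[str, dict] = {
    "page1": {
        "value": [
            {"@odata.type": "#microsoft.graph.application", "id": "app-0001"},
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "spn-0001"},
            {"@odata.type": "#microsoft.graph.application", "id": "app-0002"},
        ],
        "@odata.nextLink": "page2",
    },
    "page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "spn-0002"},
            {"@odata.type": "#microsoft.graph.application", "id": "app-0003"},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Hypothetical stand-in for an authenticated GET; returns a sample page."""
    return SAMPLE_PAGES[url]


def iter_owned_objects(first_url: str,
                       fetch_page: Callable[[str], dict]) -> Iterable[dict]:
    """Yield every object across all pages, following @odata.nextLink."""
    url = first_url
    seen = set()
    while url:
        if url in seen:  # defensive: refuse to loop on a self-referencing link
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def quota_report(first_url: str, fetch_page: Callable[[str], dict],
                 quota: int = CREATED_OBJECTS_QUOTA,
                 warn_at: float = 0.8) -> dict:
    """Summarise owned objects by type and flag usage approaching the quota."""
    by_type: Counter = Counter()
    for obj in iter_owned_objects(first_url, fetch_page):
        # Graph tags each item with its concrete type, e.g.
        # "#microsoft.graph.application"; keep only the final segment.
        kind = obj.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        by_type[kind] += 1
    total = sum(by_type.values())
    return {
        "total": total,
        "by_type": dict(by_type),
        "remaining": max(quota - total, 0),
        "warn": total >= int(quota * warn_at),
        "exhausted": total >= quota,
    }


if __name__ == "__main__":
    print(quota_report("page1", sample_fetch))
```

Running this against a real tenant means swapping `sample_fetch` for a call that presents a bearer token and starts at the `ownedObjects` URL of the automation service principal; the `warn` flag is the point at which to consider reassigning ownership or retiring stale registrations, since objects created after the quota is reached will fail rather than be silently dropped.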