Default roles on new Enterprise apps

Bob Pants 256 Reputation points
2023-09-28T04:34:38.98+00:00

When we create new Enterprise app registrations, they all come with role 'Cloud Application Administrator' assigned by default.

Does this mean that the role has permissions to THIS object? I assume that it doesn't infer any permissions to the users assigned to the application.

Our security people raised a concern about this. I am just trying to understand the meaning of this role assignment on every app registration.


Accepted answer
  1. Akhilesh 9,840 Reputation points Microsoft Vendor
    2023-09-29T08:22:53.52+00:00

    Hi @Bob Pants

    Thank you for reaching out!

    I understand your concern about the default role in Enterprise app registrations and the security risk.

    When you create a new Enterprise app registration in Azure, the "Cloud Application Administrator" role is assigned to the app registration by default. This role is a built-in role in Azure AD that allows permissions to manage the application registration itself, but it does not allow any permissions to the users or groups assigned to the application.

    Users in the "Cloud Application Administrator" role are allowed to manage and configure the app registration, for example configuring SSO, assigning users and groups, changing its display name or updating its authentication settings.

    Role assignment is not a security risk in itself, as it does not provide any elevated permissions to the users or groups assigned to the application.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles
    https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/hallelujah-azure-ad-delegated-application-management-roles-are/ba-p/245420

    Thanks,
    Akhilesh

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Andy David - MVP 148.1K Reputation points MVP
    2023-09-28T11:11:56.9633333+00:00

    It means any account added to this role will have permissions to manage Enterprise Apps:

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator

    So the key there is to only assign that role to admins that require it, as it's privileged.

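One way to review who actually holds the role that both answers discuss, as an added example that is not from either answer. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read directory role assignments; the role is resolved by its display name so no template ID has to be hard-coded.

```powershell
# Added example (not from the thread): list every principal assigned
# 'Cloud Application Administrator' so the holders can be reviewed.
# Assumes the Microsoft.Graph SDK; the scopes below are the read-only ones needed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Resolve the role definition by display name rather than a hard-coded template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Cloud Application Administrator'"

# Fetch every active assignment of that role and expand the principal so we see who it is.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'" `
    -ExpandProperty Principal -All

$report = foreach ($a in $assignments) {
    $p = $a.Principal.AdditionalProperties
    [pscustomobject]@{
        Principal     = $p['displayName']
        Upn           = $p['userPrincipalName']   # empty for groups and service principals
        PrincipalType = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        # '/' is a tenant-wide assignment; any other value is a scoped assignment.
        Scope         = if ($a.DirectoryScopeId -eq '/') { 'Tenant-wide' } else { $a.DirectoryScopeId }
    }
}

$report | Sort-Object Scope, Principal | Format-Table -AutoSize

# Tenant-wide holders are the ones to confirm against "only admins that require it".
$tenantWide = @($report | Where-Object Scope -eq 'Tenant-wide')
"Tenant-wide Cloud Application Administrators: $($tenantWide.Count)"
```

Group members are not expanded here; if a group appears in the output, review its membership separately.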
