Is there any limitation on the number of application registrations with this MS Graph permission (Application.ReadWrite.OwnedBy)?

Rahul 241 Reputation points
2024-06-24T19:47:06.84+00:00

Hi Team,

Wanted to check whether there is any limitation on the number of application registrations when the MS Graph API permission Application.ReadWrite.OwnedBy is assigned to an SPN.

As per this MS documentation there is some limitation for application registration with this permission, i.e., microsoft.directory/applications/createAsOwner: "Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration counts against the creator's 250 created objects quota."

As per my understanding, the limitation applies to the Entra ID built-in role "Application Developer" assigned to a user. There is no such limitation for an SPN that is assigned this permission through the MS Graph API (Application.ReadWrite.OwnedBy).

Let me know if my understanding is correct. Please feel free to correct me.


1 answer

  1. Navya 6,535 Reputation points Microsoft Vendor
    2024-06-25T13:14:40.33+00:00

    Hi @Rahul

    Thank you for posting this in Microsoft Q&A.

    I understand that you are asking whether there is any limitation on the number of application registrations when the MS Graph API permission (Application.ReadWrite.OwnedBy) is assigned to an SPN.

    By default, users of the Microsoft Entra ID Free edition can create a maximum of 50,000 Microsoft Entra resources in a single tenant. However, if the organization has at least one verified domain, the default Microsoft Entra service quota is extended to 300,000 Microsoft Entra resources. It is important to note that a non-admin user can create no more than 250 Microsoft Entra resources. This resource limitation applies to all directory objects in a given Microsoft Entra tenant, including users, groups, applications, and service principals.

    If an organization has developers who are likely to repeatedly exceed this quota in the course of their regular duties, they can create and assign a custom role with permission to create a limitless number of app registrations, but the total number of created objects is limited to 250 to prevent hitting the directory-wide object quota.

    "As per my understanding, the limitation applies to the Entra ID built-in role "Application Developer" assigned to a user. There is no such limitation for an SPN that is assigned this permission through the MS Graph API (Application.ReadWrite.OwnedBy)."

    No. As previously stated, there is a limitation on Microsoft Entra resources.

    To know more details about the Microsoft Entra service limits and restrictions

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.

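Whichever way the quota question is resolved for a given tenant, an administrator who hands Application.ReadWrite.OwnedBy to an automation SPN will want to watch how many directory objects that principal has created against the 250 created-objects quota quoted in the thread. The following is an added example, not code from the Q&A post or from Microsoft: it walks the Microsoft Graph `createdObjects` relationship of a service principal (or user), follows `@odata.nextLink` paging, and tallies the result by object type. The sample pages are constructed so the script runs offline; `live_fetch` is the hypothetical hook you would pass instead, with a bearer token obtained by whatever means your environment uses.

```python
"""Count the directory objects a principal has created and compare with the
per-creator quota. Added example; the Graph responses below are constructed."""
import json
import urllib.request
from typing import Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"
CREATED_OBJECTS_QUOTA = 250  # per-creator "created objects" quota quoted in the thread

# Constructed sample responses standing in for two Graph pages. Heterogeneous
# directoryObject collections carry @odata.type, which is what we tally on.
SP_ID = "sp-0000"  # placeholder service principal object id
_FIRST = f"{GRAPH}/servicePrincipals/{SP_ID}/createdObjects?$select=id&$top=2"
_SECOND = f"{GRAPH}/servicePrincipals/{SP_ID}/createdObjects?$skiptoken=page2"
SAMPLE_PAGES = {
    _FIRST: {
        "value": [
            {"@odata.type": "#microsoft.graph.application", "id": "a1"},
            {"@odata.type": "#microsoft.graph.application", "id": "a2"},
        ],
        "@odata.nextLink": _SECOND,
    },
    _SECOND: {
        "value": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "s1"}],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for a Graph GET; serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def live_fetch(token: str) -> Callable[[str], dict]:
    """Return a GET function that calls Graph with a bearer token (assumed to
    have been obtained elsewhere; Directory.Read.All or equivalent is needed)."""
    def _get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return _get


def count_created_objects(principal_kind: str, principal_id: str,
                          fetch: Callable[[str], dict], page_size: int = 2) -> Dict[str, int]:
    """Tally createdObjects of /users/{id} or /servicePrincipals/{id} by type,
    following @odata.nextLink until the collection is exhausted."""
    url = f"{GRAPH}/{principal_kind}/{principal_id}/createdObjects?$select=id&$top={page_size}"
    counts: Dict[str, int] = {}
    while url:
        page = fetch(url)
        for obj in page.get("value", []):
            # "#microsoft.graph.application" -> "application"
            kind = obj.get("@odata.type", "unknown").rsplit(".", 1)[-1]
            counts[kind] = counts.get(kind, 0) + 1
        url = page.get("@odata.nextLink")  # absent on the last page
    return counts


def quota_report(counts: Dict[str, int], quota: int = CREATED_OBJECTS_QUOTA) -> dict:
    """Summarise usage against the quota so a monitor can alert before it bites."""
    total = sum(counts.values())
    return {
        "total": total,
        "remaining": max(quota - total, 0),
        "over_quota": total >= quota,
        "by_type": counts,
    }


if __name__ == "__main__":
    tally = count_created_objects("servicePrincipals", SP_ID, sample_fetch)
    print(json.dumps(quota_report(tally), indent=2))
```

Swap `sample_fetch` for `live_fetch(token)` and the real object id to run it against a tenant; pass `"users"` as the first argument to check a human developer's quota usage the same way.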