Is it possible to delegate user management for an enterprise app to a regular user account?

Sam Hall 46 Reputation points
2020-11-25T05:08:45.91+00:00

I tried adding a staff member as an Owner of the application and sending them a direct link to the enterprise app's "Users and groups" page, but they get an error "You do not have access" "User has no admin roles. Current directory do not allow non admin users to access portal".

Is there another interface that users have access to for delegating this task?

Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,601 Reputation points
    2020-11-25T07:12:13.173+00:00

    Hello @Sam Hall · Thank you for reaching out.

    Since the AppRoles are being assigned to the users, at a minimum it would require the User Administrator role to be assigned to the users who will be performing App Role assignments.

    Another way of doing this is via the Graph API with the below delegated permissions, along with a minimum of the User Administrator role:

    • AppRoleAssignment.ReadWrite.All
    • Directory.AccessAsUser.All

    Request:

    POST https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e/appRoleAssignments

    Content-type: application/json

    {
      "principalId": "6cad4079-4e79-4a3f-9efb-ea30a14bdb26",
      "principalType": "User",
      "appRoleId": "454dc4c2-8176-498e-99df-8c4efcde41ef",
      "resourceId": "f47a6776-bca7-4f2e-bc6c-eec59d058e3e"
    }

    Where,
    "principalId": Object_ID_of_the_user,
    "principalType": "User",
    "appRoleId":"Object_ID_of_appRole, which can be fetched from App Manifest",
    "resourceId": Object_ID_of_the_servicePrincipal

    Read more: https://learn.microsoft.com/en-us/graph/api/resources/approleassignment?view=graph-rest-1.0

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
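
The request in the answer above, as an added example that is not part of the original answer or Microsoft's code: a Python preflight that builds the same POST without sending it, and refuses when a delegated permission is missing or an ID is not a GUID. The function names and the space-separated scope string are assumptions; the IDs are the ones shown in the answer.

```python
import json
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
# Delegated permissions named in the answer above.
REQUIRED_SCOPES = {"AppRoleAssignment.ReadWrite.All", "Directory.AccessAsUser.All"}


def missing_scopes(granted):
    """Return the required permissions absent from a space-separated scope string."""
    have = {s.lower() for s in granted.split()}
    return sorted(s for s in REQUIRED_SCOPES if s.lower() not in have)


def as_guid(name, value):
    """Normalise an object ID; reject non-GUID input such as a UPN or display name."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{name} must be an object ID (GUID), got {value!r}")


def build_assignment(sp_id, user_id, app_role_id, granted_scopes):
    """Build (method, url, headers, body) for the request; nothing is sent."""
    missing = missing_scopes(granted_scopes)
    if missing:
        raise PermissionError("missing delegated permissions: " + ", ".join(missing))
    sp = as_guid("resourceId", sp_id)
    body = {
        "principalId": as_guid("principalId", user_id),
        "principalType": "User",
        "appRoleId": as_guid("appRoleId", app_role_id),
        "resourceId": sp,  # must be the same service principal as in the URL path
    }
    url = f"{GRAPH}/servicePrincipals/{sp}/appRoleAssignments"
    return "POST", url, {"Content-Type": "application/json"}, json.dumps(body)


if __name__ == "__main__":
    # IDs copied from the answer; the scope string is a constructed sample.
    method, url, headers, body = build_assignment(
        "f47a6776-bca7-4f2e-bc6c-eec59d058e3e",
        "6cad4079-4e79-4a3f-9efb-ea30a14bdb26",
        "454dc4c2-8176-498e-99df-8c4efcde41ef",
        "AppRoleAssignment.ReadWrite.All Directory.AccessAsUser.All",
    )
    print(method, url)
    print(headers)
    print(body)
```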