Enterprise Application Roles and Administrators

useR 0 Reputation points
2024-11-26T17:39:31.76+00:00

All Enterprise Applications in our Entra tenant have Roles and Administrators with Cloud Application Administrator, which is labeled as a Privileged Role.

  1. Why does an app need this?
    1. microsoft.directory/applications/credentials/update
    2. microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks
    3. microsoft.directory/servicePrincipals/credentials/update
  2. Risk?

Is this the default behavior / practice, or should custom roles be created for these use cases on app-per-app requirements?


2 answers

  1. akinbade abiola 20,385 Reputation points
    2024-11-26T22:10:28.5633333+00:00

    Hello useR

    Recommendations is via custom roles: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-available-permissions.  

    This approach ensures that applications have only the permissions they require. 

    You need to always remember to assign with least privilege.

    For the permissions:

    microsoft.directory/applications/credentials/update: enables updating the credentials (such as client secrets and certificates) of application objects.

    microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks:  full management of OAuth2 permission grants

    microsoft.directory/servicePrincipals/credentials/update: allows updating the credentials of service principal objects.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


  2. Harshitha Eligeti 895 Reputation points Microsoft Vendor
    2024-11-26T23:22:52.4233333+00:00

    Hi @useR

    Thank you for sharing your issue on Microsoft Q&A. 

    I understand that in your Entra tenant, all your Enterprise Applications have roles and administrators assigned with the Cloud Application Administrator role, which is labeled as a Privileged Role.

    In addition to the information provided by @akinbade abiola:

    1. You can create custom roles and assign them to users, granting the specific privileged permissions required for managing the credentials and permissions of enterprise applications. 
    • microsoft.directory/applications/credentials/update: This permission allows authorized users to create, update, or delete credentials, such as passwords, certificates, and client secrets, for both single-tenant and multi-tenant applications. 
    • microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks: This permission enables users to manage all aspects of OAuth2 permission grants for applications, including configuring and modifying the access permissions granted to the app. 
    • microsoft.directory/servicePrincipals/credentials/update: This permission allows users to update the credentials of service principals, which are identities that represent applications within Microsoft Entra (Azure AD). 
    2. Assigning the Cloud Application Administrator role to an application is a high-risk action, as it grants the user the ability to manage all aspects of the application, including its credentials and permissions. Therefore, it is recommended to assign this role only to trusted users who require this level of access.

    If you have specific needs for managing the credentials and permissions of your enterprise applications, you can create custom roles with the appropriate permissions and assign them to the relevant users. This helps restrict access to only what's necessary, reducing the risk of unauthorized access or accidental changes.  

    For additional information, refer to these links: Custom role permissions for app registration - Microsoft Entra ID | Microsoft Learn

    Microsoft Entra Roles & Application Access - Application Administrator Role & Cloud Application Administrator Role  

    Hope this helps. Do let us know if you have any further queries.  

    Best Regards.  
    Harshitha Eligeti. 
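Both answers recommend replacing the tenant-wide Cloud Application Administrator assignment with a custom role carrying only the three permissions from the question. The following script is an added example, not code from either answer or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.Governance`) and assumes the custom role may be assigned at the scope of a single application object, with `$appObjectId` and `$principalId` as placeholder values.

```powershell
# Added example: create a least-privilege custom Entra role with only the three
# permissions discussed in the thread, assign it scoped to one application object,
# and list who still holds the built-in Cloud Application Administrator role.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$allowedActions = @(
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks",
    "microsoft.directory/servicePrincipals/credentials/update"
)
$displayName = "App Credential and Consent Manager"   # constructed role name

# Reuse the role definition if it already exists, otherwise create it.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$displayName'"
if (-not $role) {
    $body = @{
        displayName     = $displayName
        description     = "Rotate app / service principal credentials and manage OAuth2 grants only."
        isEnabled       = $true
        rolePermissions = @(@{ allowedResourceActions = $allowedActions })
    }
    $role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $body
}

# Assign the role at the scope of ONE application object ("/<objectId>") rather
# than "/" (whole tenant). Assumption: the chosen permissions support object scope.
$appObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder: application object ID
$principalId = "11111111-1111-1111-1111-111111111111"   # placeholder: user or group object ID
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $principalId `
    -DirectoryScopeId "/$appObjectId"

# Review step: which principals still hold the privileged built-in role, and at what scope?
$cloudAppAdmin = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Cloud Application Administrator'"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($cloudAppAdmin.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Assignments whose `DirectoryScopeId` is `/` are tenant-wide and are the ones worth migrating to the scoped custom role.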
