Why doesn't an Application Owner have permission to land on the Single sign-on page?

Akshay K V 1 Reputation point
2020-04-07T17:16:34.683+00:00

I'm an Owner of the application registered in Azure AD. I get a "No Access" error when I try to configure SSO.

What I also find strange is that, when I try to open the Single-sign on page it hits the below URL and I get the response as follows.

Why does Azure have to check my permissions for Application Proxy when I'm trying to open SSO page?

URL: https://main.iam.ad.ext.azure.com/api/ApplicationProxy/Applications/318ca569-e1fe-400d-bfa5-c7dd43a00d11
Response: {"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=Forbidden, errorCode=NotAdminRoleNoEnoughCustomPermission_UnauthorizedAccess, errorMessage=Unauthorized Access., reason=Forbidden, correlationId = e125bfa1-5615-4617-9ea2-9f45fba5300e.","Data":{},"HResult":-2146233088,"XMsServerRequestId":null,"Source":null,"HttpStatusCode":403,"ClientData":{"errorCode":"Forbidden","localizedErrorDetails":null,"operationResults":null,"timeStampUtc":"2020-04-07T17:09:53.686276Z","clientRequestId":"e125bfa1-5615-4617-9ea2-9f45fba5300e","internalTransactionId":"6bc02fe1-15c7-499d-b45c-36b4d6e84f46","tenantId":"5d471751-9675-428d-917b-70f44f9630b0","userObjectId":"ac5f9f20-b9f4-4ea9-8439-5e96798793aa","exceptionType":"MsGraphException"}}


1 answer

  1. Anuj Rana 211 Reputation points
    2020-04-07T20:32:29.267+00:00

    If I understood this correctly, when you log in to portal.azure.com, you are no longer able to access the Azure AD blade which contains Applications. If this is correct, then it means that your Global admin has restricted access to Azure AD to admin users only. Owners of the app don't qualify for the required privileges. You will need the application admin role to manage your app on the portal. Alternatively, you can try to manage applications (up to an extent) using PowerShell.
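
Added example, not part of the original thread: a small Python triage helper for the kind of portal response quoted in the question. It pulls out which portal API area was called, the Graph error code buried in the free-text `Message`, and the IDs an administrator would need to look the request up. The function name `triage` and the output field names are assumptions made for this sketch; the sample input is constructed from the URL and response in the question, trimmed to the fields used.

```python
import json
import re
from urllib.parse import urlparse

# Constructed from the URL and response quoted in the question (response trimmed).
URL = "https://main.iam.ad.ext.azure.com/api/ApplicationProxy/Applications/318ca569-e1fe-400d-bfa5-c7dd43a00d11"
BODY = (
    '{"Message":"Graph call failed with httpCode=Forbidden, '
    'errorCode=NotAdminRoleNoEnoughCustomPermission_UnauthorizedAccess, '
    'errorMessage=Unauthorized Access., reason=Forbidden, '
    'correlationId = e125bfa1-5615-4617-9ea2-9f45fba5300e.",'
    '"HttpStatusCode":403,"ClientData":{"errorCode":"Forbidden",'
    '"timeStampUtc":"2020-04-07T17:09:53.686276Z",'
    '"clientRequestId":"e125bfa1-5615-4617-9ea2-9f45fba5300e",'
    '"tenantId":"5d471751-9675-428d-917b-70f44f9630b0",'
    '"userObjectId":"ac5f9f20-b9f4-4ea9-8439-5e96798793aa"}}'
)

# key=value pairs inside Message; a value ends at the next ", key=" or at end of string.
PAIR = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")


def triage(url, body):
    """Summarise a denied portal call: API area, error code, and the IDs to quote."""
    doc = json.loads(body)
    client = doc.get("ClientData") or {}
    fields = dict(PAIR.findall((doc.get("Message") or "").rstrip(". ")))
    cid = fields.get("correlationId")
    parts = [p for p in urlparse(url).path.split("/") if p]
    return {
        # The path segment after /api/ names the portal API area that was called.
        "api_area": parts[1] if len(parts) > 1 and parts[0] == "api" else None,
        "resource_id": parts[-1] if parts else None,
        "http_status": doc.get("HttpStatusCode"),
        "denied": doc.get("HttpStatusCode") == 403,
        "graph_error": fields.get("errorCode"),
        "correlation_id": cid,
        # True when the ID inside Message equals ClientData.clientRequestId.
        "ids_consistent": cid is not None and cid == client.get("clientRequestId"),
        "tenant_id": client.get("tenantId"),
        "user_object_id": client.get("userObjectId"),
        "timestamp_utc": client.get("timeStampUtc"),
    }


if __name__ == "__main__":
    for key, value in triage(URL, BODY).items():
        print(f"{key}: {value}")
```

On the question's data this reports the `ApplicationProxy` API area and a 403 for the signed-in user's object ID, which is the denied call the asker noticed when opening the Single sign-on page.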