Is it possible to create an Entra ID App with Managed Identity and assign both Contributor and Application Administrator roles via ARM Template (Custom Template Deployment)?

Question

Is it possible to create an Entra ID App with Managed Identity and assign both Contributor and Application Administrator roles via ARM Template (Custom Template Deployment)?

sanjith badri 0

Hi all,

I'm trying to automate the creation of an Azure Managed Identity and assign it the following roles:

Contributor (at the subscription or resource group level)

Application Administrator (at the Entra ID / tenant scope)

My goal is to deploy this setup entirely through an ARM template using the "Deploy a custom template" option in the Azure Portal.

I've run into several issues:

ARM templates support Contributor assignment using the Microsoft.Authorization/roleAssignments resource but assigning Application Administrator (which is a tenant-level role) doesn't seem to work properly due to scope limitations.

Attempts to use deployment scripts or tenant-scoped roleAssignments inside a resource group or subscription deployment have failed or been rejected with invalid scope errors.

I would like to know:

Is it officially supported to assign tenant-level roles like Application Administrator to a user-assigned managed identity via ARM template?

If yes, how should the template be structured and at what deployment scope (tenant, subscription, or resource group)?

If not supported directly in ARM, are there any alternatives that can still be triggered from the portal (like Deployment Scripts or Bicep modules)?

Any examples, official docs, or guidance from Microsoft or the community would be greatly appreciated.Hi all,

I'm trying to automate the creation of an Azure Managed Identity and assign it the following roles:

Contributor (at the subscription or resource group level)

Application Administrator (at the Entra ID / tenant scope)

My goal is to deploy this setup entirely through an ARM template using the "Deploy a custom template" option in the Azure Portal.

I've run into several issues:

ARM templates support Contributor assignment using the Microsoft.Authorization/roleAssignments resource, but assigning Application Administrator (which is a tenant-level role) doesn't seem to work properly due to scope limitations.

Attempts to use deployment scripts or tenant-scoped roleAssignments inside a resource group or subscription deployment have failed or been rejected with invalid scope errors.

I would like to know:

Is it officially supported to assign tenant-level roles like Application Administrator to a user-assigned managed identity via ARM template?

If yes, how should the template be structured and at what deployment scope (tenant, subscription, or resource group)?

If not supported directly in ARM, are there any alternatives that can still be triggered from the portal (like Deployment Scripts or Bicep modules)?

Any examples, official docs, or guidance from Microsoft or the community would be greatly appreciated.

Sakshi Devkante 4,380 Reputation points Microsoft External Staff Moderator

2025-05-28T14:43:27.67+00:00

Hello @sanjith badri

No, not currently. As of 2025, ARM templates and even Bicep templates do not support assigning Entra ID (tenant-level) roles directly.

You're running into a known limitation in ARM templates you cannot assign tenant-level roles (like Application Administrator in Entra ID) via an ARM template deployed at the subscription or resource group level. This is because ARM templates are scoped to resource group, subscription, or management group scopes. Tenant-level resources (like Entra ID roles) are not accessible from those scopes via standard ARM deployments.

Microsoft.Authorization/roleAssignments only supports role assignments at scopes like resource groups, subscriptions, and management groups, not Entra ID (tenant root).

You can embed a PowerShell or CLI script inside your template using Microsoft.Resources/deploymentScripts, and use Microsoft Graph PowerShell or Azure CLI to perform the tenant-level role assignment.

This works because the script is executed with a user-assigned or system-assigned managed identity that has privileges to perform Graph API operations.

Create the Managed Identity.

Assign the Contributor role at the subscription or RG level.

Run a deployment script using Graph API to assign the Application Administrator role at the tenant scope.

Use Entra id role assignment create or Use Microsoft Graph PowerShell New-MgRoleManagementDirectoryRoleAssignment

The identity running the deployment script must have sufficient tenant-wide permissions, such as Privileged Role Administrator or Global Administrator, to assign Entra ID roles.

https://learn.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-05-29T12:04:55.1133333+00:00

Hi @sanjith badri
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-05-30T08:44:41.1666667+00:00

Hi @sanjith badri
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Your answer

Sakshi Devkante 4,380 Reputation points Microsoft External Staff Moderator

2025-05-28T14:43:27.67+00:00

Hello @sanjith badri

No, not currently. As of 2025, ARM templates and even Bicep templates do not support assigning Entra ID (tenant-level) roles directly.

You're running into a known limitation in ARM templates you cannot assign tenant-level roles (like Application Administrator in Entra ID) via an ARM template deployed at the subscription or resource group level. This is because ARM templates are scoped to resource group, subscription, or management group scopes. Tenant-level resources (like Entra ID roles) are not accessible from those scopes via standard ARM deployments.

Microsoft.Authorization/roleAssignments only supports role assignments at scopes like resource groups, subscriptions, and management groups, not Entra ID (tenant root).

You can embed a PowerShell or CLI script inside your template using Microsoft.Resources/deploymentScripts, and use Microsoft Graph PowerShell or Azure CLI to perform the tenant-level role assignment.

This works because the script is executed with a user-assigned or system-assigned managed identity that has privileges to perform Graph API operations.

Create the Managed Identity.

Assign the Contributor role at the subscription or RG level.

Run a deployment script using Graph API to assign the Application Administrator role at the tenant scope.

Use Entra id role assignment create or Use Microsoft Graph PowerShell New-MgRoleManagementDirectoryRoleAssignment

The identity running the deployment script must have sufficient tenant-wide permissions, such as Privileged Role Administrator or Global Administrator, to assign Entra ID roles.

https://learn.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-05-29T12:04:55.1133333+00:00

Hi @sanjith badri
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-05-30T08:44:41.1666667+00:00

Hi @sanjith badri
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Share via

Is it possible to create an Entra ID App with Managed Identity and assign both Contributor and Application Administrator roles via ARM Template (Custom Template Deployment)?

Your answer