Enterprise Application not owned by dev-user?

Sri Bolisetty 1 Reputation point
2021-09-23T16:11:18.343+00:00

Hi

I can create an Enterprise Application in Azure using Terraform and all is good. The application is owned by me as a user, and I am wondering what the best practice is to build this. I can assign multiple users to the owner pool, but ideally this application should be built using a Service Account of some nature that is not tied to a user or two. I was thinking a Service Principal may be the answer, but reading through the docs an SP doesn't look like the right way.

What is the correct way to build Enterprise Applications so they are not owned by a user alone?

-Sri


2 answers

  1. Sri Bolisetty 1 Reputation point
    2021-09-27T15:34:05.77+00:00

    After more reading on Azure AD enterprise applications, I notice that even if the current team is long gone, an Administrator can assign a new user to the role and let the application be managed.

    I am in an environment where code is the infrastructure and we are using Terraform for deploying these applications. Currently I am having to assign "owners" to the application and then build and deploy it. Ideally I am hoping a service account or some other system resource can build these long-running applications. I didn't find any way, and having to add all the current DevOps members as owners seems to be the only way. I would like to hear if anyone else figured out a better way that I totally missed. Thanks in advance.


  2. Carolyne-MSFT 1 Reputation point Microsoft Employee
    2021-10-04T20:35:25.387+00:00

    You can add a Service Principal to manage an Enterprise application. Please refer to a similar post here where a service principal is granted the Application Administrator role, which allows creating and managing all aspects of enterprise applications, application registrations, and application proxy settings.
    This documentation guides on how to assign AD roles at different scopes.

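As an added illustration of the approach in this answer (not code from the question or the answer), the Terraform fragment below uses the azuread provider 2.x to make the principal that runs the pipeline the owner of the application and its service principal, and optionally grants that principal the Application Administrator directory role; the display names are assumptions.

```hcl
# Whoever authenticates Terraform (here assumed to be a CI service principal,
# not a human user) is resolved via the provider's client config data source.
data "azuread_client_config" "deployer" {}

# The app registration and its enterprise application (service principal)
# are owned by the deploying service principal, so ownership does not
# disappear when individual team members leave.
resource "azuread_application" "app" {
  display_name = "example-enterprise-app"          # assumed name
  owners       = [data.azuread_client_config.deployer.object_id]
}

resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
  owners         = [data.azuread_client_config.deployer.object_id]
}

# Optional, and broader than ownership: the Application Administrator role
# lets the deployer manage every application in the tenant. Per-application
# ownership above is the least-privilege choice; use the role only when the
# pipeline must also create or manage applications it does not own.
resource "azuread_directory_role" "app_admin" {
  display_name = "Application Administrator"
}

resource "azuread_directory_role_member" "deployer_app_admin" {
  role_object_id   = azuread_directory_role.app_admin.object_id
  member_object_id = data.azuread_client_config.deployer.object_id
}
```

Additional break-glass owners (for example a group-managed admin account) can be appended to the `owners` lists so that a single service principal is not the only path to managing the application.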