Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Application.ReadWrite.OwnedBy granting permissions for non-created/owned apps?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 90%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Steve
6
Reputation points
I granted an application (App A, an Azure Automation Account) the following permission and provided Admin consent:
Application.ReadWrite.OwnedBy
I then added that application (App A) as an owner to another application (App B). I was then able to Get/Start provisioning using the Graph API for App B.
However, I noticed I was able to use App A to Get/Start provisioning for another application (App C) that it is NOT an Owner of.
Any theories as to why this is? Prior to granting the above permission, everything threw a 403, as expected.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 27%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDO%3C/text%3E%3C/svg%3E)
Danstan Onyango 3,996 Reputation points Microsoft Employee2021-11-01T07:01:38.29+00:00 I am unable to reproduce your scenario. I have tested this with application addPassword using Application.ReadWrite.OwnedBy. I get 403 Authorization_RequestDenied as expcted when I try for my App C.
Could you provide details of the Graph API endpoint you are calling including the descriptions of the permissions that are added on the App A. -
JamesTran-MSFT 37,256 Reputation points Microsoft Employee Moderator2021-11-01T23:19:33.063+00:00 @Steve
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
Steve 6 Reputation points
2021-11-02T14:53:44.737+00:00 Thank you for testing. I will test addPassword this week and update my post. In the meantime, I can state that I opened a ticket with MS who verified what I'm seeing and has reached out to the product group.
App A only has Application.ReadWrite.OwnedBy (with admin consent) and only owns itself/App B.
I can successfully query App C via https://graph.microsoft.com/v1.0/servicePrincipals/<App C ID> as well as a beta endpoint detailed here:
-
JamesTran-MSFT 37,256 Reputation points Microsoft Employee Moderator
2021-11-02T18:35:49.93+00:00 @Steve
Thank you for the quick follow up and I'm glad that you were able to work with our support team who's reaching out to our product group!If you have any other questions in the meantime, please let me know. Otherwise, I look forward to seeing what our product team finds.
Thank you for your time and patience throughout this issue.
Sign in to comment
Sign in to answer