Allow guest user ownership over an app registration in order to manage certificates and secrets

Wouter van Vugt 36 Reputation points

On our AD tenant I am testing guest user ownership over an app registration + service principal. I want to allow an external daemon service to call my .NET Core REST API. In order to do so securely I need an identity provider trusted by both parties, and one that limits the administrative overhead of managing credential stores.

Instead of deploying IdentityServer or doing something stupid like hardcoding basic-auth passwords in my API, I am considering using our Azure AD tenant, and have the external client registered as an app in our tenant. They can then easily authenticate that daemon app against AD and call my API, and I skip the need of managing said credential store. Also, the client gets password refresh etc, they can manage their own credentials. Yay!

It is my understanding based on this page, that a guest can be made owner over the app registration and the service principal. Done so successfully, on both the AzureAD App, and on the AzureAD ServicePrincipal objects. After which the guest user should be able to manage certain aspects of that app registration. Specifically, I want the guest user to be able to manage the credentials for that app registration. The documentation page states that the guest is allowed to:

Guest user permissions

  • Read properties of registered and enterprise applications
  • Manage application properties, assignments, and credentials for owned applications
  • Delete owned applications
  • Restore owned applications

However, even after signing out and back in to refresh my tokens, the Azure Portal still blocks my testing guest user from managing the app I made him owner of. (The error actually has a hyperlink to the page showing owners, and lo and behold, the guest account is shown as the owner)

The question is whether I am missing a key configuration entry somewhere to allow this to happen, or, is the documentation wrong and are guests simply not allowed to manage the credentials contained within the service principal object?

Microsoft Entra ID
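The ownership setup described in the question, written out as an added example (this is not code from the question or any of the answers): it makes a guest user owner of both the app registration and its service principal with Microsoft Graph PowerShell, then verifies the two owner lists and, as a least-privilege check, confirms that no tenant-wide directory role such as Application Administrator was granted on the side. The guest's mail address and the application (client) ID are placeholders, and the script assumes the Microsoft.Graph module is installed and the caller can consent to the listed scopes.

```powershell
# Added example, not from the original thread. Placeholders must be replaced before running.
$guestMail = 'partner@example.com'                        # placeholder: guest's mail address
$appId     = '00000000-0000-0000-0000-000000000000'       # placeholder: application (client) ID

# Application.ReadWrite.All is needed to add owners; Directory.Read.All to read role membership.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.Read.All'

# Resolve the guest account and both directory objects behind the registration.
$guest = Get-MgUser -Filter "mail eq '$guestMail' and userType eq 'Guest'"
$app   = Get-MgApplication -Filter "appId eq '$appId'"
$sp    = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $guest -or -not $app -or -not $sp) { throw 'Guest, application or service principal not found.' }

# An owner is a reference to a directory object, so the request body carries an @odata.id link.
$ownerRef = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($guest.Id)" }
New-MgApplicationOwnerByRef      -ApplicationId $app.Id     -BodyParameter $ownerRef
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id -BodyParameter $ownerRef

# Check 1: the guest appears in the owner list of both objects.
$appOwnerIds = (Get-MgApplicationOwner -ApplicationId $app.Id).Id
$spOwnerIds  = (Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id).Id
"Guest owns app registration:  $($appOwnerIds -contains $guest.Id)"
"Guest owns service principal: $($spOwnerIds  -contains $guest.Id)"

# Check 2: ownership should be the only grant. Any directory role listed here (for example
# Application Administrator) would let the guest edit every registration in the tenant.
$roles = Get-MgUserMemberOf -UserId $guest.Id |
         Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) {
    'Directory roles assigned to guest: ' +
        (($roles | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', ')
} else {
    'No directory roles assigned to guest (expected for an owner-only setup)'
}
```

The two owner checks are the scripted equivalent of the portal's owners page the question refers to; the role check is the thing to look at after the first answer, since a tenant-wide role is what makes the guest able to edit all registrations rather than just the owned one. As the question notes, the guest still has to sign out and back in before a changed ownership shows up in their tokens.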

3 answers

Sort by: Most helpful
  1. Sahil Malik 6 Reputation points

    Can you try adding the "Application Administrator" role to the external user and retrying?

    1 person found this answer helpful.

  2. Wouter van Vugt 36 Reputation points

    Thank you Sahil. I performed what you requested and as I expected this grants the guest user the permission to edit ALL app registrations. Sorry but this does not achieve the intended goal. Thanks for getting back to me though!

    1 person found this answer helpful.

  3. Saurabh Sharma 23,776 Reputation points Microsoft Employee

    @Wouter van Vugt I have also found the same behavior in my tenant and checking internally with the products team on this issue. I will update here once I hear back from them.
