This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 35%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWV%3C/text%3E%3C/svg%3E)
On our AD tenant I am testing guest user ownership over an app registration + service principal. I want to allow an external daemon service to call my .NET Core REST API. In order to do so securely I need an identity provider trusted by both parties, and one that limits the administrative overhead of managing credential stores.
Instead of deploying IdentityServer or doing something stupid like hardcoding basic-auth passwords in my API, I am considering using our Azure AD tenant, and have the external client registered as an app in our tenant. They can then easily authenticate that daemon app against AD and call my API, and I skip the need of managing said credential store. Also, the client gets password refresh etc, they can manage their own credentials. Yay!
It is my understanding based on this page, that a guest can be made owner over the app registration and the service principal. Done so succesfully, on both the AzureAD App, and on the AzureAD ServicePrincipal objects. After which the guest user should be able to manage certain aspects of that app registration. Specifically, I want the guest user to be able to manage the credentials for that app registration. The documentation page states that the guest is allowed to:
Guest user permissions
However, even after signing out and back in to refresh my tokens, the Azure Portal still blocks my testing guest user from managing the app I made him owner of. (The error actually has a hyperlink to the page showing owners, and lo and behold, the guest account is shown as the owner)
The question is whether I am missing a key configuration entry somewhere to allow this to happen, or, is the documentation wrong and are guests simply not allowed to manage the credentials contained within the service principal object?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 11%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Can you try adding the "Application Administrator" role to the external user and retrying?
Thank you Sahil. I performed what you requested and as I expected this grants the guest user the permission to edit ALL app registrations. Sorry but this does not achieve the intended goal. Thanks for getting back to me though!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 87%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hi, did you find a solution for this that ensures permission is only applied for a particular app registration that needs to be managed?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Wouter van Vugt I have also found the same behavior in my tenant and checking internally with the products team on this issue. I will update here once I hear back from them.