Application permissions scope

Juan Ignacio Cardona 6 Reputation points
2022-08-16T23:03:04.733+00:00

I need to assign a permission to an app so it can only rotate other apps' secrets. So far I couldn't find any option other than assigning the application.read&write.all permission, which is too extensive for this use case. Is there an option to restrict this permission?


1 answer

  1. Vasil Michev 95,181 Reputation points MVP
    2022-08-17T06:50:21.943+00:00

    Application objects support custom Azure AD roles, so you can create a new role with just the required permissions and optionally assign it to just the app(s) in question. Start by going to the Azure AD blade > Roles and administrators > hit the New custom role button and follow the steps therein to assign the desired permissions. Once the role has been created, you need to assign it, which can be a scoped assignment to just specific app(s). To do this, select the newly created role, hit the Add assignments button, and select Application under Scope type. Next, hit the link under Selected scope and point to the app(s) you want to include in the scope. Lastly, assign the user.

    For more details, refer to this article: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps
    It's for a slightly different use case, but the basics remain the same - just replace the corresponding permissions as needed.

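The same procedure the answer walks through in the portal, done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the answer or from Microsoft's article: the role name, description, target application object IDs and the assignee's object ID are placeholders. The two allowedResourceActions are the existing custom-role permissions for reading an application's standard properties and updating its credentials; the assignment is scoped with a directoryScopeId of "/<application object id>" rather than the tenant-wide "/". The principal can be a user, as in the answer, or the rotating app's own service principal object, which Azure AD role assignments also accept.

```powershell
# Added example (not from the original thread): custom Azure AD role that can
# only rotate application credentials, assigned with an app-scoped assignment.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.Governance).
# All IDs and the role name/description below are placeholders (assumptions).

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# 1. Create the role with only the permissions the use case needs:
#    read an app's standard properties and update its credentials.
$roleBody = @{
    displayName     = "App Credential Rotator"                       # placeholder
    description     = "Read app properties and update app credentials only"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/standard/read",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody

# 2. Scoped assignment, one per target app. directoryScopeId is "/<objectId>"
#    of the target *application object* (not its service principal), so the
#    role applies to that app only instead of tenant-wide ("/").
$principalId        = "<object-id-of-user-or-service-principal>"     # placeholder
$targetAppObjectIds = @("<target-app-object-id-1>", "<target-app-object-id-2>")  # placeholders

foreach ($appObjectId in $targetAppObjectIds) {
    $assignmentBody = @{
        "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
        roleDefinitionId = $roleDef.Id
        principalId      = $principalId
        directoryScopeId = "/$appObjectId"
    }
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignmentBody
}

# 3. Verify: every assignment of the new role should carry an app-scoped
#    directoryScopeId; a "/" here would mean a tenant-wide grant by mistake.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

Step 3 is the check worth keeping in any rotation script: if a later edit or a portal click replaces the scope with "/", the role silently becomes tenant-wide, which is the over-broad grant the question was trying to avoid.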