Developer and administrator responsibilities for application registration, authorization, and access

As a developer creating applications in the Microsoft identity platform, you'll work with IT Professionals who have administrator privileges in Azure Active Directory (AD) to enable your applications to take full advantage of the Microsoft identity platform. Knowing what your IT Pros need from you, and what you need from them, will help you to streamline your zero-trust development workflow.

Developers and IT Pros must work together

IT organizations are increasingly blocking apps with vulnerabilities. As IT departments embrace a Zero Trust approach, developers who don't provide applications that follow Zero Trust principles risk not having their apps adopted. Following Zero Trust principles can help ensure that your application is eligible for adoption in a Zero Trust world.

App developers will usually implement, evaluate, and validate aspects of Zero Trust before working with an organization's IT Pros to achieve full compliance and adherence. Developers are responsible for building and integrating apps so that IT Pros can use their tools to further secure the applications. Partnering with IT Pros can help to

  • minimize the probability of or prevent security compromise.
  • quickly respond to compromise and reduce damage.

The following table summarizes the decisions and tasks required for developer and IT Pro roles to build and deploy secure applications in the Microsoft identity platform. Read on for key details and links to articles to help you plan your secure application development.


IT Pro Administrator

  • Configure who can register apps in tenant
  • Assign application users, groups, and roles
  • Grant permissions to applications
  • Define policies (including conditional access policy and token lifespan)
  • Configure alternate local settings for applications

Zero Trust considerations

When entities (individuals, applications, devices) need to access resources in your application, you'll work with IT Pros who have administrator privileges to look at Zero Trust and security policy enforcement options. Together, you'll decide which access policies to implement and enforce. Microsoft's policy enforcement engine needs to be in touch with things like threat intelligence, signal processing, and the policies that are already in place for the organization. Every time an entity needs to access a resource, it will go through the policy enforcement engine.

IT Pros determine which conditional access policies will apply to your application (SAML) or the resources your application is accessing (OAuth 2.0). They can apply conditional access policies to Security Assertions Markup Language (SAML) apps at authentication. For OAuth 2.0 applications, they can apply policies when an application attempts to access a resource.

Next steps