Assign enterprise application owners

An owner of an enterprise application in Microsoft Entra ID can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignments. An owner can also add or remove other owners. Unlike other application administrators, owners can manage only the enterprise applications they own. In this article, you learn how to assign an owner of an application.

Prerequisites

To add an enterprise application to your Microsoft Entra tenant, you need:

  • A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Cloud Application Administrator, or Application Administrator.

Tip

Steps in this article might vary slightly based on the portal you start from.

Assign an owner

To assign an owner to an enterprise application:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > All applications.
  3. Select the application that you want to add an owner to.
  4. Select Owners, and then select Add to get a list of user accounts that you can choose an owner from.
  5. Search for and select the user account that you want to be an owner of the application.
  6. Select Select to add the user account that you chose as an owner of the application.

To add an owner to an enterprise application using Microsoft Graph PowerShell, you need to sign in as at least a Cloud Application Administrator and consent to the Application.ReadWrite.All permission.

In the following example, the user's object ID is aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb and the applicationId is 00001111-aaaa-2222-bbbb-3333cccc4444.

1. Connect-MgGraph -Scopes 'Application.ReadWrite.All'

1. Import-Module Microsoft.Graph.Applications

$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
}

New-MgServicePrincipalOwnerByRef -ServicePrincipalId '00001111-aaaa-2222-bbbb-3333cccc4444' -BodyParameter $params

To assign an owner to an application using Microsoft Graph API, sign in to Graph Explorer as at least a Cloud Application Administrator.

You need to consent to the Application.ReadWrite.All permission.

Run the following Microsoft Graph query to assign an owner to an application. You need the object ID of the user you want to assign the application to. In the following example, the user's object ID is aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb and the appId is 00001111-aaaa-2222-bbbb-3333cccc4444.

POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='00001111-aaaa-2222-bbbb-3333cccc4444')/owners/$ref
Content-Type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
}

Note

If the user setting Restrict access to Microsoft Entra administration portal is set to Yes, non-admin users aren't able to use the Microsoft Entra admin center to manage the applications they own. For more information about the actions that can be performed on owned enterprise applications, see Owned enterprise applications.

Next steps