Last week Microsoft announced the public preview of their new delegated app management roles.
If you have been granting people the Global Administrator role just so they can do things like configure enterprise applications, you can now move them to these lesser-privileged roles instead. Doing so improves your security posture and reduces the blast radius of an unfortunate mistake or a compromised admin account.
Microsoft has added support for per-application ownership, which allows you to grant full management permissions on a per-application basis.
And lastly, they have introduced a role that allows you to selectively grant people the ability to create application registrations.
An alternative to Global Administrator: the Application Administrator role
Use the following roles to grant people access to manage all your directory’s applications without granting all other unrelated and powerful permissions included in the global administrator role.
- Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access.
- Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access).
Granting ownership access to manage individual enterprise applications
Microsoft now supports ownership for enterprise applications, so you can delegate at an even finer grain if you want. This complements the existing support for assigning application registration owners.
Ownership is assigned on a per-enterprise application basis in the enterprise apps blade. The benefit is owners can manage only the enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that owner can manage access to and configuration for Salesforce, and no other applications. An enterprise application can have many owners, and a user can be the owner for many enterprise applications.
- Enterprise Application Owner: This role grants the ability to manage ‘owned’ enterprise applications, including SSO settings, user and group assignments, and adding additional owners. It does not grant the ability to manage Application Proxy settings or conditional access.
- Application Registration Owner: This role was previously available and grants the ability to manage ‘owned’ application registrations, including the application manifest and adding additional owners.
You can assign an enterprise application owner in the Azure AD portal, on the Owners tab of the enterprise applications blade.
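The same per-application delegation can be scripted. The following is an added example written for this page, not code from the original post or from Microsoft; it uses the AzureAD PowerShell module and assumes you are already signed in with sufficient rights (Global Administrator or Application Administrator). The application display name and the owner's UPN are placeholders for your own tenant.

```powershell
# Added example (not from the original post): delegate one enterprise
# application to a named owner with the AzureAD PowerShell module.
# Assumptions: the AzureAD module is installed, the session has Global
# Administrator or Application Administrator rights, and the names below
# are placeholders for your own tenant.
Connect-AzureAD | Out-Null

$appDisplayName = 'Salesforce'                 # assumed enterprise app name
$ownerUpn       = 'jane.doe@contoso.example'   # assumed owner UPN

# An enterprise application is a service principal; look it up by display name
# and refuse to continue if the name is missing or ambiguous.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'")
if ($sp.Count -eq 0) { throw "No enterprise application named '$appDisplayName'" }
if ($sp.Count -gt 1) { throw "More than one app named '$appDisplayName'; use -ObjectId instead" }
$sp = $sp[0]

$owner = Get-AzureADUser -ObjectId $ownerUpn

# Owners of the service principal can manage only this app: SSO settings,
# user and group assignments, and the owner list. Nothing else in the directory.
$spOwners = Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId
if ($spOwners.ObjectId -contains $owner.ObjectId) {
    Write-Host "$ownerUpn already owns enterprise application '$appDisplayName'"
} else {
    Add-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId -RefObjectId $owner.ObjectId
}

# For apps you registered yourself (as opposed to gallery apps) there is also a
# matching application registration. Ownership there is separate: the
# registration owner edits the manifest, the service principal owner edits SSO
# and assignments. Grant both only when the person actually needs both.
$reg = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"
if ($reg) {
    $regOwners = Get-AzureADApplicationOwner -ObjectId $reg.ObjectId
    if ($regOwners.ObjectId -notcontains $owner.ObjectId) {
        Add-AzureADApplicationOwner -ObjectId $reg.ObjectId -RefObjectId $owner.ObjectId
    }
}

# Verify: who can now manage this one application.
Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId |
    Select-Object DisplayName, UserPrincipalName
```

The lookup by display name is deliberately strict: two service principals can share a display name, and silently picking the first one would hand ownership of the wrong application to the new owner.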
Selectively allow people to create application registrations
By default, all users can create application registrations. You can disable this by setting “Users can register applications” to No. As of last week, using the new Application Developer role, you can now selectively grant back the ability to create application registrations to people as needed.
- Application Developer: This role grants the ability to create application registrations when the ‘Users can register applications’ switch is set to No. Application Developers can also consent for themselves when the ‘users can consent to applications accessing company data on their behalf’ switch is set to No. When an Application Developer creates a new application registration, they are automatically added as the first owner.
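The role changes described in this section and in the Application Administrator section above can be applied together. The following is an added example written for this page, not code from the original post or from Microsoft. It assumes the AzureAD and MSOnline PowerShell modules are installed and that you are signed in as a Global Administrator; the UPNs are placeholders. Note that in the AzureAD module the Global Administrator role is displayed under its older name, Company Administrator.

```powershell
# Added example (not from the original post): move delegated admins off
# Global Administrator onto the Application Administrator role, disable
# self-service app registration tenant-wide, and grant it back to named
# developers through the Application Developer role.
# Assumptions: AzureAD and MSOnline modules installed, session signed in as
# Global Administrator, UPNs below are placeholders.
Connect-AzureAD | Out-Null
Connect-MsolService

# Directory roles are inactive until first used; activate from the template so
# the script also works in a tenant where nobody has ever held the role.
function Get-OrEnableDirectoryRole([string]$DisplayName) {
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

# Idempotent role assignment: re-running the script must not fail or duplicate.
function Add-RoleMemberIfMissing([string]$RoleDisplayName, [string]$Upn) {
    $role = Get-OrEnableDirectoryRole $RoleDisplayName
    $user = Get-AzureADUser -ObjectId $Upn
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $user.ObjectId) { return }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
}

# 1. Grant the scoped role first, then remove Global Administrator, so the
#    person is never left without the access they need. Never remove the
#    account running the script (or your break-glass account) from Global Admin.
$appAdmins       = @('appadmin@contoso.example')          # assumed
$me              = (Get-AzureADCurrentSessionInfo).Account.Id
$globalAdminRole = Get-OrEnableDirectoryRole 'Company Administrator'
foreach ($upn in $appAdmins) {
    Add-RoleMemberIfMissing 'Application Administrator' $upn
    if ($upn -eq $me) { Write-Warning "Skipping self ($upn) for Global Admin removal"; continue }
    $user      = Get-AzureADUser -ObjectId $upn
    $gaMembers = Get-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId
    if ($gaMembers.ObjectId -contains $user.ObjectId) {
        Remove-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId -MemberId $user.ObjectId
    }
}

# 2. Flip 'Users can register applications' to No for the whole tenant ...
Set-MsolCompanySettings -UsersPermissionToCreateLOBAppsEnabled $false

# 3. ... and grant the ability back only to named developers. Each registration
#    they create lists them as its first owner automatically.
foreach ($upn in @('dev1@contoso.example')) {                # assumed
    Add-RoleMemberIfMissing 'Application Developer' $upn
}

# Verify: the remaining Global Administrators should be a short list, and the
# tenant switch should now read False.
Get-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId |
    Select-Object DisplayName, UserPrincipalName
(Get-MsolCompanyInformation).UsersPermissionToCreateLOBAppsEnabled
```

The order matters: scoped role in, Global Administrator out, and the running account is always skipped so a typo in the list cannot lock you out of the tenant.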