Azure AD app management roles in public preview now


Last week Microsoft announced the public preview of their new delegated app management role.

If you have granted people the Global Administrator role only so that they can do things like configure enterprise applications, you can now move them to this less privileged role. Doing so improves your security posture and reduces the blast radius of an unfortunate mistake.

Microsoft has also added support for per-application ownership, which lets you grant full management permissions on a per-application basis.

And lastly, they have introduced a role that allows you to selectively grant people the ability to create application registrations.

An alternative to global administrator: Application administrator role

Use the following roles to grant people access to manage all of your directory’s applications without also granting the other unrelated, powerful permissions that come with the Global Administrator role.

  • Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access.
  • Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access).

You can assign these new roles in the Azure AD portal, on the Directory roles tab of the user profile blade, or in Azure AD Privileged Identity Management.

Read more about the application administrator roles, including more specifics on permissions.

Granting ownership access to manage individual enterprise applications

Microsoft now supports ownership for enterprise applications so you can do even finer grained delegation if you want. This complements the existing support for assigning application registration owners.

Ownership is assigned per enterprise application in the Enterprise applications blade. The benefit is that owners can manage only the enterprise applications they own. For example, you can assign an owner for the Salesforce application, and that owner can manage access to and configuration for Salesforce and nothing else. An enterprise application can have many owners, and a user can be the owner of many enterprise applications.

  • Enterprise Application Owner: This role grants the ability to manage ‘owned’ enterprise applications, including SSO settings, user and group assignments, and adding additional owners. It does not grant the ability to manage Application Proxy settings or conditional access.
  • Application Registration Owner: This role was previously available and grants the ability to manage ‘owned’ application registrations, including the application manifest and adding additional owners.

You can assign an enterprise application owner in the Azure AD portal, on the Owners tab of the enterprise applications blade.
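The same ownership assignment can be scripted. The following is an added example, not code from the original post or from Microsoft, using the AzureAD PowerShell module (Install-Module AzureAD, then Connect-AzureAD). The application name 'Salesforce' and the user principal name are placeholders; the function names are this example's own. It also adds an audit pass that lists enterprise applications with no owner at all, since those are the ones that still fall back to the directory-wide roles.

```powershell
# Added example (not from the original post). Requires the AzureAD module and an
# authenticated session: Connect-AzureAD. UPNs and app names below are placeholders.

# An "enterprise application" is a service principal; an "app registration" is an
# application object. Ownership is a separate relationship on each of them.
function Add-EnterpriseAppOwner {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # OData filter on the service principal's display name
    $sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sp.Count -eq 0) { throw "No enterprise application named '$AppDisplayName'" }
    if ($sp.Count -gt 1) { throw "More than one app named '$AppDisplayName'; use the ObjectId" }
    $sp = $sp[0]

    $user   = Get-AzureADUser -ObjectId $UserPrincipalName      # -ObjectId accepts a UPN
    $owners = @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId)
    if ($owners.ObjectId -contains $user.ObjectId) {
        Write-Host "$UserPrincipalName already owns '$AppDisplayName'"
        return
    }
    Add-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId -RefObjectId $user.ObjectId
    Write-Host "$UserPrincipalName is now an owner of enterprise application '$AppDisplayName'"
}

function Add-AppRegistrationOwner {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $app = @(Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'")
    if ($app.Count -ne 1) { throw "Expected exactly one registration named '$AppDisplayName', found $($app.Count)" }
    $app  = $app[0]
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $owners = @(Get-AzureADApplicationOwner -ObjectId $app.ObjectId)
    if ($owners.ObjectId -notcontains $user.ObjectId) {
        Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $user.ObjectId
    }
    Write-Host "$UserPrincipalName is an owner of app registration '$AppDisplayName'"
}

# Audit helper: enterprise apps in the tenant and who owns them. The tag filter is an
# assumption about how the portal distinguishes gallery/custom apps from first-party
# Microsoft service principals; drop the Where-Object to see everything.
function Get-EnterpriseAppOwnerReport {
    Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryIntegratedApp' } |
        ForEach-Object {
            $owners = @(Get-AzureADServicePrincipalOwner -ObjectId $_.ObjectId)
            [pscustomobject]@{
                App    = $_.DisplayName
                Owners = ($owners | ForEach-Object { $_.UserPrincipalName }) -join ', '
                Count  = $owners.Count
            }
        }
}

Connect-AzureAD | Out-Null

# Placeholder values: delegate Salesforce to one person and nothing else.
Add-EnterpriseAppOwner  -AppDisplayName 'Salesforce' -UserPrincipalName 'sf.owner@contoso.example'

# Apps with zero owners are still managed only through directory-wide roles.
Get-EnterpriseAppOwnerReport | Where-Object { $_.Count -eq 0 } | Format-Table -AutoSize
```

Both functions are idempotent, so they are safe to re-run from a provisioning script; the report at the end is the check worth scheduling, because an application with no owner is one that only a Global Administrator or Application Administrator can change.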

Selectively allow people to create application registrations

By default, every user can create application registrations. You can disable this by setting “Users can register applications” to No. As of last week, the new Application Developer role lets you selectively grant that ability back to individual people as needed.

  • Application Developer: This role grants the ability to create application registrations when the ‘Users can register applications’ switch is set to No. Application Developers can also consent for themselves when the ‘users can consent to applications accessing company data on their behalf’ switch is set to No. When an Application Developer creates a new application registration, they are automatically added as the first owner.

You can assign the Application Developer role in the Azure AD portal, on the Directory roles tab of the user profile blade, or in Azure AD Privileged Identity Management.
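To show how the role assignments described in this section and in the Application Administrator section above fit together, here is an added example (not code from the original post or from Microsoft) using the AzureAD PowerShell module. It reviews who currently holds Global Administrator, moves one placeholder account to Application Administrator, turns off tenant-wide self-service app registration, and grants Application Developer to a placeholder account. The function names and UPNs are this example's own; the parameter shape of Set-AzureADMSAuthorizationPolicy is an assumption based on newer versions of the module, so confirm it with Get-Help before relying on it.

```powershell
# Added example (not from the original post). Requires the AzureAD module and
# Connect-AzureAD. All UPNs are placeholders.

# Built-in roles only appear in Get-AzureADDirectoryRole after they have been
# activated once; activate from the template if needed, then add the member.
function Grant-DirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleDisplayName }
        if (-not $template) { throw "No directory role template named '$RoleDisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    $user    = Get-AzureADUser -ObjectId $UserPrincipalName
    $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
    if ($members.ObjectId -contains $user.ObjectId) {
        Write-Host "$UserPrincipalName already holds $RoleDisplayName"
        return
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Granted $RoleDisplayName to $UserPrincipalName"
}

function Revoke-DirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) { return }   # never activated, so nobody holds it
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
    Write-Host "Removed $RoleDisplayName from $UserPrincipalName"
}

Connect-AzureAD | Out-Null

# 1. Who is Global Administrator today? The role's internal display name is
#    'Company Administrator'. Anyone here whose only job is app configuration is a
#    candidate for the lesser role.
$ga = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId | Select-Object DisplayName, UserPrincipalName

# 2. Grant the lesser role first, then remove Global Administrator (placeholder UPN).
#    Keep at least one break-glass Global Administrator outside this script.
Grant-DirectoryRole  -RoleDisplayName 'Application Administrator' -UserPrincipalName 'app.admin@contoso.example'
Revoke-DirectoryRole -RoleDisplayName 'Company Administrator'     -UserPrincipalName 'app.admin@contoso.example'

# 3. Flip "Users can register applications" to No for the whole tenant.
#    Assumption: this cmdlet and parameter shape exist in your module version.
Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }

# 4. Give the ability back to one developer; they become first owner of anything they register.
Grant-DirectoryRole -RoleDisplayName 'Application Developer' -UserPrincipalName 'dev.one@contoso.example'

# 5. Verify the end state.
(Get-AzureADMSAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
foreach ($name in 'Application Administrator', 'Cloud Application Administrator', 'Application Developer') {
    $r = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $name }
    if ($r) { Write-Host "$name :" ((Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId).UserPrincipalName -join ', ') }
}
```

The order in step 2 matters: grant the narrower role before revoking the broad one so the person is never left with nothing, and run the verification loop afterwards so the change is recorded in your own change log as well as in the Azure AD audit log.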

For more information email info@messageops.com
