How to allow users to be able to add Enterprise application without making them global administrator

A K 0 Reputation points
2023-02-28T23:29:15.8433333+00:00

I want to allow a user to allow creating new application in Microsoft active directory without making them Global administrator .Or how to make them application administrator

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,787 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. TP 75,656 Reputation points
    2023-03-01T01:12:30.8733333+00:00

    Hi,

    One method would be to assign the user Cloud Application Administrator role via portal -- Azure Active Directory -- Roles and administrators -- Cloud Application Administrator -- Add assignments. Please see article below for more detailed information on various options:

    Delegate app registration permissions in Azure Active Directory

    https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles

    If the above was helpful please click Accept Answer.

    Thanks.

    -TP

    2 people found this answer helpful.
  2. Sandeep G-MSFT 14,486 Reputation points Microsoft Employee
    2023-03-02T04:25:58.88+00:00

    @A K

    Thank you for posting your question on MIcrosoft Q&A.

    There are some built-in roles that you can assign to users with which users can create new applications in Azure AD.

    Application Administrator:

    Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

    This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph.

    Cloud Application Administrator:

    Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations. Users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

    This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Microsoft Graph.

    Apart from these 2 roles if you are looking to give only specific permissions to user's for creating an application, then you can make use of custom roles in Azure AD.

    You can create a custom role using below permission,

    microsoft.directory/applications/create

    microsoft.directory/applications/createAsOwner

    User's image

    You can refer below article to get more information on Azure AD custom roles.

    https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create

    Let me know if you have any further questions

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments
  3. Mark Woodland 0 Reputation points
    2023-05-15T16:12:25.6+00:00

    Hi, One method would be to assign the user Cloud Application Administrator role via portal -- Azure Active Directory -- Roles and administrators -- Cloud Application Administrator -- Add assignments. Please see article below for more detailed information on various options: Delegate app registration permissions in Azure Active Directory https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles If the above was helpful please click Accept Answer. Thanks. -TP

    Thank you TP for your answer.

    0 comments