Managing applications is one of the most sensitive administrative tasks in Microsoft Entra. Applications can authenticate users, issue tokens, and access data across the organization. For this reason, application management must be delegated carefully using least privilege.
This unit explains how Microsoft Entra ID allows you to delegate application management responsibilities without relying on the Global Administrator role.
Ways to delegate application management
In Microsoft Entra ID, application management permissions can be delegated using four main approaches:
- Restricting who can create applications and manage the applications they create.
- Assigning one or more owners to an application.
- Assigning built-in administrative roles that manage applications across the tenant.
- Creating and assigning custom roles with specific permissions.
Delegating application management in these ways has two benefits:
- It reduces dependency on Global Administrators.
- It improves security by limiting the impact of compromised accounts.
Restrict who can create applications
By default, Microsoft Entra ID allows:
- All users to create application registrations.
- All users to manage the applications they create.
- All users to consent to apps accessing company data on their behalf.
These defaults are convenient but high risk in enterprise environments.
Disable default app creation and consent
1. Sign in to your Microsoft Entra organization using an account eligible for the Global Administrator role.
2. On the User settings page for your organization, set Users can register applications to No.
3. On the User settings for enterprise applications, configure whether users can add Gallery apps to My Apps or whether Office 365 apps appear in the Office portal.
4. On the Consent and permissions settings for enterprise applications, set Users can consent to applications accessing company data on their behalf to No.
These settings prevent uncontrolled app creation and user consent.
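The two settings that matter most for least privilege, app registration and user consent, can also be read and tightened from a script, which makes it easy to verify that a tenant actually has the restricted defaults. The following script is an added example and is not part of this unit; it uses the Microsoft Graph PowerShell module and assumes the signed-in account is allowed to update the tenant authorization policy (the unit uses the Global Administrator role for this).

```powershell
# Added example (not from the original unit): read and tighten the tenant-wide
# defaults with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is
# installed and the signed-in account can update the authorization policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Show the current defaults before changing anything.
$policy = Get-MgPolicyAuthorizationPolicy
"Users can register applications : $($policy.DefaultUserRolePermissions.AllowedToCreateApps)"
"User consent policies assigned   : $($policy.PermissionGrantPoliciesAssigned -join ', ')"

# 1. Users can register applications -> No
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }

# 2. Users can consent to applications accessing company data on their behalf -> No
#    An empty list of permission grant policies turns user consent off entirely.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -PermissionGrantPoliciesAssigned @()

# Verify: both values should now reflect the restricted settings.
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.DefaultUserRolePermissions.AllowedToCreateApps -or
    @($policy.PermissionGrantPoliciesAssigned).Count -gt 0) {
    Write-Warning "Defaults are still permissive; check the policy update."
} else {
    "Default app registration and user consent are now disabled."
}
```

The read-before-write and verify-after-write steps are deliberate: the authorization policy is a single tenant-wide object, so the same script doubles as a drift check that can run on a schedule and raise a warning if someone re-enables the permissive defaults.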
Grant individual permissions after restriction
When default permissions are disabled, you can selectively re-grant them to individual users so that they can:
- Create application registrations.
- Consent to applications on their own behalf.
System behavior to remember: when a user creates a new application registration, Microsoft Entra automatically adds that user as the first owner of the application. Ownership grants full management rights over that app.
Assign application owners
Assigning owners is a simple and targeted way to delegate management of a specific application.
Ownership allows a user to manage all aspects of the application registration or enterprise application they own.
Ownership is not fixed after creation:
- The original owner can be removed.
- Additional owners can be added.
Enterprise application owners
Owners of an enterprise application can:
- Configure SSO.
- Configure provisioning.
- Manage user and group assignments.
- Add or remove other owners.
Owners are limited to only the apps they own, unlike Global Administrators.
An application can exist as both:
- An enterprise application.
- A corresponding application registration.
When this is true, adding an owner to the enterprise application automatically adds the owner to the application registration.
Assign an owner to an enterprise application
1. Sign in to your Microsoft Entra organization using an account eligible for the Application Administrator or Cloud Application Administrator role.
2. On the App registrations page, select the application to open its Overview page.
3. Select Owners to view the current owners.
4. Select Add and choose one or more users.
Important limitations:
- Users and service principals can be owners of application registrations.
- Only users can be owners of enterprise applications.
- Groups cannot be owners of either type.
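The same delegation can be done from a script, which is useful when ownership is granted as part of an onboarding process and needs to be auditable. The following script is an added example, not part of this unit; it uses Microsoft Graph PowerShell, and the application name and user principal name are placeholders for values in your own tenant. It targets an application registration, so the owner may be a user or a service principal but never a group, matching the limitations above.

```powershell
# Added example (not from the original unit): delegate one app registration by
# adding a user as owner, then verify. Assumes the Microsoft.Graph module and a
# signed-in Application Administrator or Cloud Application Administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

$appName  = "Contoso Expense API"        # placeholder display name
$ownerUpn = "alice@contoso.example"      # placeholder user principal name

$app  = Get-MgApplication -Filter "displayName eq '$appName'"
$user = Get-MgUser -UserId $ownerUpn

# Owners of app registrations may be users or service principals, never groups.
# Resolving a UPN with Get-MgUser guarantees a user object here; if the object id
# comes from elsewhere, check its type first because a group id is rejected.
New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Verify: list the current owners. Get-MgApplicationOwner returns directory
# objects; AdditionalProperties carries the display name and object type.
Get-MgApplicationOwner -ApplicationId $app.Id | ForEach-Object {
    [pscustomobject]@{
        ObjectId = $_.Id
        Type     = $_.AdditionalProperties.'@odata.type'
        Name     = $_.AdditionalProperties.displayName
    }
}

# To revoke the delegation later, remove the owner reference:
# Remove-MgApplicationOwnerByRef -ApplicationId $app.Id -DirectoryObjectId $user.Id
```

Keeping the removal command next to the grant is a habit worth adopting: ownership is scoped to one app, but it is still a standing privilege, so every grant should have a documented way to revoke it.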
Security warning about ownership
Owners can:
- Add credentials to an application.
- Use those credentials to impersonate the application's identity.
Because applications often have permissions that exceed the owner’s user permissions, ownership can result in privilege escalation. Depending on app permissions, an owner might be able to create or modify users or other directory objects.
This risk is commonly tested in the exam.
Assign built-in application admin roles
Microsoft Entra ID provides built-in roles for managing applications across the tenant.
Application Administrator
Users in this role can:
- Create and manage enterprise applications.
- Create and manage application registrations.
- Manage Application Proxy settings.
- Consent to delegated and application permissions, excluding Microsoft Graph.
Users in this role are not automatically added as owners when they create apps.
Cloud Application Administrator
Users in this role have the same permissions as Application Administrator, except:
- They cannot manage Application Proxy.
Users in this role are also not automatically added as owners when they create apps.
Important role limitation
Users in both roles:
- Can add credentials to applications.
- Can impersonate application identities.
Neither role grants permission to manage Conditional Access settings.
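Both the ownership warning earlier in this unit and the role limitation above come down to the same question a defender needs to answer: who in the tenant can add credentials to an application and therefore act as that application? The following script is an added example, not part of this unit; it uses Microsoft Graph PowerShell to build one report covering app owners (scoped to a single app each) and members of the two built-in roles (scoped to every app), and it assumes a read-only account such as Global Reader. The role names are the built-in ones the unit describes.

```powershell
# Added example (not from the original unit): inventory every principal that can
# add credentials to an application: owners of each app registration, plus
# members of Application Administrator and Cloud Application Administrator.
# Assumes the Microsoft.Graph module and a reader-level signed-in account.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All", "RoleManagement.Read.Directory"

$report = [System.Collections.Generic.List[object]]::new()

# 1. App owners: rights apply to one app each, so record the app as the scope
#    and count the credentials already present on it.
foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
    $credCount = @($app.PasswordCredentials).Count + @($app.KeyCredentials).Count
    foreach ($owner in Get-MgApplicationOwner -ApplicationId $app.Id) {
        $report.Add([pscustomobject]@{
            Principal   = $owner.AdditionalProperties.displayName
            ObjectType  = $owner.AdditionalProperties.'@odata.type'
            Via         = "Owner"
            Scope       = $app.DisplayName
            Credentials = $credCount
        })
    }
}

# 2. Built-in roles: rights apply across every application in the tenant.
foreach ($roleName in "Application Administrator", "Cloud Application Administrator") {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $report.Add([pscustomobject]@{
            Principal   = $member.AdditionalProperties.displayName
            ObjectType  = $member.AdditionalProperties.'@odata.type'
            Via         = $roleName
            Scope       = "All applications"
            Credentials = $null
        })
    }
}

# Tenant-wide role holders first, then owners grouped by app.
$report | Sort-Object Via, Scope | Format-Table -AutoSize
```

Owners of applications that already carry credentials and hold permissions beyond the owner's own user permissions are the rows to review first, because that combination is exactly the privilege escalation path the unit warns about. Running the report periodically and diffing it against the previous run turns it into a simple detection for newly delegated application access.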
Create and assign a custom role
Custom roles provide the most granular delegation option.
Creating a custom role involves two steps:
1. Create a custom role definition and add permissions from the predefined permission list.
2. Create a role assignment to assign the role.
A role assignment can be made at either of two scopes:
- At the directory scope (all applications).
- At the scope of a single Microsoft Entra object, such as one app registration.
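The two steps above, a role definition followed by a scoped assignment, look like this in Microsoft Graph PowerShell. The following script is an added example, not part of this unit; the role name, user principal name and application name are placeholders, and the two resource actions are built-in Microsoft Entra permissions for app registrations. It shows the single-object scope, which is the more restrictive of the two options the unit lists.

```powershell
# Added example (not from the original unit): a custom role limited to updating
# basic properties and credentials of app registrations, assigned at the scope of
# one app registration. Assumes the Microsoft.Graph module and a signed-in account
# that can manage role definitions and assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Application.Read.All", "User.Read.All"

# Step 1: role definition built from predefined permissions (resource actions).
$roleDefinition = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "Application Registration Credential Manager"   # placeholder
    description     = "Update basic properties and credentials of assigned app registrations"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}

$user = Get-MgUser -UserId "alice@contoso.example"                          # placeholder
$app  = Get-MgApplication -Filter "displayName eq 'Contoso Expense API'"    # placeholder

# Step 2: role assignment. Directory scope "/" would cover every application;
# "/<object id>" limits the assignment to this single app registration.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId $user.Id `
    -DirectoryScopeId "/$($app.Id)"

# Verify the assignment and, in particular, that the scope is the one app.
Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id |
    Select-Object RoleDefinitionId, PrincipalId, DirectoryScopeId
```

Compared with making the user an owner, this assignment grants only the two listed actions rather than full management rights, and compared with the built-in roles it is confined to one object rather than the whole tenant. The DirectoryScopeId in the verification output is the value to check in reviews, since an accidental "/" silently widens the grant to every application.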
Tips and limitations for custom roles
- Custom roles grant access only in the current app registration experience, not the legacy experience.
- Custom roles do not grant portal access if Restrict access to Microsoft Entra ID administration portal is set to Yes.
- Role assignments appear only in the All applications tab, not the Owned applications tab.
These limitations are subtle and commonly tested.