Microsoft Entra ID · Remaining Built-in Roles

Application Administrator

Can create and manage all aspects of app registrations and enterprise apps. This is a privileged role that can impersonate applications.

Scope: Organization-wide application and service principal management including App Proxy

Permissions

  • Applications - Create all types of applications
  • Applications - Delete all types of applications
  • App Roles - Update appRoles property
  • App Settings - Update audience property
  • Authentication - Update authentication settings
  • App Properties - Update basic properties
  • Credentials - Update application credentials
  • Extensions - Update extension properties
  • App Properties - Update notes
  • Ownership - Update owners
  • Permissions - Update permissions
  • Policies - Update policies
  • Verification - Update verification property
  • App Proxy - Read App Proxy properties
  • App Proxy - Update App Proxy settings
  • App Proxy - Update App Proxy auth
  • Certificates - Update SSL certs
  • URLs - Update URL settings
  • Provisioning - Read provisioning settings
  • Service Principals - Create service principals
  • Service Principals - Delete service principals
  • Service Principals - Disable service principals
  • Service Principals - Enable service principals
  • Role Assignments - Update role assignments
  • Credentials - Update credentials
  • Ownership - Update owners
  • Permissions - Update permissions
  • Policies - Update policies
  • Provisioning - Manage app provisioning
  • Consent - Grant consent except for Microsoft Graph/Azure AD Graph app permissions
  • OAuth - Manage OAuth 2.0 grants
  • App Policies - Create application policies
  • App Policies - Delete application policies
  • App Proxy - Manage App Proxy connector groups
  • App Proxy - Create App Proxy connectors
  • Custom Extensions - Manage custom auth extensions
  • Applications - Permanently delete applications
  • Applications - Restore deleted applications

Common use cases

  • Managing SaaS application integrations (ServiceNow, Salesforce, etc.)
  • Application development and registration for custom apps
  • Enterprise app consent and permissions management
  • Application Proxy deployment for on-premises apps
  • Configuring SSO for enterprise applications
  • Managing application credentials and certificates
  • Setting up user provisioning (SCIM) for applications
  • Configuring custom authentication extensions
  • Managing app roles and user/group assignments
  • Troubleshooting application authentication issues
  • Managing third-party gallery applications
  • Configuring claims mapping for SAML/OIDC apps

Best practices

  • Use Cloud Application Admin when App Proxy not needed
  • Review app consent grants regularly
  • Implement admin consent workflow for user requests
  • Use certificates instead of secrets for credentials
  • Set credential expiration and track renewals
  • Review application permissions quarterly
  • Use app roles for authorization in custom apps
  • Implement proper app registration naming conventions
  • Document all application integrations
  • Use PIM for just-in-time access
  • Enable app governance policies
  • Review and remove unused applications
  • Monitor for overprivileged applications
  • Use managed identities where possible
  • Implement least-privilege for app permissions

Security considerations

  • CRITICAL: Can impersonate any application by updating credentials
  • Can grant consent for sensitive permissions on behalf of organization
  • Cannot consent to Microsoft Graph or Azure AD Graph app permissions
  • Can create backdoor service principals if not monitored
  • Can modify application permissions affecting data access
  • Can disable critical business applications
  • Credentials created can be used to impersonate apps
  • Monitor for credential additions to high-privilege apps
  • Alert on admin consent grants
  • Review application owner assignments
  • Can access any data the application has permission to access
  • Consider using app governance to monitor consent
  • Implement approval workflows for sensitive app changes
  • Review App Proxy configurations for security

Common questions

When should I assign the Application Administrator role?

Assign Application Administrator when you need to: Managing SaaS application integrations (ServiceNow, Salesforce, etc.); Application development and registration for custom apps; Enterprise app consent and permissions management; Application Proxy deployment for on-premises apps; and Configuring SSO for enterprise applications. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Application Administrator role do?

The Application Administrator role grants permissions including: Applications - Create all types of applications; Applications - Delete all types of applications; App Roles - Update appRoles property; App Settings - Update audience property; Authentication - Update authentication settings; and App Properties - Update basic properties. See the Permissions section above for the full list.

What are the security risks of the Application Administrator role?

Key considerations when assigning Application Administrator: CRITICAL: Can impersonate any application by updating credentials; Can grant consent for sensitive permissions on behalf of organization; Cannot consent to Microsoft Graph or Azure AD Graph app permissions; and Can create backdoor service principals if not monitored. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →