Microsoft Entra ID · Remaining Built-in Roles
Application Administrator
Can create and manage all aspects of app registrations and enterprise apps. This is a privileged role that can impersonate applications.
Scope: Organization-wide application and service principal management including App Proxy
Permissions
- Applications - Create all types of applications
- Applications - Delete all types of applications
- App Roles - Update appRoles property
- App Settings - Update audience property
- Authentication - Update authentication settings
- App Properties - Update basic properties
- Credentials - Update application credentials
- Extensions - Update extension properties
- App Properties - Update notes
- Ownership - Update owners
- Permissions - Update permissions
- Policies - Update policies
- Verification - Update verification property
- App Proxy - Read App Proxy properties
- App Proxy - Update App Proxy settings
- App Proxy - Update App Proxy auth
- Certificates - Update SSL certs
- URLs - Update URL settings
- Provisioning - Read provisioning settings
- Service Principals - Create service principals
- Service Principals - Delete service principals
- Service Principals - Disable service principals
- Service Principals - Enable service principals
- Role Assignments - Update role assignments
- Service Principals - Update service principal credentials
- Service Principals - Update service principal owners
- Service Principals - Update service principal permissions
- Service Principals - Update service principal policies
- Provisioning - Manage app provisioning
- Consent - Grant consent except for Microsoft Graph/Azure AD Graph app permissions
- OAuth - Manage OAuth 2.0 grants
- App Policies - Create application policies
- App Policies - Delete application policies
- App Proxy - Manage App Proxy connector groups
- App Proxy - Create App Proxy connectors
- Custom Extensions - Manage custom auth extensions
- Applications - Permanently delete applications
- Applications - Restore deleted applications
Common use cases
- Managing SaaS application integrations (ServiceNow, Salesforce, etc.)
- Application development and registration for custom apps
- Enterprise app consent and permissions management
- Application Proxy deployment for on-premises apps
- Configuring SSO for enterprise applications
- Managing application credentials and certificates
- Setting up user provisioning (SCIM) for applications
- Configuring custom authentication extensions
- Managing app roles and user/group assignments
- Troubleshooting application authentication issues
- Managing third-party gallery applications
- Configuring claims mapping for SAML/OIDC apps
Best practices
- Use Cloud Application Administrator when App Proxy is not needed
- Review app consent grants regularly
- Implement admin consent workflow for user requests
- Use certificates instead of secrets for credentials
- Set credential expiration and track renewals
- Review application permissions quarterly
- Use app roles for authorization in custom apps
- Implement proper app registration naming conventions
- Document all application integrations
- Use PIM for just-in-time access
- Enable app governance policies
- Review and remove unused applications
- Monitor for overprivileged applications
- Use managed identities where possible
- Implement least-privilege for app permissions
Security considerations
- CRITICAL: Can impersonate any application by adding or updating its credentials
- Can grant consent for sensitive permissions on behalf of organization
- Cannot consent to Microsoft Graph or Azure AD Graph app permissions
- Can create backdoor service principals if not monitored
- Can modify application permissions affecting data access
- Can disable critical business applications
- Credentials created can be used to impersonate apps
- Monitor for credential additions to high-privilege apps
- Alert on admin consent grants
- Review application owner assignments
- Can access any data the application has permission to access
- Consider using app governance to monitor consent
- Implement approval workflows for sensitive app changes
- Review App Proxy configurations for security
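The two monitoring items above (credential additions to high-privilege apps, admin consent grants) as a small triage routine over Entra audit records. This is an added example, not Microsoft's code or a Sentinel rule: the sample records are constructed to resemble Microsoft Graph /auditLogs/directoryAudits output, and the activity names, the ConsentContext.IsAdminConsent property and the watchlist are assumptions to be matched against a real tenant export.

```python
import json

# Constructed sample records shaped like Microsoft Graph /auditLogs/directoryAudits
# output. Activity names and the ConsentContext.IsAdminConsent property are
# assumptions for this example; match them against your own tenant's export.
SAMPLE_AUDIT = json.dumps([
    {"activityDisplayName": "Update application - Certificates and secrets management",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"displayName": "Payroll-Sync-App"}]},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"displayName": "Contoso-Reporting"}],
     "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "[\"True\"]"}]},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Lunch-Menu"}],
     "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "newValue": "[\"False\"]"}]},
    {"activityDisplayName": "Add service principal credentials", "result": "failure",
     "initiatedBy": {"app": {"displayName": "Automation-SP"}},
     "targetResources": [{"displayName": "Payroll-Sync-App"}]},
])
HIGH_PRIV_APPS = {"Payroll-Sync-App"}  # constructed watchlist of sensitive apps
CREDENTIAL_EVENTS = {"Update application - Certificates and secrets management",
                     "Add service principal credentials"}

def actor_of(rec):
    """Who acted: a user's UPN, or the app/service principal that ran automation."""
    by = rec.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown-user")
    return "app:" + by.get("app", {}).get("displayName", "unknown-app")

def is_admin_consent(rec):
    """True when the consent event carries IsAdminConsent=True (tenant-wide grant)."""
    for prop in rec.get("modifiedProperties", []):
        if prop.get("displayName") == "ConsentContext.IsAdminConsent":
            return "True" in prop.get("newValue", "")
    return False

def triage(audit_json, watchlist=HIGH_PRIV_APPS):
    """Return (rule, actor, target) for successful events matching the two rules."""
    alerts = []
    for rec in json.loads(audit_json):
        if rec.get("result") != "success":
            continue  # failed attempts are not in scope for these two rules
        name = rec.get("activityDisplayName", "")
        for target in (t.get("displayName", "") for t in rec.get("targetResources", [])):
            if name in CREDENTIAL_EVENTS and target in watchlist:
                alerts.append(("credential-added-high-priv-app", actor_of(rec), target))
            elif name == "Consent to application" and is_admin_consent(rec):
                alerts.append(("admin-consent-granted", actor_of(rec), target))
    return alerts
```

Calling triage(SAMPLE_AUDIT) yields two alerts: the secret added to Payroll-Sync-App and the admin consent on Contoso-Reporting; the user-level consent and the failed credential attempt are left out, which is where a second rule on repeated failures would pick up.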