Microsoft Entra ID · Remaining Built-in Roles

Application Developer

Can create application registrations independent of the "Users can register applications" setting. Most limited application role.

Scope: Application registration creation with ownership - most limited app role

Permissions

  • App Registrations - Create app registrations as owner
  • OAuth - Create OAuth grants as owner
  • Service Principals - Create service principals as owner
  • Consent - Consent to applications on own behalf
  • Limitation - Cannot manage existing applications they don't own
  • Limitation - Cannot grant admin consent
  • Limitation - Cannot access other users' applications

Common use cases

  • Developers needing to register apps for testing
  • Dev/test environment application creation
  • When "Users can register apps" is disabled organization-wide
  • Controlled developer access to app registration
  • Temporary access for specific development projects

Best practices

  • Assign to developers in controlled environments
  • Use when default app registration is restricted
  • Monitor app registrations created by this role
  • Implement application naming conventions
  • Require documentation of application purpose
  • Set up alerts for new application registrations
  • Review and clean up unused applications
  • Consider time-limited assignments via PIM

Security considerations

  • Can only manage applications they create
  • Cannot grant admin consent (requires escalation)
  • Limited scope reduces risk
  • Monitor for excessive application creation
  • Audit applications created by role holders
  • Consider PIM for just-in-time access

Common questions

When should I assign the Application Developer role?

Assign Application Developer when you need to: Developers needing to register apps for testing; Dev/test environment application creation; When "Users can register apps" is disabled organization-wide; Controlled developer access to app registration; and Temporary access for specific development projects. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Application Developer role do?

The Application Developer role grants permissions including: App Registrations - Create app registrations as owner; OAuth - Create OAuth grants as owner; Service Principals - Create service principals as owner; Consent - Consent to applications on own behalf; Limitation - Cannot manage existing applications they don't own; and Limitation - Cannot grant admin consent. See the Permissions section above for the full list.

What are the security risks of the Application Developer role?

Key considerations when assigning Application Developer: Can only manage applications they create; Cannot grant admin consent (requires escalation); Limited scope reduces risk; and Monitor for excessive application creation. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →