Microsoft Entra ID · Remaining Built-in Roles
Application Developer
Can create application registrations independent of the "Users can register applications" setting. This is the most limited application role.
Scope: Application registration creation with ownership
Permissions
- App Registrations - Create app registrations as owner
- OAuth - Create OAuth grants as owner
- Service Principals - Create service principals as owner
- Consent - Consent to applications on own behalf
- Limitation - Cannot manage existing applications they don't own
- Limitation - Cannot grant admin consent
- Limitation - Cannot access other users' applications
Common use cases
- Developers needing to register apps for testing
- Dev/test environment application creation
- When "Users can register apps" is disabled organization-wide
- Controlled developer access to app registration
- Temporary access for specific development projects
Best practices
- Assign to developers in controlled environments
- Use when default app registration is restricted
- Monitor app registrations created by this role
- Implement application naming conventions
- Require documentation of application purpose
- Set up alerts for new application registrations
- Review and clean up unused applications
- Consider time-limited assignments via PIM
Security considerations
- Can only manage applications they create
- Cannot grant admin consent (requires escalation)
- Limited scope reduces risk
- Monitor for excessive application creation
- Audit applications created by role holders
- Consider PIM for just-in-time access
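
Added example (not part of the original page): one way to apply the monitoring items above to exported audit events, flagging role holders whose new registrations break a naming convention or who create more apps than expected in a window. The records are constructed and shaped like Microsoft Graph directoryAudit entries; the naming pattern, threshold, window and account names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the page): naming pattern, threshold, window, role-holder UPNs.
NAME_RE = re.compile(r"^(dev|test)-[a-z0-9]+(-[a-z0-9]+)*$")
MAX_PER_WINDOW = 3
WINDOW = timedelta(hours=24)
ROLE_HOLDERS = {"dev1@contoso.example", "dev2@contoso.example"}

# Constructed sample records, shaped like Microsoft Graph directoryAudit entries.
def _ev(ts, upn, app, activity="Add application", result="success"):
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": app, "type": "Application"}]}

SAMPLE = [
    _ev("2024-05-01T09:00:00Z", "dev1@contoso.example", "dev-billing-api"),
    _ev("2024-05-01T09:05:00Z", "dev1@contoso.example", "My Test App"),
    _ev("2024-05-01T10:00:00Z", "dev2@contoso.example", "test-a"),
    _ev("2024-05-01T10:10:00Z", "dev2@contoso.example", "test-b"),
    _ev("2024-05-01T10:20:00Z", "dev2@contoso.example", "test-c"),
    _ev("2024-05-01T10:30:00Z", "dev2@contoso.example", "test-d"),
    _ev("2024-05-01T11:00:00Z", "dev2@contoso.example", "test-e", result="failure"),
    _ev("2024-05-01T12:00:00Z", "dev1@contoso.example", "dev-billing-api", activity="Update application"),
    _ev("2024-05-03T10:00:00Z", "dev2@contoso.example", "test-f"),
]

def review(events):
    """Return (naming_violations, burst_users) for successful app creations by role holders."""
    created = []
    for e in events:
        user = (e.get("initiatedBy") or {}).get("user") or {}  # None when an app initiated it
        upn = (user.get("userPrincipalName") or "").lower()
        if (e.get("activityDisplayName") != "Add application"
                or e.get("result") != "success" or upn not in ROLE_HOLDERS):
            continue
        ts = datetime.fromisoformat(e["activityDateTime"][:19])  # drop fraction and "Z"
        for t in e.get("targetResources") or []:
            created.append((ts, upn, t.get("displayName") or ""))
    created.sort()
    naming = [(upn, name) for _, upn, name in created if not NAME_RE.match(name)]
    bursts = set()
    for i, (ts, upn, _) in enumerate(created):
        # Count this user's creations in the window that ends at this event.
        n = sum(1 for t2, u2, _ in created[: i + 1] if u2 == upn and ts - t2 <= WINDOW)
        if n > MAX_PER_WINDOW:
            bursts.add(upn)
    return naming, sorted(bursts)

if __name__ == "__main__":
    print(review(SAMPLE))
```
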