Microsoft Entra ID · Remaining Built-in Roles
Application Developer
Can create application registrations independent of the "Users can register applications" setting. Most limited application role.
Scope: Application registration creation with ownership - most limited app role
Permissions
- App Registrations - Create app registrations as owner
- OAuth - Create OAuth grants as owner
- Service Principals - Create service principals as owner
- Consent - Consent to applications on own behalf
- Limitation - Cannot manage existing applications they don't own
- Limitation - Cannot grant admin consent
- Limitation - Cannot access other users' applications
Common use cases
- Developers needing to register apps for testing
- Dev/test environment application creation
- When "Users can register apps" is disabled organization-wide
- Controlled developer access to app registration
- Temporary access for specific development projects
Best practices
- Assign to developers in controlled environments
- Use when default app registration is restricted
- Monitor app registrations created by this role
- Implement application naming conventions
- Require documentation of application purpose
- Set up alerts for new application registrations
- Review and clean up unused applications
- Consider time-limited assignments via PIM
Security considerations
- Can only manage applications they create
- Cannot grant admin consent (requires escalation)
- Limited scope reduces risk
- Monitor for excessive application creation
- Audit applications created by role holders
- Consider PIM for just-in-time access
Common questions
When should I assign the Application Developer role?
Assign Application Developer when you need to: Developers needing to register apps for testing; Dev/test environment application creation; When "Users can register apps" is disabled organization-wide; Controlled developer access to app registration; and Temporary access for specific development projects. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Application Developer role do?
The Application Developer role grants permissions including: App Registrations - Create app registrations as owner; OAuth - Create OAuth grants as owner; Service Principals - Create service principals as owner; Consent - Consent to applications on own behalf; Limitation - Cannot manage existing applications they don't own; and Limitation - Cannot grant admin consent. See the Permissions section above for the full list.
What are the security risks of the Application Developer role?
Key considerations when assigning Application Developer: Can only manage applications they create; Cannot grant admin consent (requires escalation); Limited scope reduces risk; and Monitor for excessive application creation. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.