Microsoft Entra ID · Remaining Built-in Roles

Cloud Application Administrator

Can create and manage all aspects of app registrations and enterprise apps except Application Proxy. Suited to environments whose applications are cloud-only, so no on-premises connectors or connector groups need to be administered. Microsoft classifies this role as privileged because it can add credentials to any application and consent on behalf of the tenant.

Scope: Full cloud application management excluding Application Proxy capabilities

Permissions

  • App Policies - Manage application policies
  • App Registrations - Update all properties of app registrations
  • App Registrations - Create application registrations
  • App Registrations - Delete application registrations
  • Credentials - Manage application credentials
  • Ownership - Manage application owners
  • Permissions - Update application permissions
  • Applications - Permanently delete apps
  • Applications - Restore deleted apps
  • OAuth - Manage OAuth grants
  • Service Principals - Manage service principals
  • Sync - Manage sync credentials
  • Sync - Manage sync jobs
  • Sync - Manage sync schema
  • Consent - Grant admin consent for delegated permissions and for application permissions, except application permissions on Microsoft Graph (those require Global Administrator or Privileged Role Administrator)
  • Limitation - Cannot manage Application Proxy applications or connectors

Common use cases

  • Cloud-only application management
  • SaaS integration without on-premises needs
  • Application registration lifecycle management
  • Enterprise application configuration
  • API permission consent management
  • Service principal credential management
  • SCIM provisioning configuration
  • Application ownership delegation

Best practices

  • Prefer it over Application Administrator whenever Application Proxy management is not needed; the application permissions are the same and the on-premises footprint is smaller
  • Review application permissions before granting consent
  • Document application ownership and purpose
  • Set a maximum lifetime for client secrets and certificates (an app management policy can enforce it) and rotate credentials before they expire
  • Use managed identities for Azure-hosted workloads so that no client secret exists to rotate or leak
  • Monitor for excessive permission requests
  • Review applications with long credential lifetimes
  • Coordinate with Security for sensitive applications
  • Assign the role as eligible in Privileged Identity Management for just-in-time activation rather than as a permanent assignment

Security considerations

  • Can grant tenant-wide consent: a delegated consent of type "AllPrincipals" applies to every user, and affected users are not notified
  • Can add a secret or certificate to any existing service principal and then sign in as that application, inheriting every permission it has already been granted; if any app in the tenant holds high-privilege Microsoft Graph application permissions, this role is a path to those permissions, so treat it as privileged
  • Can request high-privilege permissions on app registrations, but granting Microsoft Graph application permissions still requires Global Administrator or Privileged Role Administrator
  • Cannot manage Application Proxy applications or connectors, which keeps the role away from on-premises resources
  • Monitor the audit log for unexpected application registrations and for "Add service principal credentials" and "Consent to application" activities performed by holders of this role
  • Audit consent grants regularly, with particular attention to AllPrincipals grants for mail, files, or directory scopes
  • Alert on service principals that are assigned sensitive application permissions
  • Review credential lifetimes; flag secrets and certificates that expire far in the future or that have already expired but were never removed
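The best-practice and security-consideration lists above describe three checks a practitioner would run against this role's blast radius: long-lived or stale application credentials, service principals holding sensitive application permissions, and tenant-wide consent grants. The script below is an added example (not code from this page or from Microsoft) that runs those checks over data shaped like Microsoft Graph responses for /applications, /servicePrincipals/{id}/appRoleAssignments, the resource service principal's appRoles, and /oauth2PermissionGrants. All sample objects, GUIDs, the 365-day lifetime limit, and the permission watchlist are constructed assumptions; in a real tenant you would replace the sample lists with the paged results of those Graph calls.

```python
"""Offline audit of Graph-shaped application data for the risks a
Cloud Application Administrator can introduce. Added example; every
object below is constructed and does not come from a real tenant."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
MAX_LIFETIME = timedelta(days=365)                 # assumed policy: credentials must expire within a year
SENSITIVE = {                                      # assumed watchlist of Graph permissions worth alerting on
    "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "User.ReadWrite.All",
}

# --- constructed sample data (placeholder IDs, not real objects) -------------
# Shape of GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials
APPLICATIONS = [
    {"displayName": "hr-sync", "appId": "11111111-0000-0000-0000-000000000001",
     "passwordCredentials": [{"keyId": "p-1", "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2124-01-01T00:00:00Z"}],      # 100-year secret
     "keyCredentials": []},
    {"displayName": "ticket-bot", "appId": "11111111-0000-0000-0000-000000000002",
     "passwordCredentials": [{"keyId": "p-2", "startDateTime": "2025-02-01T12:00:00.1234567Z",
                              "endDateTime": "2025-05-01T12:00:00.1234567Z"},  # 90-day secret
                             {"keyId": "p-3", "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2024-12-31T00:00:00Z"}],      # expired, never removed
     "keyCredentials": [{"keyId": "k-1", "startDateTime": "2024-06-01T00:00:00Z",
                         "endDateTime": "2026-06-01T00:00:00Z"}]},          # 2-year certificate
]
# Shape of the Microsoft Graph service principal's appRoles (id -> permission name)
GRAPH_APP_ROLES = [
    {"id": "r-1", "value": "User.Read.All"},
    {"id": "r-2", "value": "RoleManagement.ReadWrite.Directory"},
]
# Shape of GET /servicePrincipals/{id}/appRoleAssignments (application permissions granted)
APP_ROLE_ASSIGNMENTS = [
    {"principalDisplayName": "hr-sync",    "appRoleId": "r-1"},
    {"principalDisplayName": "hr-sync",    "appRoleId": "r-2"},
    {"principalDisplayName": "ticket-bot", "appRoleId": "r-1"},
]
# Shape of GET /oauth2PermissionGrants; consentType "AllPrincipals" is tenant-wide admin consent
OAUTH2_GRANTS = [
    {"clientId": "sp-hr-sync",    "consentType": "AllPrincipals", "principalId": None,  "scope": "User.Read Mail.Read"},
    {"clientId": "sp-ticket-bot", "consentType": "Principal",     "principalId": "u-1", "scope": "User.Read"},
]


def parse_graph_time(value):
    """Parse Graph ISO-8601 timestamps. Graph emits seven fractional digits,
    which datetime.fromisoformat rejects on older Pythons, so trim to six."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def long_lived_credentials(apps, now=NOW, max_lifetime=MAX_LIFETIME):
    """Flag secrets/certificates whose remaining validity exceeds max_lifetime,
    and expired ones that were never cleaned up. Returns (app, kind, keyId, days_left)."""
    findings = []
    for app in apps:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind, []):
                remaining = parse_graph_time(cred["endDateTime"]) - now
                if remaining > max_lifetime or remaining < timedelta(0):
                    findings.append((app["displayName"], kind, cred["keyId"], remaining.days))
    return findings


def sensitive_app_role_assignments(assignments, resource_app_roles, watchlist=SENSITIVE):
    """Resolve appRoleId to a permission name via the resource SP's appRoles and
    report principals holding watchlisted application permissions. These run
    with no signed-in user, so anyone able to add a credential to the principal
    (this role can) effectively holds them too."""
    names = {role["id"]: role["value"] for role in resource_app_roles}
    return [(a["principalDisplayName"], names[a["appRoleId"]])
            for a in assignments if names.get(a["appRoleId"]) in watchlist]


def tenant_wide_grants(grants, watchlist=SENSITIVE):
    """Report AllPrincipals (admin-consented) delegated grants whose scope
    string contains any watchlisted permission."""
    findings = []
    for grant in grants:
        if grant["consentType"] != "AllPrincipals":
            continue
        hits = sorted(set(grant["scope"].split()) & watchlist)
        if hits:
            findings.append((grant["clientId"], hits))
    return findings


def audit(apps=APPLICATIONS, assignments=APP_ROLE_ASSIGNMENTS,
          resource_app_roles=GRAPH_APP_ROLES, grants=OAUTH2_GRANTS, now=NOW):
    """Run all three checks and return the findings keyed by category."""
    return {
        "long_lived_credentials": long_lived_credentials(apps, now),
        "sensitive_app_roles": sensitive_app_role_assignments(assignments, resource_app_roles),
        "tenant_wide_grants": tenant_wide_grants(grants),
    }


if __name__ == "__main__":
    for category, items in audit().items():
        print(category)
        for item in items:
            print("  ", item)
```

The appRoleId-to-name join matters because appRoleAssignments only carry the role GUID; the readable permission name lives on the resource service principal's appRoles, so a real run needs that object fetched once and cached. Expired credentials are reported alongside over-long ones because a stale secret that was never deleted is still usable until the day it expires and is a sign that nobody is reviewing the app.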

Official Microsoft Learn documentation →
