Question

WoutervanVugt-4248 asked · 5 votes

Allow guest user ownership over an app registration in order to manage certificates and secrets

On our AD tenant I am testing guest user ownership over an app registration + service principal. I want to allow an external daemon service to call my .NET Core REST API. In order to do so securely I need an identity provider trusted by both parties, and one that limits the administrative overhead of managing credential stores.

Instead of deploying IdentityServer or doing something stupid like hardcoding basic-auth passwords in my API, I am considering using our Azure AD tenant and having the external client registered as an app in our tenant. They can then easily authenticate that daemon app against AD and call my API, and I skip the need of managing said credential store. Also, the client gets password refresh etc.; they can manage their own credentials. Yay!

It is my understanding, based on this page, that a guest can be made owner of the app registration and the service principal. I have done so successfully, on both the AzureAD App and the AzureAD ServicePrincipal objects. After which the guest user should be able to manage certain aspects of that app registration. Specifically, I want the guest user to be able to manage the credentials for that app registration. The documentation page states that the guest is allowed to:

Guest user permissions

  • Read properties of registered and enterprise applications

  • Manage application properties, assignments, and credentials for owned applications

  • Delete owned applications

  • Restore owned applications

However, even after signing out and back in to refresh my tokens, the Azure Portal still blocks my testing guest user from managing the app I made him owner of. (The error actually has a hyperlink to the page showing owners, and lo and behold, the guest account is shown as the owner)

The question is whether I am missing a key configuration entry somewhere to allow this to happen, or is the documentation wrong and are guests simply not allowed to manage the credentials contained within the service principal object?

azure-active-directory
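The setup described in the question, reproduced as an added example with the Microsoft Graph PowerShell SDK (this is not code from the question or from Microsoft). It adds the guest as owner of both the application object and the service principal, verifies both owner lists, and then, signed in as the guest, attempts the credential operation the portal blocks. Whether Graph authorizes the owner is the check the question is really asking for, independent of the portal UI. The tenant ID, app display name, guest mail address and the delegated scope the guest can consent to are assumptions.

```powershell
# Added example (not from the question or from Microsoft): reproduce the ownership setup
# with the Microsoft Graph PowerShell SDK and then check, as the guest, whether the
# directory lets an owner add a client secret. Names below are assumptions.
$tenantId  = "00000000-0000-0000-0000-000000000000"   # assumed tenant ID
$appName   = "partner-daemon-client"                  # assumed app registration display name
$guestMail = "daemon-operator@partner.example"        # assumed guest user's mail attribute

# --- Step 1: as an admin, make the guest an owner of both directory objects ---
Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All","User.Read.All"

$app   = Get-MgApplication -Filter "displayName eq '$appName'"
$sp    = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
# Guest UPNs contain '#EXT#'; filtering on mail avoids escaping that in OData.
$guest = Get-MgUser -Filter "mail eq '$guestMail' and userType eq 'Guest'"

$ref = "https://graph.microsoft.com/v1.0/directoryObjects/$($guest.Id)"
New-MgApplicationOwnerByRef      -ApplicationId $app.Id     -OdataId $ref   # application object
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id -OdataId $ref   # service principal object

# Verify both owner lists really contain the guest's object ID before testing as the guest.
$appOwners = (Get-MgApplicationOwner -ApplicationId $app.Id).Id
$spOwners  = (Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id).Id
if ($appOwners -notcontains $guest.Id -or $spOwners -notcontains $guest.Id) {
    throw "Guest $guestMail is not listed as owner on both objects"
}
Disconnect-MgGraph

# --- Step 2: as the guest, try the operation the portal blocks ---
# Sign in interactively with the guest account in the resource tenant (the -TenantId
# matters; without it the guest lands in its home tenant). Delegated
# Application.ReadWrite.All is still limited by what the signed-in user is allowed to
# do in the directory, so a non-admin can only touch apps it owns. Assumption: the guest
# may consent to this scope, or an admin has pre-consented it for the SDK app.
Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All"

try {
    $secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        displayName = "rotation-test"
        endDateTime = (Get-Date).AddMonths(6)
    }
    Write-Host "Graph let the guest owner add a credential; keyId $($secret.KeyId)"
    # Do not leave the test secret behind.
    Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $secret.KeyId
} catch {
    # A 403 here means the directory itself, not just the portal UI, denies the owner.
    Write-Host "Graph denied the guest owner: $($_.Exception.Message)"
}
Disconnect-MgGraph
```

Run step 1 from an admin session and step 2 from a separate session signed in as the guest. If step 2 succeeds while the portal still refuses, the problem is in the portal's authorization check; if step 2 also returns 403, the directory does not grant the owner permission the documentation lists.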

SaurabhSharma-msft answered · 0 votes

@WoutervanVugt-4248 I have also found the same behavior in my tenant and am checking internally with the product team on this issue. I will update here once I hear back from them.


SahilMalik-1985 answered · 0 votes

Can you try adding the "Application Administrator" role to the external user and retrying?

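The role assignment suggested above, as an added example with Microsoft Graph PowerShell (not code from the answer). The point to notice is the scope argument: a directory role assignment with `directoryScopeId` of `/` applies to the whole tenant, which is why Application Administrator lets the guest edit every app registration rather than only the one it owns. The guest mail address is an assumption.

```powershell
# Added example (not from the answer): assign the built-in Application Administrator role
# to the guest with Microsoft Graph PowerShell. "/" as the directory scope is the whole
# tenant, which is why this grants rights over every app registration. Names are assumptions.
$guestMail = "daemon-operator@partner.example"   # assumed guest user's mail attribute

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

$guest = Get-MgUser -Filter "mail eq '$guestMail' and userType eq 'Guest'"
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"

$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $guest.Id `
    -DirectoryScopeId "/"          # tenant-wide scope

# Review what the guest now holds; any assignment whose DirectoryScopeId is "/" is tenant-wide.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($guest.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

# Revert after the test so the guest does not keep tenant-wide application rights.
Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
Disconnect-MgGraph
```

Keep the removal step: leaving a tenant-wide Application Administrator assignment on an external account hands that partner control over every application's credentials, not just their own.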

WoutervanVugt-4248 answered · 1 vote

Thank you, Sahil. I performed what you requested and, as I expected, this grants the guest user the permission to edit ALL app registrations. Sorry, but this does not achieve the intended goal. Thanks for getting back to me though!
