
In the Azure AD App registration, we have an ‘Owners’ tab. It shows ‘In addition to users with permission to manage any applications, the users listed here can view and edit this application registration.’ Our documentation shows ‘Change application properties, such as the name and permissions the app requests’.

Will the app owner be able to change ‘API permissions’ / ‘Grant consent’ / ‘add a permission’ etc.? If yes, how do they do that (programmatically, APIs, PowerShell module)?

App ownership image - https://i.stack.imgur.com/Wwc7T.jpg

Sunesh Es
  • If my reply is helpful, click the mark on the left of my reply to accept it as the answer. Or if you have any concerns, let me know. – Joy Wang Jul 09 '19 at 05:45

1 Answer


The app owner will be able to change/add the API permissions, but he will not be able to grant consent to the permissions which are ADMIN CONSENT REQUIRED. To require end users to consent to an application each time they authenticate, append &prompt=consent to the authentication request URL; for more details, see this doc.

To change/add the API permissions of the AD App, you could use PowerShell; refer to this post.

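```powershell
# Requires the AzureAD module and a session opened with Connect-AzureAD.
# Build the requested-permission list: one delegated permission (Scope) and one application permission (Role).
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
# 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph.
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
# Write the list to the app registration; -ObjectId is the application's object ID.
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req
```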
Joy Wang
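An added example, not part of the answer above: a review helper that lists the permissions an app registration requests and marks which ones still depend on an administrator's consent, which is the boundary the answer describes for app owners. The function name `Get-RequestedPermission`, the sample app object and the consent-type map are constructed for illustration; the permission IDs are the ones used in the answer.

```powershell
# Added example: classify the permissions requested by an app registration.
# Runs offline on constructed data shaped like Get-AzureADApplication output.
function Get-RequestedPermission {
    param(
        [Parameter(Mandatory)] $Application,   # object exposing RequiredResourceAccess
        [hashtable] $ScopeConsentType = @{}    # scope Id -> 'Admin' or 'User'
    )
    foreach ($resource in $Application.RequiredResourceAccess) {
        foreach ($access in $resource.ResourceAccess) {
            if ($access.Type -eq 'Role') {
                # Application permissions always need admin consent.
                $needsAdmin = $true
            } elseif ($ScopeConsentType.ContainsKey($access.Id)) {
                # Delegated permissions depend on the scope's consent type.
                $needsAdmin = ($ScopeConsentType[$access.Id] -eq 'Admin')
            } else {
                # Unknown scope: resolve it against the resource before deciding.
                $needsAdmin = $null
            }
            [pscustomobject]@{
                AppDisplayName       = $Application.DisplayName
                ResourceAppId        = $resource.ResourceAppId
                PermissionId         = $access.Id
                Type                 = $access.Type
                AdminConsentRequired = $needsAdmin
            }
        }
    }
}

# Constructed sample mirroring the two permissions set in the answer.
$sampleApp = [pscustomobject]@{
    DisplayName            = 'sample-app'
    RequiredResourceAccess = @(
        [pscustomobject]@{
            ResourceAppId  = '00000003-0000-0000-c000-000000000000'
            ResourceAccess = @(
                [pscustomobject]@{ Id = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'; Type = 'Scope' },
                [pscustomobject]@{ Id = '798ee544-9d2d-430c-a058-570e29e34338'; Type = 'Role' }
            )
        }
    )
}
# Constructed map; in a tenant, build it from the Id and Type of each entry in
# (Get-AzureADServicePrincipal -Filter "appId eq '<ResourceAppId>'").Oauth2Permissions
$consentMap = @{ 'e1fe6dd8-ba31-4d61-89e7-88639da4683d' = 'User' }

# Show everything that needs an admin, plus anything that could not be resolved.
Get-RequestedPermission -Application $sampleApp -ScopeConsentType $consentMap |
    Where-Object { $_.AdminConsentRequired -ne $false } | Format-Table
```

Against a live tenant, pipe `Get-AzureADApplication -All $true` through `ForEach-Object { Get-RequestedPermission -Application $_ -ScopeConsentType $consentMap }` to review every registration.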