Do not require AppRoleAssignment.ReadWrite.All for a service principal if the service principal is an Owner
It seems Service Principals that manage an Application's AppRole currently require the AppRoleAssignment.ReadWrite.All Graph role, which would grant it write permissions on all applications. This would make this Service Principal an attack vector and essentially make it impossible for a security-conscious admin to grant this role.
Graph could check that the Service Principal making an attempt to create an AppRole assignment is an Owner of the Application (like it does when a User is requesting this operation) and avoid requiring the highly-privileged AppRoleAssignment.ReadWrite.All.

1 comment
Anonymous commented
Discovered Application.ReadWrite.OwnedBy that kinda makes it a non-issue, although I don't understand why it is required, since in a large org this involves scrutiny that could be avoided because Ownership still needs to be explicitly granted.
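Following the concern in the post and the narrower permission named in the comment, this added script (not part of the thread) lists the service principals granted the tenant-wide AppRoleAssignment.ReadWrite.All so an admin can review them against Application.ReadWrite.OwnedBy. The Graph endpoints are named in comments; the responses embedded below are constructed samples, and the role ids in them are placeholders, not the real GUIDs.

```python
"""Find service principals holding AppRoleAssignment.ReadWrite.All (tenant-wide
app role assignment writes) for a least-privilege review. Constructed sample data
stands in for the two Microsoft Graph responses a live run would fetch."""

# appId of the Microsoft Graph service principal, identical in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed stand-in for GET /servicePrincipals(appId='{GRAPH_APP_ID}')?$select=id,appRoles
# Role ids are placeholders; the script resolves roles by their `value`, not by GUID.
GRAPH_SP = {
    "id": "graph-sp-object-id",
    "appRoles": [
        {"id": "role-approleassignment-rw-all", "value": "AppRoleAssignment.ReadWrite.All"},
        {"id": "role-application-rw-ownedby", "value": "Application.ReadWrite.OwnedBy"},
        {"id": "role-user-read-all", "value": "User.Read.All"},
    ],
}

# Constructed stand-in for GET /servicePrincipals/{GRAPH_SP["id"]}/appRoleAssignedTo
ASSIGNED_TO = [
    {"principalId": "sp-1", "principalDisplayName": "role-sync-job",
     "principalType": "ServicePrincipal", "appRoleId": "role-approleassignment-rw-all"},
    {"principalId": "sp-1", "principalDisplayName": "role-sync-job",
     "principalType": "ServicePrincipal", "appRoleId": "role-user-read-all"},
    {"principalId": "sp-2", "principalDisplayName": "hr-connector",
     "principalType": "ServicePrincipal", "appRoleId": "role-application-rw-ownedby"},
    {"principalId": "sp-3", "principalDisplayName": "reporting",
     "principalType": "ServicePrincipal", "appRoleId": "role-user-read-all"},
]

def role_id_for(graph_sp, permission_value):
    """Map a permission name (the appRole `value`) to its id on the Graph service principal."""
    for role in graph_sp["appRoles"]:
        if role["value"] == permission_value:
            return role["id"]
    raise KeyError(f"{permission_value} is not an appRole on Microsoft Graph")

def principals_with_permission(graph_sp, assigned_to, permission_value):
    """Return {principalId: displayName} of service principals granted the permission."""
    role_id = role_id_for(graph_sp, permission_value)
    return {a["principalId"]: a["principalDisplayName"] for a in assigned_to
            if a["appRoleId"] == role_id and a["principalType"] == "ServicePrincipal"}

def broad_grants_to_review(graph_sp=GRAPH_SP, assigned_to=ASSIGNED_TO):
    """Display names of service principals holding AppRoleAssignment.ReadWrite.All.
    Each is a candidate for the owner-scoped Application.ReadWrite.OwnedBy instead."""
    broad = principals_with_permission(graph_sp, assigned_to, "AppRoleAssignment.ReadWrite.All")
    return sorted(broad.values())
```

Calling `broad_grants_to_review()` on the sample data returns only `role-sync-job`; against live data, replace the two constants with the parsed JSON of the endpoints named in the comments.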