Add group as owner on Azure AD Application and Service Principal
When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.
Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN); however, it's not possible to add a Group.
When you try to do this, you get the following error message:
```
PS C:\> Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
Code: RequestBadRequest
Message: The reference target 'Group<removed>' of type 'Group' is invalid for the 'owners' reference.
RequestId: <removed>
DateTimeStamp: Wed, 10 Apr 2019 09:48:42 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADApplicationOwner -ObjectId <removed> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureADApplicationOwner], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddApplicationOwner
```
To simplify the JML process, and ensure Application and Service Principal objects don't become "orphaned", please provide support for adding AD Security Groups as Owners.

8 comments
-
Tapas Udenia commented
I got around this by using the object ID from the Enterprise Application as the Owner Object ID in place of using the Object ID from App Registration. Please select the Object ID carefully.
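Added example, not part of this feedback thread and not Microsoft's code: a script that approximates "group as owner" with the AzureAD PowerShell module the original post uses. It mirrors a security group's user members onto the owner lists of both the App Registration (application object) and its Enterprise Application (service principal, resolved through the shared appId, which is the object-ID distinction the comment above points at), reports owners that are not group members instead of removing them, and lists objects with no owner at all, the "orphaned" state the request warns about. `$GroupObjectId` and `$AppObjectId` are placeholders; the script assumes an existing `Connect-AzureAD` session and the standard AzureAD cmdlets (`Get-AzureADGroupMember`, `Get-/Add-AzureADApplicationOwner`, `Get-/Add-AzureADServicePrincipalOwner`).

```powershell
# Added example, not from the feedback thread or from Microsoft. Mirrors a security
# group's user members onto the owner lists of an App Registration and its
# Enterprise Application, reports drift, and lists ownerless objects.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
# $GroupObjectId and $AppObjectId are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $GroupObjectId,   # security group whose members should own the app
    [Parameter(Mandatory)] [string] $AppObjectId      # object ID of the App Registration (application object)
)

# The App Registration and the Enterprise Application are two objects with two
# different object IDs sharing one appId. Each has its own owner list, and the
# *-ServicePrincipalOwner cmdlets want the service principal's object ID.
$app = Get-AzureADApplication -ObjectId $AppObjectId
$sp  = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "No service principal found for appId $($app.AppId)" }

# Only user members are mirrored. Nested groups are skipped because a group is
# rejected as an owner (the RequestBadRequest error in the original post), and
# service-principal members are left out so that workload identities are not made
# owners without an explicit decision.
$wanted = @(Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' })

function Sync-OwnerList {
    param(
        [string]   $TargetId,    # object ID of the application or service principal
        [object[]] $Current,     # owner objects currently on the target
        [object[]] $Wanted,      # desired owner objects (the group's user members)
        [string]   $AddCommand   # Add-AzureADApplicationOwner or Add-AzureADServicePrincipalOwner
    )
    $currentIds = @($Current | ForEach-Object { $_.ObjectId })
    $wantedIds  = @($Wanted  | ForEach-Object { $_.ObjectId })

    foreach ($member in $Wanted) {
        if ($currentIds -notcontains $member.ObjectId) {
            & $AddCommand -ObjectId $TargetId -RefObjectId $member.ObjectId
            Write-Output "Added owner $($member.UserPrincipalName) to $TargetId"
        }
    }
    # Owners outside the group are reported, not removed: they may have been added
    # deliberately, and silently stripping owners is how objects become orphaned.
    foreach ($owner in $Current) {
        if ($wantedIds -notcontains $owner.ObjectId) {
            Write-Warning "Owner $($owner.ObjectId) of $TargetId is not a member of group $GroupObjectId"
        }
    }
}

Sync-OwnerList -TargetId $app.ObjectId `
    -Current @(Get-AzureADApplicationOwner -ObjectId $app.ObjectId -All $true) `
    -Wanted $wanted -AddCommand 'Add-AzureADApplicationOwner'
Sync-OwnerList -TargetId $sp.ObjectId `
    -Current @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId -All $true) `
    -Wanted $wanted -AddCommand 'Add-AzureADServicePrincipalOwner'

# Ownerless applications and service principals across the tenant. This walks every
# object and queries its owners, so it is slow in a large tenant; run it as a
# scheduled report rather than interactively.
$orphans = @(Get-AzureADApplication -All $true) + @(Get-AzureADServicePrincipal -All $true) |
    Where-Object {
        $owners = if ($_.ObjectType -eq 'Application') {
            Get-AzureADApplicationOwner -ObjectId $_.ObjectId
        } else {
            Get-AzureADServicePrincipalOwner -ObjectId $_.ObjectId
        }
        -not $owners
    }
$orphans | Select-Object ObjectType, DisplayName, ObjectId
```

Run it on a schedule per group-to-application mapping so that joiners in the group gain ownership automatically; leavers show up as warnings for a human to review, since removing an owner unattended can leave the object with none. The same two-object distinction (application versus service principal, separate owner lists) carries over unchanged if the script is ported to the Microsoft Graph PowerShell cmdlets.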
-
Tapas Udenia commented
Has this been implemented yet? Because I am getting the same error. I am trying to add a Service Principal as owner of another Service Principal.
-
Brett Hinton commented
This is critical to managing application owner/service principals at scale
-
Bolan, Richard commented
-
Eldar Sehayek commented
We need to do the same thing as well, so we can rotate security owners in a centralized manner via groups.
-
gustavo commented
We need to do the same thing.
-
Jan commented
Yes, this is absolutely needed.
We have a team that owns many applications and groups. To allow all team members to maintain their objects, and for admins to see who owns them, we currently have to add each user one by one on each app, SP and group. And when a team member changes, we have to find and change all objects again.
Being able to add a group as owner would be really helpful.
-
Padre880 commented
Hello,
I am actually looking at doing the same thing.
I want to add a group as owner of another group that has licenses assigned to it.
Is there a way to do this?