Add group as owner on Azure AD Application and Service Principal
When managing Application and Service Principal objects in Azure Active Directory, it's difficult to provide granular access controls.
Azure currently supports adding "Users" as Owners through the Azure Portal, and we can also assign other "Service Principals" as Owners using PowerShell (or by creating the new SPN with an existing SPN); however, it's not possible to add a Group.
When you try to do this, you get the following error message:
PS C:> Add-AzureADApplicationOwner -ObjectId <removed> -RefObjectId <removed>
Add-AzureADApplicationOwner : Error occurred while executing AddApplicationOwner
Message: The reference target 'Group<removed>' of type 'Group' is invalid for the 'owners' reference.
DateTimeStamp: Wed, 10 Apr 2019 09:48:42 GMT
HttpStatusDescription: Bad Request
At line:1 char:1
+ Add-AzureADApplicationOwner -ObjectId <removed> ...
+ CategoryInfo : NotSpecified: (:) [Add-AzureADApplicationOwner], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddApplicationOwner
To simplify the JML process, and ensure Application and Service Principal objects don't become "orphaned", please provide support for adding AD Security Groups as Owners.
Tapas Udenia commented
I got around this by using the object ID from the Enterprise Application as the Owner Object ID in place of using the Object ID from App Registration. Please select the Object ID carefully.
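The same workflow from a defender's side, as an added PowerShell example that is not part of the original post or of the comments: it lists App Registrations that have no owner at all (the "orphaned" objects the request mentions), checks that the intended owner is a User or a Service Principal before calling the cmdlet (a Group is what triggers the "invalid for the 'owners' reference" error quoted above), and, for a service principal owner, uses the Object ID of the Enterprise Application as the comment describes. The placeholder IDs and an existing AzureAD module session are assumptions.

```powershell
# Added example (not from the feedback post or its comments).
# Assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.
# <APP-OBJECT-ID> and <ENTERPRISE-APP-OBJECT-ID> are placeholders to be replaced.

Import-Module AzureAD
Connect-AzureAD | Out-Null

# 1. Inventory: App Registrations with no owner at all ("orphaned" objects),
#    which is the lifecycle risk the request is about.
$orphaned = Get-AzureADApplication -All $true | Where-Object {
    -not (Get-AzureADApplicationOwner -ObjectId $_.ObjectId -All $true)
}
$orphaned | Select-Object DisplayName, AppId, ObjectId | Format-Table -AutoSize

# 2. Resolve the object that should become the owner. For a service principal this
#    must be the Object ID shown under Enterprise Applications (the service principal),
#    not the Object ID of the App Registration.
$ownerObjectId = '<ENTERPRISE-APP-OBJECT-ID>'   # placeholder
$owner = Get-AzureADObjectByObjectId -ObjectIds $ownerObjectId

# 3. Guard: only User and ServicePrincipal objects are accepted as owners; a Group
#    produces the "invalid for the 'owners' reference" error quoted in the post.
if ($owner.ObjectType -notin @('User', 'ServicePrincipal')) {
    throw "Object $ownerObjectId is of type '$($owner.ObjectType)'; only User or ServicePrincipal can be an owner."
}

# 4. Add the owner to both the App Registration and its Service Principal so that
#    neither object is left without an owner.
$appObjectId = '<APP-OBJECT-ID>'   # placeholder
$app = Get-AzureADApplication -ObjectId $appObjectId
Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $owner.ObjectId

$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if ($sp) {
    Add-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId -RefObjectId $owner.ObjectId
}

# 5. Verify the resulting owner list on the App Registration.
Get-AzureADApplicationOwner -ObjectId $app.ObjectId |
    Select-Object ObjectType, DisplayName, ObjectId
```

Step 1 is the part worth scheduling: running the orphan inventory on a regular basis surfaces applications whose only owner has left before the object becomes unmanageable, which is the gap group ownership would otherwise close.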
Tapas Udenia commented
Has this been implemented yet? I am getting the same error; I am trying to add a Service Principal as owner of another Service Principal.
Brett Hinton commented
This is critical to managing application owners/service principals at scale.
Bolan, Richard commented
Eldar Sehayek commented
We need to do the same thing as well, so we can rotate security owners in centralized manner via groups
We need to do the same thing.
Yes, this is absolutely needed.
We have a team that owns many applications and groups. To allow all team members to maintain their objects, and for admins to see who owns them, we currently have to add each user one by one on each app, SP and group. And when a team member changes, we have to find and change all objects again.
Being able to add a group as owner would be really helpful.
I am actually looking at doing the same thing.
I want to add a group as owner of another group that has licenses assigned to it.
Is there a way to do this?