Assign Application.ReadWrite and AppRoleAssignment permissions for a specific App registration


I have an application registration in Azure AD. This application has a lot of app roles defined.

Now I want the Web App (that runs under a managed identity) to be able to add and update application roles and add users to them.

I have everything working right now, but the permissions are way too broad. I have set the App Registration API permissions to:

  • Application.ReadWrite.All - Application - Read and write all applications
  • AppRoleAssignment.ReadWrite.All - Application - Manage app permission grants and app role assignments

But then you have the right to write all applications and all app role assignments.

I have been looking and reading a lot, but is it possible to grant these permissions only to this application in some way?

So that the managed identity can only read and write app roles and app role assignments for this application registration?

It's all working great now; I can add users, create roles etc. But I would like to narrow down the permissions, and I seem to be missing the correct Google terms for it.


Answer by Rukmini:

Note that Microsoft Graph API permissions are tenant wide and cannot be narrowed down or restricted to a single Azure AD application.

I granted the below API permissions to the managed identity and was able to access all the applications.

  • Complete/full level access permissions are given to the managed identity if it is granted Microsoft Graph application type permissions.
  • You can try granting the Application.ReadWrite.OwnedBy permission, which allows managing apps that this application creates or owns. Refer to this SO thread by me.

Hence, as a workaround, you can create an application using the managed identity and then grant the Application.ReadWrite.OwnedBy permission to the managed identity.

  • By doing this, the managed identity will be able to access the applications which are owned by it.

Reference:

Limit permissions to update a single Azure AD group via API - Microsoft Q&A by ShivaniRai-MSFT
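The following Microsoft Graph PowerShell script is an added example, not part of the question or the answer above, showing the ownership-scoped workaround the answer describes: grant the managed identity Application.ReadWrite.OwnedBy, make it an owner of the one app registration it has to manage, and drop the tenant-wide Application.ReadWrite.All assignment. It goes slightly beyond the answer in that it adds the managed identity as an owner of an existing app registration rather than having the managed identity create a new one. The object-id values are placeholders; the Microsoft Graph appId is the well-known constant used in every tenant. Running it requires the Microsoft.Graph module and an operator who themselves holds the two *.All permissions.

```powershell
# Added example (not the asker's or answerer's code). Placeholders to fill in:
$ManagedIdentityObjectId = '<object-id-of-the-web-app-managed-identity>'   # placeholder: service principal object id
$AppRegistrationObjectId = '<object-id-of-the-app-registration>'          # placeholder: Application object id (not the appId)

# The operator running this needs the broad permissions once; the managed identity will not.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Microsoft Graph's own service principal; its appId is the same well-known value in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the application (not delegated) app role for Application.ReadWrite.OwnedBy.
$ownedByRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'Application.ReadWrite.OwnedBy' -and $_.AllowedMemberTypes -contains 'Application' }

# 1. Grant the narrower permission to the managed identity's service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId `
    -PrincipalId $ManagedIdentityObjectId -ResourceId $graphSp.Id -AppRoleId $ownedByRole.Id

# 2. Make the managed identity an owner of the existing app registration, so OwnedBy applies to it.
#    (Assumption: adding ownership of an existing app, instead of the answer's "create it via the MI".)
New-MgApplicationOwnerByRef -ApplicationId $AppRegistrationObjectId `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$ManagedIdentityObjectId" }

# 3. Remove the tenant-wide Application.ReadWrite.All assignment, now that OwnedBy replaces it.
#    AppRoleAssignment.ReadWrite.All is left in place: the page offers no owner-scoped replacement for it.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId
foreach ($a in $assignments) {
    $roleId = $a.AppRoleId
    $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }
    if ($a.ResourceId -eq $graphSp.Id -and $role.Value -eq 'Application.ReadWrite.All') {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId -AppRoleAssignmentId $a.Id
    }
}

# 4. Verify: list the Graph application permissions the managed identity still holds.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentityObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

# 5. Verify: confirm the managed identity now appears among the app registration's owners.
Get-MgApplicationOwner -ApplicationId $AppRegistrationObjectId | Select-Object -ExpandProperty Id
```

After step 4 the output should list Application.ReadWrite.OwnedBy and AppRoleAssignment.ReadWrite.All but no longer Application.ReadWrite.All, and step 5 should include the managed identity's object id. Writes to app roles on any app registration the managed identity does not own will then be refused by Graph, which is the containment the question asks for on the application side.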