Add an App Registration as an owner of another App Registration in Azure

Imagine the following scenario on Azure. You have an App Registration A which should be able to administrate another App Registration B. For that, A has to be made an owner of B. However, in the Azure Portal it is only possible to add a real user as an owner, not a Service Principal, which in our case is what App Registration A is.

We will have to use an Azure CLI command to achieve our goal. Before diving into the solution, let us first understand what an App Registration and an Enterprise Application are, since we are going to use their IDs.

The difference between an App Registration and an Enterprise Application

An App Registration in Azure is a configuration that defines how an application integrates with your Azure Entra ID. It gives the application an identity, the Application (Client) ID, and allows it to authenticate and access Azure resources or APIs.

An Enterprise Application is the service principal representation of an App Registration in a specific Azure Entra ID tenant.

When a new App Registration is created, Azure automatically creates an Enterprise Application in the tenant where the app is registered. So the relationship is 1 App Registration to N Enterprise Applications. The Enterprise Application is what allows the app to interact with resources in that tenant. Each Enterprise Application has a unique Object ID.

How to define an Enterprise Application as an owner

In our scenario we want to make the App Registration A an owner of the App Registration B, so we are going to use two IDs for that:

  1. The Application (Client) ID of App Registration B, the one that is going to be owned. You can find this ID in the Azure Portal by opening the App Registration.
  2. The Object ID of the Enterprise Application of App Registration A, the one that is going to be the owner. You can find this ID by following the link from App Registration A to its Enterprise Application in the current tenant.

[Figure: The object ID of an Enterprise Application in Azure]

We now have the needed GUIDs and we will use the following Azure CLI command:

az ad app owner add \
    --id <application-client-id-of-the-app-registration-B> \
    --owner-object-id <object-id-of-the-enterprise-application-A>

What happens if you use the wrong IDs?

The most common error that arises if you mix up or use the wrong IDs in the previous az command is: "The reference target 'XXX' of type 'Application' is invalid for the 'owners' reference."

If that is the case, review the IDs and use the ones defined in the previous section.
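As an added example (not part of the original post), the following Python script builds the az command from the JSON that `az ad app show` and `az ad sp show` return, tells you which of A's GUIDs you passed when the owner ID is wrong, and checks `az ad app owner list` output afterwards. The sample JSON and GUIDs are constructed placeholders, and the field names `appId` and `id` are assumed from the Azure CLI's Graph-based output.

```python
import json
import subprocess

# Constructed sample JSON shaped like `az ad app show` / `az ad sp show` output.
# The GUIDs are placeholders, not real identifiers.
APP_B = {"appId": "11111111-aaaa-4bbb-8ccc-000000000001", "id": "22222222-aaaa-4bbb-8ccc-000000000002"}
APP_A = {"appId": "33333333-aaaa-4bbb-8ccc-000000000003", "id": "44444444-aaaa-4bbb-8ccc-000000000004"}
SP_A = {"appId": APP_A["appId"], "id": "55555555-aaaa-4bbb-8ccc-000000000005"}
# Constructed `az ad app owner list --id <B>` output once A's service principal owns B.
OWNERS_AFTER = [{"id": SP_A["id"], "displayName": "A"}]


def az_show(kind: str, identifier: str) -> dict:
    """Fetch real JSON after `az login`: kind is 'app' or 'sp'; `az ad sp show --id` accepts the appId of A."""
    out = subprocess.run(["az", "ad", kind, "show", "--id", identifier, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def owner_ids(app_b: dict, sp_a: dict) -> tuple:
    """The two GUIDs the command needs: Application (Client) ID of B and Object ID of A's service principal."""
    return app_b["appId"], sp_a["id"]


def build_add_command(app_b: dict, sp_a: dict) -> list:
    """argv for `az ad app owner add`, ready for subprocess.run(cmd, check=True)."""
    client_id_b, sp_object_id_a = owner_ids(app_b, sp_a)
    return ["az", "ad", "app", "owner", "add", "--id", client_id_b, "--owner-object-id", sp_object_id_a]


def diagnose_owner_id(owner_id: str, app_a: dict, sp_a: dict) -> str:
    """Name which of A's GUIDs was passed, to trace the 'invalid for the owners reference' error."""
    if owner_id == sp_a["id"]:
        return "ok: Object ID of A's Enterprise Application (service principal)"
    if owner_id == app_a["id"]:
        return "wrong: Object ID of App Registration A; use the Enterprise Application's Object ID"
    if owner_id == app_a["appId"]:
        return "wrong: Application (Client) ID of A; use the Enterprise Application's Object ID"
    return "wrong: GUID matches none of A's identifiers"


def is_owner(owners: list, sp_object_id: str) -> bool:
    """True if the service principal's Object ID appears in `az ad app owner list` output."""
    return any(o.get("id") == sp_object_id for o in owners)


if __name__ == "__main__":
    # Offline demo on the constructed samples; replace them with az_show("app", ...) / az_show("sp", ...) for a real run.
    print(" ".join(build_add_command(APP_B, SP_A)))
    print(diagnose_owner_id(APP_A["id"], APP_A, SP_A))
    print("A owns B:", is_owner(OWNERS_AFTER, SP_A["id"]))
```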
