Add an Enterprise Application (a.k.a. Service Principal) as owner of an App Registration

Imagine the following scenario on Azure: you have an App Registration A that should be able to administer another App Registration B. For that, App Registration A needs to be made an owner of App Registration B. However, in the Azure Portal it is only possible to add a real user as an owner, not a Service Principal (in this case, the one belonging to App Registration A).

In this article, we’ll use an Azure CLI command to achieve our goal. But first, let’s clarify the difference between an App Registration and its associated Enterprise Application.

The difference between an App Registration and an Enterprise Application

  1. App Registration: An App Registration in Azure is a configuration that defines how an application integrates with Azure Active Directory (Azure AD). It provides the application with an identity (Application ID or Client ID) that allows it to authenticate and access Azure resources or APIs. These are often used by applications that need user authentication or automated tasks.

  2. Enterprise Application: The Enterprise Application is the service principal representation of an App Registration in a specific Azure AD tenant. Once you create an App Registration, Azure automatically generates the corresponding Enterprise Application in the tenant. The Enterprise Application is the entity that lets the app interact with resources in that tenant.

Steps to Add a Service Principal as an Owner

Use the following Azure CLI command to add a service principal as an owner to an app registration:

az ad app owner add --id <application-id-of-the-app-registration> --owner-object-id <object-id-of-the-service-principal>

The two values used in the az command are the application (client) ID of the app registration, passed to --id, and the object ID of the service principal that should become the owner, passed to --owner-object-id. Note that the second value is the object ID of the service principal (the Enterprise Application), not its application ID.

Example

If the application ID of the app registration is a79beec5-b173-aaaa-bbbb-5ee6f9fa78e6 and the object ID of the service principal is d8e0f13c-7795-aaaa-bbbb-16587c56d2f4, the command would look like this:

az ad app owner add --id a79beec5-b173-aaaa-bbbb-5ee6f9fa78e6 --owner-object-id d8e0f13c-7795-aaaa-bbbb-16587c56d2f4
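As an added example (not code from the original article), the following script wraps the command above in a small workflow: it resolves the owner service principal's object ID from its application (client) ID, validates that both values are GUIDs (the mistake the page's placeholders invite), skips the add if the owner is already present, and lists the owners afterwards. It assumes an Azure CLI that is already logged in with sufficient rights, and that az ad sp show --query id returns the object ID (the Microsoft Graph-based CLI).

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Assumes `az login` was done.
set -eu

# Returns 0 if the argument looks like an Azure GUID, 1 otherwise. This catches
# placeholders such as 12345-abcde-67890-fghij or a display name pasted by mistake.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Resolves the object ID of the service principal (Enterprise Application) that
# belongs to the given application (client) ID. `--id` accepts an app ID here.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# add_sp_as_owner <client ID of app registration B> <client ID of app registration A>
# Makes A's service principal an owner of B, then prints B's owner list.
add_sp_as_owner() {
  app_id="$1"
  owner_app_id="$2"
  is_guid "$app_id" || { echo "not a GUID: $app_id" >&2; return 1; }
  is_guid "$owner_app_id" || { echo "not a GUID: $owner_app_id" >&2; return 1; }

  owner_oid="$(sp_object_id "$owner_app_id")"
  is_guid "$owner_oid" || { echo "no service principal found for $owner_app_id" >&2; return 1; }

  # Idempotency check: adding an existing owner fails, so look it up first.
  if az ad app owner list --id "$app_id" --query "[?id=='$owner_oid'].id" -o tsv | grep -q .; then
    echo "service principal $owner_oid is already an owner of $app_id"
  else
    az ad app owner add --id "$app_id" --owner-object-id "$owner_oid"
    echo "added service principal $owner_oid as owner of $app_id"
  fi

  # Verify: the new owner should show up with its display name.
  az ad app owner list --id "$app_id" --query "[].{id:id, name:displayName}" -o table
}

# Run only when invoked with both client IDs on the command line.
if [ "$#" -eq 2 ]; then
  add_sp_as_owner "$1" "$2"
fi
```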

Additional Resources

For further information, see this Stack Overflow discussion.
