Enterprise application permissions for custom roles in Microsoft Entra ID
This article contains the currently available enterprise application permissions for custom role definitions in Microsoft Entra ID. In this article, you'll find permission lists for some common scenarios and the full list of enterprise app permissions.
License requirements
Using this feature requires Microsoft Entra ID P1 licenses. To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.
Enterprise application permissions
For more information about how to use these permissions, see Assign custom roles to manage enterprise apps
Assigning users or groups to an application
To delegate the assignment of user and groups that can access SAML based single sign-on applications. Permissions required
- microsoft.directory/servicePrincipals/appRoleAssignedTo/update
Creating gallery applications
To delegate the creation of Microsoft Entra Gallery applications such as ServiceNow, F5, Salesforce, among others. Permissions required:
- microsoft.directory/applicationTemplates/instantiate
Configuring basic SAML URLs
To delegate the update and read of basic SAML Configurations for SAML based single sign-on applications. Permissions required:
- microsoft.directory/servicePrincipals/authentication/update
- microsoft.directory/applications.myOrganization/authentication/update
Rolling over or creating signing certs
To delegate the management of signing certificates for SAML based single sign-on applications. Permissions required.
microsoft.directory/servicePrincipals/credentials/update
Update expiring sign-in cert notification email address
To delegate the update of expiring sign-in certificates notification email addresses for SAML based single sign-on applications. Permissions required:
- microsoft.directory/applications.myOrganization/authentication/update
- microsoft.directory/applications.myOrganization/permissions/update
- microsoft.directory/servicePrincipals/authentication/update
- microsoft.directory/servicePrincipals/basic/update
Manage SAML token signature and Sign-in algorithm
To delegate the update of the SAML token signature and sign-in algorithm for SAML based single sign-on applications. Permissions required:
- microsoft.directory/applicationPolicies/basic/update
- microsoft.directory/applications/authentication/update
- microsoft.directory/servicePrincipals/policies/update
Manage user attributes and claims
To delegate the create, delete, and update of user attributes and claims for SAML based single sign-on applications. Permissions required:
- microsoft.directory/applicationPolicies/basic/update
- microsoft.directory/applications/authentication/update
- microsoft.directory/servicePrincipals/policies/update
App provisioning permissions
Performing any write operation such as managing the job, schema, or credentials through the UI will also require the read permissions to view the provisioning page.
Setting the scope to all users and groups or assigned users and groups currently requires both the synchronizationJob and synchronizationCredentials permissions.
Turn on or restart provisioning jobs
To delegate ability to turn on, off and restart provisioning jobs. Permissions required:
- microsoft.directory/servicePrincipals/synchronizationJobs/manage
Configure the provisioning schema
To delegate updates to attribute mapping. Permissions required:
- microsoft.directory/servicePrincipals/synchronizationSchema/manage
Read provisioning settings associated with the application object
To delegate ability to read provisioning settings associated with the object. Permissions required:
- microsoft.directory/applications/synchronization/standard/read
Read provisioning settings associated with your service principal
To delegate ability to read provisioning settings associated with your service principal. Permissions required:
- microsoft.directory/servicePrincipals/synchronization/standard/read
Authorize application access for provisioning
To delegate ability to authorize application access for provisioning. Example input Oauth bearer token. Permissions required:
- microsoft.directory/servicePrincipals/synchronizationCredentials/manage
Application Proxy permissions
Performing any write operations to the Application Proxy properties of the application also requires the permissions to update the application's basic properties and authentication.
To read and perform any write operations to the Application Proxy properties of the application also requires the read permissions to view connector groups as this is part of the list of properties shown on the page.
Delegate Application Proxy connector management
To delegate create, read, update, and delete actions for connector management. Permissions required:
- microsoft.directory/connectorGroups/allProperties/read
- microsoft.directory/connectorGroups/allProperties/update
- microsoft.directory/connectorGroups/create
- microsoft.directory/connectorGroups/delete
- microsoft.directory/connectors/allProperties/read
- microsoft.directory/connectors/create
Delegate Application Proxy settings management
To delegate create, read, update, and delete actions for Application Proxy properties on an app. Permissions required:
- microsoft.directory/applications/applicationProxy/read
- microsoft.directory/applications/applicationProxy/update
- microsoft.directory/applications/applicationProxyAuthentication/update
- microsoft.directory/applications/applicationProxySslCertificate/update
- microsoft.directory/applications/applicationProxyUrlSettings/update
- microsoft.directory/applications/basic/update
- microsoft.directory/applications/authentication/update
- microsoft.directory/connectorGroups/allProperties/read
Read Application Proxy Settings for an app
To delegate read permissions for Application Proxy properties on an app. Permissions required:
- microsoft.directory/applications/applicationProxy/read
- microsoft.directory/connectorGroups/allProperties/read
Update URL configuration Application Proxy settings for an app
To delegate create, read, update, and delete (CRUD) permissions for updating the Application Proxy external URL, internal URL, and SSL certificate properties. Permissions required:
- microsoft.directory/applications/applicationProxy/read
- microsoft.directory/connectorGroups/allProperties/read
- microsoft.directory/applications/basic/update
- microsoft.directory/applications/authentication/update
- microsoft.directory/applications/applicationProxyAuthentication/update
- microsoft.directory/applications/applicationProxySslCertificate/update
- microsoft.directory/applications/applicationProxyUrlSettings/update
Full list of permissions
Permission | Description |
---|---|
microsoft.directory/applicationPolicies/allProperties/read | Read all properties (including privileged properties) on application policies |
microsoft.directory/applicationPolicies/allProperties/update | Update all properties (including privileged properties) on application policies |
microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies |
microsoft.directory/applicationPolicies/create | Create application policies |
microsoft.directory/applicationPolicies/createAsOwner | Create application policies, and creator is added as the first owner |
microsoft.directory/applicationPolicies/delete | Delete application policies |
microsoft.directory/applicationPolicies/owners/read | Read owners on application policies |
microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies |
microsoft.directory/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list |
microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
microsoft.directory/servicePrincipals/allProperties/allTasks | Create and delete service principals, and read and update all properties |
microsoft.directory/servicePrincipals/allProperties/read | Read all properties (including privileged properties) on servicePrincipals |
microsoft.directory/servicePrincipals/allProperties/update | Update all properties (including privileged properties) on servicePrincipals |
microsoft.directory/servicePrincipals/appRoleAssignedTo/read | Read service principal role assignments |
microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
microsoft.directory/servicePrincipals/appRoleAssignments/read | Read role assignments assigned to service principals |
microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals |
microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals |
microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals |
microsoft.directory/servicePrincipals/create | Create service principals |
microsoft.directory/servicePrincipals/createAsOwner | Create service principals, with creator as the first owner |
microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals |
microsoft.directory/servicePrincipals/delete | Delete service principals |
microsoft.directory/servicePrincipals/disable | Disable service principals |
microsoft.directory/servicePrincipals/enable | Enable service principals |
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals |
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read | Read delegated permission grants on service principals |
microsoft.directory/servicePrincipals/owners/read | Read owners of service principals |
microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |
microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
microsoft.directory/servicePrincipals/policies/read | Read policies of service principals |
microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
microsoft.directory/servicePrincipals/standard/read | Read basic properties of service principals |
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |
microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates |
microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
microsoft.directory/applications/applicationProxy/read | Read all application proxy properties |
microsoft.directory/applications/applicationProxy/update | Update all application proxy properties |
microsoft.directory/applications/applicationProxyAuthentication/update | Update authentication on all types of applications |
microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy |
microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy |
microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
microsoft.directory/connectorGroups/create | Create private network connector groups |
microsoft.directory/connectorGroups/delete | Delete private network connector groups |
microsoft.directory/connectorGroups/allProperties/read | Read all properties of private network connector groups |
microsoft.directory/connectorGroups/allProperties/update | Update all properties of private network connector groups |
microsoft.directory/connectors/create | Create private network connectors |
microsoft.directory/connectors/allProperties/read | Read all properties of private network connectors |
microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs |
microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema |