Microsoft Entra Built-In roles on App registration

Did you know that you can assign Microsoft Entra built-in roles to an app registration?

Microsoft has made it possible to assign built-in Entra roles to app registrations, in addition to the fine-grained API permissions for services such as Microsoft Graph, Azure Storage, etc.
This makes daily life easier for us engineers, as well as for developers and anyone else who uses app registrations. It is no longer necessary to laboriously search for the correct permission by trial and error; instead you can select the corresponding Microsoft Entra built-in role and permanently assign it to the app registration.

How can this be implemented?
To do this, first create the app registration, then go to Microsoft Entra ID > Roles and administrators > select the built-in role > Add assignment > Select members > app registration name.


What you should not ignore with this way of setting app registration permissions is the Zero Trust concept. With a Microsoft Entra built-in role, you tend to give the app registration more permissions than it really needs. If you have a strong focus on Zero Trust in your environment, please consider whether you can grant the required permissions in a more granular way via Microsoft Graph or another option.
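To keep track of which apps hold such roles, the following added example (not part of the original post) audits role assignments and lists the ones held by service principals, riskiest first. It runs on constructed sample data shaped like the Microsoft Graph `roleManagement/directory` responses; all ids, the app names and the `HIGH_PRIVILEGE` set are assumptions for illustration.

```python
# Constructed sample data shaped like Microsoft Graph responses (not real tenant data):
#   GET /roleManagement/directory/roleDefinitions
#   GET /roleManagement/directory/roleAssignments?$expand=principal
# All ids below are placeholders.
ROLE_DEFINITIONS = [
    {"id": "def-1", "displayName": "Global Administrator", "isBuiltIn": True},
    {"id": "def-2", "displayName": "User Administrator", "isBuiltIn": True},
    {"id": "def-3", "displayName": "Directory Readers", "isBuiltIn": True},
    {"id": "def-4", "displayName": "Helpdesk Administrator", "isBuiltIn": True},
]
SP = "#microsoft.graph.servicePrincipal"
ROLE_ASSIGNMENTS = [
    {"roleDefinitionId": "def-1", "directoryScopeId": "/",
     "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin User"}},
    {"roleDefinitionId": "def-2", "directoryScopeId": "/",
     "principal": {"@odata.type": SP, "displayName": "hr-sync-app", "appId": "app-0001"}},
    {"roleDefinitionId": "def-3", "directoryScopeId": "/",
     "principal": {"@odata.type": SP, "displayName": "reporting-app", "appId": "app-0002"}},
    {"roleDefinitionId": "def-4", "directoryScopeId": "/administrativeUnits/au-0001",
     "principal": {"@odata.type": SP, "displayName": "helpdesk-bot", "appId": "app-0003"}},
]
# Assumption: the roles this reviewer treats as too broad for an unattended app.
HIGH_PRIVILEGE = {"Global Administrator", "User Administrator",
                  "Privileged Role Administrator", "Application Administrator"}

def audit_app_role_assignments(assignments, definitions, high_privilege=HIGH_PRIVILEGE):
    """Return built-in role assignments held by service principals, riskiest first."""
    roles = {d["id"]: d for d in definitions}
    findings = []
    for a in assignments:
        principal = a.get("principal") or {}
        if principal.get("@odata.type") != SP:
            continue  # users and groups are out of scope for this check
        role = roles.get(a["roleDefinitionId"])
        if role is not None and not role.get("isBuiltIn"):
            continue  # custom roles are reviewed separately
        name = role["displayName"] if role else f"unknown role {a['roleDefinitionId']}"
        tenant_wide = a.get("directoryScopeId") == "/"
        findings.append({
            "app": principal.get("displayName"), "appId": principal.get("appId"),
            "role": name, "scope": a.get("directoryScopeId"), "tenant_wide": tenant_wide,
            # Unknown roles are flagged too, so a missing definition never hides a grant.
            "review": "high" if (role is None or name in high_privilege) else "normal",
        })
    findings.sort(key=lambda f: (f["review"] != "high", not f["tenant_wide"], f["app"] or ""))
    return findings

if __name__ == "__main__":
    for f in audit_app_role_assignments(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f"{f['review']:6} {f['app']:14} {f['role']:24} scope={f['scope']}")
```

Assignments flagged `high` with scope `/` are the first candidates for replacement with granular Microsoft Graph permissions.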
