You have an application and you want it, once authenticated, to be able to update its own properties, such as its Client Secret or Certificate.
The Application.ReadWrite.OwnedBy permission allows the application to manage the applications that it is an owner of. In other words, for the application to update its own properties, it has to be an owner of itself. You can do this using the Microsoft Graph API:
For more information about Application.ReadWrite.OwnedBy:
Let’s get started!
Grab the Application Object ID (Not the Application ID):
- Within the Azure portal @ https://portal.azure.com
- Navigate to Azure Active Directory, then to App Registrations (not Enterprise applications)
- Find your app and observe the Object ID as shown below. We will need this later.

Grab the ServicePrincipal Object ID
- Within the Azure portal @ https://portal.azure.com
- Navigate to Azure Active Directory, then to Enterprise applications (not App registrations)
- Find your app and observe the Object ID as shown below. We will need this later.

Add the application as an owner of itself using Microsoft Graph Explorer and the Microsoft Graph API
- Go to https://developer.microsoft.com/en-us/graph/graph-explorer
- Sign in with a user who has the permissions to update application owners, such as a Global or Application Administrator.
- The Microsoft Graph API call will look something like this:
POST https://graph.microsoft.com/v1.0/applications/{application-object-id}/owners/$ref
Content-type: application/json

{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{service-principal-id}"
}
So, in Microsoft Graph Explorer, it would look something like this:

If you get a Forbidden – 403 message such as:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2021-12-09T17:41:54",
      "request-id": "b1909fc0-aa5c-4b43-8a1f-xxxxxxxxxxxx",
      "client-request-id": "836e08bb-a12d-4ade-c761-xxxxxxxxxxxx"
    }
  }
}
You may need to consent to API permissions for Microsoft Graph Explorer. Click on Modify permissions and consent to one of the following permissions:
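
The owner-assignment call from the steps above, as an added Python example rather than code from the original post: it builds the same POST without sending it, rejects malformed or duplicated object IDs, checks an owners listing for the service principal, and summarises the 403 case. The function names, the GUID check and the use of GET /applications/{id}/owners for verification are assumptions of this example.

```python
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_add_owner_request(token, app_object_id, sp_object_id):
    """Build (without sending) the POST that makes the service principal
    an owner of its own app registration."""
    for label, value in (("application", app_object_id),
                         ("service principal", sp_object_id)):
        if not GUID.match(value):
            raise ValueError(f"{label} object ID is not a GUID: {value!r}")
    if app_object_id.lower() == sp_object_id.lower():
        # The app registration and its service principal are separate
        # directory objects; equal values mean one ID was pasted twice.
        raise ValueError("application and service principal object IDs are identical")
    body = {"@odata.id": f"{GRAPH}/directoryObjects/{sp_object_id}"}
    return urllib.request.Request(
        f"{GRAPH}/applications/{app_object_id}/owners/$ref",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def is_self_owned(owners_response, sp_object_id):
    """Check a GET /applications/{id}/owners response for the app's own
    service principal."""
    return any(owner.get("id", "").lower() == sp_object_id.lower()
               for owner in owners_response.get("value", []))


def describe_failure(status, body_text):
    """Summarise a Graph error body such as the 403 shown above."""
    try:
        error = json.loads(body_text)["error"]
    except (ValueError, KeyError, TypeError):
        return f"HTTP {status}: unparseable error body"
    hint = ""
    if status == 403 and error.get("code") == "Authorization_RequestDenied":
        hint = " (caller lacks rights or consent to update application owners)"
    return f"HTTP {status}: {error.get('code')}: {error.get('message')}{hint}"
```

To send the request, pass the returned object to `urllib.request.urlopen` with a real access token; Graph answers a successful owner assignment with 204 No Content.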
