You have an application that, once authenticated, should be able to update its own properties, such as its client secret or certificate.

The Application.ReadWrite.OwnedBy permission allows an application to manage only the applications it is an owner of. In other words, if you want an application to update its own properties, it has to be an owner of itself. You can set this up using the Microsoft Graph API:

https://docs.microsoft.com/en-us/graph/api/application-post-owners?view=graph-rest-1.0&tabs=http

For more information about Application.ReadWrite.OwnedBy:

https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-4

Let’s get started!

Grab the Application Object ID (not the Application ID):

This is the application you want to add the owner to.

  1. Within the Azure portal @ https://portal.azure.com
  2. Navigate to Azure Active Directory, then to App Registrations (not Enterprise applications)
  3. Find your app and observe the Object ID as shown below. We will need this later.

Grab the ServicePrincipal Object ID

This will be the owner.

  1. Within the Azure portal @ https://portal.azure.com
  2. Navigate to Azure Active Directory, then to Enterprise applications (not App registrations)
  3. Find your app (this is the owner) and observe the Object ID as shown below. We will need this later.

If you want to use Microsoft Graph Explorer:

  1. Go to https://developer.microsoft.com/en-us/graph/graph-explorer
  2. Sign in with a user who has the permissions to update application owners, such as a Global or Application Administrator.
  3. The Microsoft Graph API call will look something like this:
POST https://graph.microsoft.com/v1.0/applications/{application-object-id}/owners/$ref
Content-type: application/json

{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{service-principal-id}"
}

So, in Microsoft Graph Explorer, it would look something like this:

If you get a Forbidden (403) message like the following:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2021-12-09T17:41:54",
      "request-id": "b1909fc0-aa5c-4b43-8a1f-xxxxxxxxxxxx",
      "client-request-id": "836e08bb-a12d-4ade-c761-xxxxxxxxxxxx"
    }
  }
}

You may need to consent to API permissions for Microsoft Graph Explorer. Click on Modify permissions and consent to one of the following permissions:

If you want to use Microsoft Graph PowerShell:

# Sign in as a user who is allowed to change application owners;
# Application.ReadWrite.All is the delegated scope needed for this call
Connect-MgGraph -Scopes Application.ReadWrite.All

# Owner: the Object ID of the service principal (from Enterprise applications)
$OwnerServicePrincipalObjectId = "96858eb3-xxxx-xxxx-xxxx-33a6b0dc2430"

# Application to add the owner to: the Object ID of the app registration (from App registrations)
$ApplicationObjectId = "b7463aa1-xxxx-xxxx-xxxx-0963d6c00485"

# Same @odata.id reference body as the raw Graph call above
$Owner = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($OwnerServicePrincipalObjectId)"
}

New-MgApplicationOwnerByRef -ApplicationId $ApplicationObjectId -BodyParameter $Owner
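Once an application owns itself, it can add credentials to itself with Application.ReadWrite.OwnedBy, so it is worth being able to spot which app registrations are set up this way. The following is an added example, not code from the original post: a small Python audit that builds the same owner reference body used above and flags applications whose owners include their own service principal. It runs offline against constructed sample data shaped like the GET /applications and GET /applications/{id}/owners responses (the GUIDs are placeholders, reusing the masked values from the post).

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def owner_ref_body(service_principal_object_id: str) -> dict:
    """Body for POST /applications/{id}/owners/$ref, as used in the post."""
    return {"@odata.id": f"{GRAPH}/directoryObjects/{service_principal_object_id}"}


def find_self_owned_apps(applications, owners_by_app):
    """Return (displayName, servicePrincipal object id) for every application
    whose owners include the service principal of that same application.
    The match is on appId: the app registration and its enterprise application
    share the appId but have different object ids."""
    hits = []
    for app in applications:
        for owner in owners_by_app.get(app["id"], []):
            if (owner.get("@odata.type") == "#microsoft.graph.servicePrincipal"
                    and owner.get("appId") == app["appId"]):
                hits.append((app["displayName"], owner["id"]))
    return hits


# Constructed sample data (placeholder ids, not a real tenant).
APP_OBJECT_ID = "b7463aa1-xxxx-xxxx-xxxx-0963d6c00485"   # app registration Object ID
SP_OBJECT_ID = "96858eb3-xxxx-xxxx-xxxx-33a6b0dc2430"    # enterprise app Object ID
APPS = [
    {"id": APP_OBJECT_ID, "appId": "11111111-aaaa-bbbb-cccc-000000000001", "displayName": "rotator-app"},
    {"id": "c0ffee00-0000-0000-0000-000000000002", "appId": "22222222-aaaa-bbbb-cccc-000000000002",
     "displayName": "reporting-app"},
]
OWNERS = {
    APP_OBJECT_ID: [
        {"@odata.type": "#microsoft.graph.user", "id": "user-0001", "userPrincipalName": "admin@contoso.example"},
        # the app's own service principal: same appId as the registration
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": SP_OBJECT_ID,
         "appId": "11111111-aaaa-bbbb-cccc-000000000001"},
    ],
    "c0ffee00-0000-0000-0000-000000000002": [
        # owned by a different application's service principal: not self-owned
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-0003",
         "appId": "33333333-aaaa-bbbb-cccc-000000000003"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(owner_ref_body(SP_OBJECT_ID), indent=2))
    for name, sp_id in find_self_owned_apps(APPS, OWNERS):
        print(f"{name} is owned by its own service principal {sp_id}")
```

To run it against a real tenant, replace APPS and OWNERS with the JSON returned by Get-MgApplication and Get-MgApplicationOwner (or the equivalent Graph Explorer calls).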
