Commit 66cd793

Merge pull request #188223 from omondiatieno/app-ownership-updates
app ownership updates
2 parents 80f0d17 + bd33c8b commit 66cd793

1 file changed: +21 -11 lines changed

articles/active-directory/manage-apps/overview-assign-app-owners.md

Lines changed: 21 additions & 11 deletions
@@ -3,36 +3,46 @@ title: Overview of enterprise application ownership
33
titleSuffix: Azure AD
44
description: Learn about enterprise application ownership in Azure Active Directory
55
services: active-directory
6-
documentationcenter: ''
76
author: saipradeepb23
87
manager: celesteDG
98
ms.service: active-directory
109
ms.workload: identity
1110
ms.subservice: app-mgmt
1211
ms.topic: conceptual
13-
ms.date: 12/22/2021
12+
ms.date: 02/10/2021
1413
ms.author: saibandaru
15-
#Customer intent: As an Azure AD administrator, I learn about enterprise application ownership.
14+
15+
#Customer intent: As an Azure AD administrator, I want to learn about enterprise application ownership.
1616

1717
---
1818

1919
# Overview of enterprise application ownership in Azure Active Directory
2020

21-
As an owner of an enterprise application in Azure Active Directory (Azure AD), a user can manage the organization-specific configuration of it, such as single sign-on, provisioning, and user assignments. An owner can also add or remove other owners.
21+
A user in Azure Active Directory (Azure AD) is automatically added as an application owner when they register an application. The ownership of an enterprise application is assigned by default only when a user with no administrator roles (Global Administrator, Application Administrator etc.) creates a new application registration. In all other cases, ownership isn't assigned by default to an enterprise application. Users can be owners of enterprise applications but groups can't be assigned as owners.
22+
23+
As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application. To learn more about the permissions that an owner of an application has, see [Ownership permissions](../fundamentals/users-default-permissions.md#owned-enterprise-applications)
24+
25+
> [!NOTE]
26+
> The application may have more permissions than the owner, and thus would be an elevation of privilege over what the owner has access to as a user. An application owner can create or update users or other objects while impersonating the application. The elevation of privilege to owners can raise a security concern in some cases depending on the application's permissions.
27+
28+
## FAQ
2229

23-
Unlike Global Administrators, owners can manage only the enterprise applications they own. Only users can be owners of enterprise applications. Groups cannot be assigned as owners. Owners can add credentials to an application and use those credentials to impersonate the application’s identity.
30+
**What do you do with applications where the owner is no longer with the organization?**
2431

25-
The owner of an enterprise application is assigned by default only when a user with no administrator roles (Global Administrator, Application Administrator etc.) creates a new application registration. In all other cases, an owner is not assigned by default to an enterprise application.
32+
If you have an ownerless application in your tenant, you can access the audit log for the application to investigate other users who may be involved in configuring the application. However, there are limitations on how long audit logs are stored. See [Azure AD audit log reporting](../reports-monitoring/reference-reports-data-retention.md).
2633

27-
## Owner permissions
34+
You may also see other users who have scoped permissions on the application by navigating to “Roles and Administrators” tab. Once you find the right person to own the application, a user with a highly privileged administrative role in the organization can assign the new owner for the application. See [Assign enterprise application owners](assign-app-owners.md).
2835

29-
The application may have more permissions than the owner, and thus would be an elevation of privilege over what the owner has access to as a user or service principal. An application owner could potentially create or update users or other objects while impersonating the application, depending on the application's permissions.
36+
As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization.
3037

31-
Owners of applications have the same permissions as application administrators scoped to an individual application. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md#application-administrator).
38+
**How do you add yourself as an owner of an enterprise application?**
3239

33-
## Ownerless applications
40+
Existing owners of an application can add other users as the owners. Also, users with a privileged role such as Application Administrator or the Cloud Application Administrator can assign owners to applications in the organization. If you aren't an administrator, work with an administrator in your organization to [assign you as the owner](assign-app-owners.md) of the application.
3441

35-
Even if an enterprise application had an owner at some point, it might end up ownerless if the existing owners leave the organization or remove themselves. To find more information, you can review the activity on the application by checking the audit logs. Audit logs store data for only a limited period. For more information, see [Azure AD audit log reporting](../reports-monitoring/reference-reports-data-retention.md).
42+
**How can you find all the applications that you own?**
43+
- You can navigate to “Enterprise Applications” -> “All Applications”
44+
- Add filter -> Use owned by to search for apps owned by you or any other person.
45+
3646

3747
## Next steps
3848

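Review bot: the `ms.date` change in the front matter moves the date backwards, from 12/22/2021 to 02/10/2021; if this edit is meant to carry the date of the update, 02/10/2022 is probably what was intended. In the body, the new owner paragraph ends without a period after the `[Ownership permissions](../fundamentals/users-default-permissions.md#owned-enterprise-applications)` link. The removed sentence "Owners can add credentials to an application and use those credentials to impersonate the application's identity" was the only place that explained how the impersonation mentioned in the new `[!NOTE]` is possible, and the note now states unconditionally that an owner "can create or update users or other objects while impersonating the application", where the old text said "could potentially ... depending on the application's permissions"; consider folding the credentials sentence into the note and restoring the qualifier so readers understand both the mechanism and its dependence on the application's granted permissions. Smaller points: "we recommend proactive monitoring applications" should read "proactively monitoring applications", and "navigating to “Roles and Administrators” tab" is missing "the".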