On our AD tenant I am testing guest user ownership over an app registration + service principal. I want to allow an external daemon service to call my .NET Core REST API. In order to do so securely I need an identity provider trusted by both parties, and one that limits the administrative overhead of managing credential stores.
Instead of deploying IdentityServer or doing something stupid like hardcoding basic-auth passwords in my API, I am considering using our Azure AD tenant and having the external client registered as an app in our tenant. They can then easily authenticate that daemon app against AD and call my API, and I skip the need to manage said credential store. Also, the client gets password refresh etc.; they can manage their own credentials. Yay!
It is my understanding, based on this page, that a guest can be made owner of the app registration and the service principal. I have done so successfully, on both the AzureAD App and the AzureAD ServicePrincipal objects. After that, the guest user should be able to manage certain aspects of that app registration. Specifically, I want the guest user to be able to manage the credentials for that app registration. The documentation page states that the guest is allowed to:
Guest user permissions
However, even after signing out and back in to refresh my tokens, the Azure Portal still blocks my testing guest user from managing the app I made him owner of. (The error actually has a hyperlink to the page showing owners, and lo and behold, the guest account is shown as the owner.)
The question is whether I am missing a key configuration entry somewhere to allow this to happen, or, is the documentation wrong and are guests simply not allowed to manage the credentials contained within the service principal object?
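The daemon side of the scenario described above, as an added example that is not part of the original question: an OAuth 2.0 client credentials request to the tenant's v2.0 token endpoint, a quick look at the claims the API will receive, and the call to the API. All identifiers (`$TenantId`, `$ClientId`, `$ApiAppIdUri`, `$ApiUrl`) are placeholders, and the claim checks are a local sanity check only; the .NET Core API must still validate the token signature, issuer and audience itself.

```powershell
# Added example (not from the original post). Placeholders, not real identifiers:
#   $TenantId    - our Azure AD tenant id
#   $ClientId    - the external daemon's app registration (client) id in our tenant
#   $ApiAppIdUri - the Application ID URI exposed by the .NET Core API (api://<api-client-id>)
#   $ApiUrl      - a protected endpoint of that API
$TenantId     = '00000000-0000-0000-0000-000000000000'
$ClientId     = '11111111-1111-1111-1111-111111111111'
$ClientSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$ApiAppIdUri  = 'api://22222222-2222-2222-2222-222222222222'
$ApiUrl       = 'https://api.example.com/v1/orders'

# Only materialise the secret as plain text for the duration of the token request.
$plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password

# Client credentials grant: no user is involved, the daemon authenticates as itself.
# scope=<App ID URI>/.default asks for the application permissions (app roles) already granted.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plainSecret
        scope         = "$ApiAppIdUri/.default"
    }
$plainSecret = $null

# Decode the JWT payload (second segment, base64url) to see what the API will be handed.
# This does NOT verify the signature; the API does that against the tenant's signing keys.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload -Jwt $tokenResponse.access_token

# aud is the API (App ID URI or its client id, depending on the API's requested token version);
# the caller's client id is in 'azp' (v2.0 tokens) or 'appid' (v1.0 tokens);
# 'roles' lists the app roles granted to the daemon. An API that authorises only on a valid
# signature and aud will accept ANY app in the tenant, so it should require a role.
$apiClientId = $ApiAppIdUri.Replace('api://', '')
if ($claims.aud -notin @($ApiAppIdUri, $apiClientId)) {
    throw "Token audience '$($claims.aud)' is not the API"
}
if (-not $claims.roles) {
    Write-Warning 'Token carries no app roles; the API should reject it unless a role is present'
}

Invoke-RestMethod -Method Get -Uri $ApiUrl `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
```

The credential the guest owner manages (secret or certificate on the app registration) is exactly what feeds `client_secret` here, so rotating it on their side never involves your API or your configuration.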
I can reproduce your issue. According to the doc, the guest should be able to manage the credentials for owned applications; I am not sure why this happens, but here are two solutions for you.
1. Per my test, you could navigate to Azure AD in the portal -> User settings -> click Manage external collaboration settings -> set Guest users permissions are limited to No; then the guest user can manage the credentials for the owned application successfully.
Note: If Guest users permissions are limited is No, the Guest user will have some other permissions like a Member user, e.g. create a new app registration, view other applications which he is not an Owner of.
2. This option is the one I recommend you use: create a custom admin role in AAD and assign the role to the Guest user at the scope of the specific application; Guest users permissions are limited can stay Yes. After doing that, the Guest user only has permissions on the specific application; other permissions are like a normal Guest user.
Just create the role in the portal, and assign the role to the user at the scope of the owned application.
You could also do this with PowerShell or the Graph API; reference - Create and assign a custom role in Azure Active Directory.
The permissions in the custom role depend on your requirements; this is my role.
After assigning the role, it works.
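Option 2 above scripted end to end, as an added example that is not the answer's own code or Microsoft's: it uses the Microsoft Graph PowerShell SDK to check that the guest restriction stays in place, create a custom role limited to reading the app and rotating its credentials, and assign that role to the guest at the scope of the app registration and of its service principal rather than at tenant scope. The guest's e-mail address, the daemon app's client id and the role name are assumed placeholders.

```powershell
# Added example (not from the answer). Assumed placeholders: $guestMail, $appId, the role name.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All',
                        'User.Read.All', 'Policy.Read.All'

$guestMail = 'daemon-owner@partner.example'           # assumed: the external party's guest account
$appId     = '11111111-1111-1111-1111-111111111111'    # assumed: the daemon app's application (client) id

# 1. Keep option 1 off: guestUserRoleId should remain the "limited" value. Switching it to the
#    member-equivalent value lets every guest in the tenant enumerate and create app registrations.
$limitedGuestRoleId = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # "Guest users permissions are limited = Yes"
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.GuestUserRoleId -ne $limitedGuestRoleId) {
    Write-Warning "Guest permissions are not limited (guestUserRoleId = $($policy.GuestUserRoleId))"
}

# 2. A custom role carrying only what credential rotation needs. No basic/update, no owner
#    changes, no required-permission changes: the guest cannot reshape the app, only re-key it.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = 'App Credential Manager'        # assumed role name
    description     = 'Rotate credentials on a single app registration and its service principal'
    isEnabled       = $true
    rolePermissions = @(@{
        allowedResourceActions = @(
            'microsoft.directory/applications/standard/read',
            'microsoft.directory/applications/credentials/update',
            'microsoft.directory/servicePrincipals/standard/read',
            'microsoft.directory/servicePrincipals/credentials/update'
        )
    })
}

# 3. Resolve the guest and both directory objects behind the app id.
$guest = Get-MgUser -Filter "mail eq '$guestMail' and userType eq 'Guest'"
$app   = Get-MgApplication      -Filter "appId eq '$appId'"
$sp    = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not ($guest -and $app -and $sp)) { throw 'Guest, application or service principal not found' }

# 4. Object-scoped assignments: directoryScopeId is "/<objectId>" of the app registration and
#    of the service principal. "/" would be tenant scope and would cover every app.
foreach ($obj in @($app, $sp)) {
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        roleDefinitionId = $roleDef.Id
        principalId      = $guest.Id
        directoryScopeId = "/$($obj.Id)"
    } | Out-Null
}

# 5. Verify: the guest should hold this role twice, at the two object scopes, and nowhere at "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($guest.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Ownership of the app and service principal can stay in place for visibility, but after this it is the scoped role assignment, not ownership, that actually grants the guest the credential operations, which is why the "limited" guest setting no longer gets in the way.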