last sync: 2025-Apr-29 17:09:03 Etc/UTC

Cloud Application Administrator - 158c047a-c907-4556-b7ef-446551a6b5f7
Entra Id Role definition

Display name: Cloud Application Administrator
Id: 158c047a-c907-4556-b7ef-446551a6b5f7
Description: Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
Detailed description: Users in this role can add, manage, and configure enterprise applications, app registrations but will not be able to configure or manage on-premises like app proxy.
Categories: identity
isPrivileged: True (Privileged)
EntraOps Tier Level: ControlPlane
#Resource Actions unique: 113
#Resource Actions Operations unique: 119
#Resource Actions privileged: 3
#Resource Actions direct: 60
Resource Actions inherited: True
#Resource Actions inherited: 54
Resource Actions inherited from: Directory Readers (88d8e3e3-8f55-4a1e-953a-9b9898b8876b)
#Resource Actions overlap direct&inherited: 1
Resource Actions overlap direct&inherited: microsoft.directory/applicationPolicies/standard/read
#Resource Actions inherited to: 0 other Entra Id Roles
Resource Actions inherited to: n/a
#Resource Actions conditioned: 0
#Resource Actions unconditioned: 113
#NameSpaces: 6
NameSpaces:
  microsoft.azure.serviceHealth: 1
  microsoft.azure.supportTickets: 1
  microsoft.directory: 108
  microsoft.office365.serviceHealth: 1
  microsoft.office365.supportTickets: 1
  microsoft.office365.webPortal: 1
Actions:
  allTasks: 6
  create: 3
  delete: 4
  disable: 1
  enable: 1
  manage: 6
  managePermissionGrantsForAll: 1
  other: 3
  read: 63
  restore: 1
  update: 24
Operations actionVerbs:
  DELETE: 9
  GET: 63
  n/a: 7
  PATCH: 21
  POST: 19
Resource Actions where Consent Policy applies: 1
Resource Actions / Consent Policy:
  Resource Action: microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin
  Consent Policy: microsoft-application-admin
  displayName: Application Admin Policy
  description: Permissions consentable by Application Administrators.
  includes: 2
  excludes: 2
JSON raw (v1.0 endpoint)
GET /roleManagement/directory/roleDefinitions/{id}
JSON raw (beta endpoint)
GET /roleManagement/directory/roleDefinitions/{id}