Azure CLI - Set App Registration Owner
Overview
Security is paramount in every engagement, and one thing that helps with application design is planning for secret rotation from the start. This post covers one step that facilitates that process: setting the owner of an app registration to a separate SPN, which can then be used to rotate the registration's secrets.
Minimal Permissions
The minimal permission an SPN needs to manage an app registration is Application.ReadWrite.Owner.
This means the SPN can only reset secrets of app registrations it owns, which is ideal when dealing with tenants that have thousands of app registrations.
Enterprise App Registration
One very important point is the difference between the App Registration and the Enterprise App Registration: they share the same client ID, but their object IDs differ. This is because the Enterprise App Registration is essentially the SPN of an App Registration, so it is the object needed in certain cases (like this one).
Azure CLI to Add an SPN as App Registration Owner
Taking the above into account, the --owner-object-id in the following command needs to be the object ID of the Enterprise Application Registration (the SPN), not of the app registration itself:
az ad app owner add --id xxx --owner-object-id xxx
The --id value, by contrast, is the object ID of the target app registration.
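The following script is an added example, not part of the original post, that wraps the command above with the lookups that make the client-ID/object-ID distinction explicit: both inputs are client IDs (identical for an app registration and its enterprise app), and the script resolves the app registration's object ID for --id and the service principal's object ID for --owner-object-id, then checks the owner list to confirm the change took effect. It assumes an authenticated Azure CLI session (az login) on a recent, Microsoft Graph based CLI where az ad app show and az ad sp show return the object ID in the id field, and an identity permitted to edit both objects; the GUID values in the comments are constructed placeholders. The least-privilege permission discussed above is published in Microsoft Graph as the application permission Application.ReadWrite.OwnedBy.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): set an SPN as owner of an app
# registration using the correct object IDs, then verify ownership.
# Usage: ./set-owner.sh <target-app-client-id> <owner-spn-client-id>
# Assumes: az login already done; recent Azure CLI (Graph based, "id" field).

# Return 0 if the argument is a GUID, the shape every Entra client ID and
# object ID takes. Catches display names or stray quotes pasted by mistake.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Object ID of the app registration itself: this is what --id expects here.
app_object_id() {
  az ad app show --id "$1" --query id -o tsv
}

# Object ID of the enterprise application (service principal) for a client ID.
# This is the value --owner-object-id needs; az ad app show would return the
# app registration's own object ID, which is a different object entirely.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Resolve both object IDs, add the owner, and confirm it is now listed.
# Returns non-zero if either input is malformed or the owner is not visible
# in the owner list afterwards.
set_owner() {
  target_client_id=$1
  owner_client_id=$2
  is_guid "$target_client_id" || { echo "target client ID is not a GUID" >&2; return 1; }
  is_guid "$owner_client_id"  || { echo "owner client ID is not a GUID" >&2; return 1; }

  target_obj=$(app_object_id "$target_client_id") || return 1
  owner_obj=$(sp_object_id "$owner_client_id")    || return 1
  [ -n "$target_obj" ] && [ -n "$owner_obj" ] || { echo "object ID lookup returned nothing" >&2; return 1; }

  az ad app owner add --id "$target_obj" --owner-object-id "$owner_obj" || return 1

  # Verification: the SPN's object ID must now appear among the owners.
  az ad app owner list --id "$target_obj" --query "[].id" -o tsv | grep -qx "$owner_obj"
}

# Only run when invoked with the two client IDs; sourcing the file or running
# it without arguments just defines the functions.
if [ "$#" -eq 2 ]; then
  set_owner "$1" "$2"
fi
```

Passing client IDs rather than object IDs to the script removes the most common mistake with this command: pasting the app registration's object ID (from the App registrations blade) into --owner-object-id, which targets the wrong object. The final owner-list check is what an automation pipeline should gate on before handing the SPN its rotation duties.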