---
title: Application Administrator
description: Application Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---


This is a privileged role. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

This role also grants the ability to consent for delegated permissions and application permissions, with the exception of application permissions for Azure AD Graph and Microsoft Graph.

> [!IMPORTANT]
> This exception means that you can still consent to application permissions for other apps (for example, other Microsoft apps, third-party apps, or apps that you have registered). You can still request application permissions for Azure AD Graph and Microsoft Graph as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Privileged Role Administrator.

This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the application's identity. If the application's identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the application's identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an application's identity.
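The following is an added example, not part of the original reference: a defender-side triage of audit records for credential additions, ranking each by whether the target already holds high-impact application permissions and whether the actor is an owner of the target. The records, inventory, object ids, activity-name fragments, and the `HIGH_IMPACT` set are assumptions constructed for illustration; confirm activity names against your own tenant's audit log.

```python
# Added example: triage credential additions on applications and service principals.
# Assumption: activity-name fragments as shown in the Entra audit log; confirm in your tenant.
CREDENTIAL_ACTIVITIES = ("Add service principal credentials",
                         "Certificates and secrets management")
# Assumption: application permissions this tenant treats as high impact.
HIGH_IMPACT = {"User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

# Constructed inventory: object id -> owners and already-granted application permissions.
INVENTORY = {
    "obj-hr-sync": {"owners": {"alice@contoso.example"},
                    "app_permissions": {"User.ReadWrite.All"}},
    "obj-wiki": {"owners": {"bob@contoso.example"}, "app_permissions": set()},
}

def _event(when, activity, upn, target_id, result="success"):
    """Build a constructed record shaped like a Microsoft Graph directoryAudit entry."""
    return {"activityDateTime": when, "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": target_id}]}

AUDIT_EVENTS = [  # constructed sample data
    _event("2026-01-10T09:00:00Z", "Add service principal credentials",
           "carol@contoso.example", "obj-hr-sync"),
    _event("2026-01-10T09:05:00Z",
           "Update application – Certificates and secrets management",
           "bob@contoso.example", "obj-wiki"),
    _event("2026-01-10T09:10:00Z", "Update service principal",
           "carol@contoso.example", "obj-wiki"),
    _event("2026-01-10T09:15:00Z", "Add service principal credentials",
           "carol@contoso.example", "obj-unknown"),
]

def triage(events, inventory=INVENTORY, high_impact=HIGH_IMPACT):
    """Return (time, actor, target, severity, exposed permissions) per credential change."""
    findings = []
    for ev in events:
        name = ev.get("activityDisplayName", "")
        if ev.get("result") != "success" or not any(a in name for a in CREDENTIAL_ACTIVITIES):
            continue
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        for target in ev.get("targetResources", []):
            entry = inventory.get(target.get("id"))
            if entry is None:  # unknown object: cannot rule out impact, send to review
                findings.append((ev["activityDateTime"], actor, target.get("id"), "review", []))
                continue
            exposed = sorted(entry["app_permissions"] & high_impact)
            non_owner = actor not in entry["owners"]
            severity = "high" if exposed and non_owner else "medium" if exposed or non_owner else "low"
            findings.append((ev["activityDateTime"], actor, target["id"], severity, exposed))
    return findings
```

A "high" finding is the case the paragraph above describes: a non-owner adds a credential to an identity whose existing grants exceed what the actor's own role assignments allow.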

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks | Manage admin consent request policies in Microsoft Entra ID |
> | microsoft.directory/appConsent/appConsentRequests/allProperties/read | Read all properties of consent requests for applications registered with Microsoft Entra ID |
> | microsoft.directory/applicationPolicies/basic/update | Update standard properties of application policies |
> | microsoft.directory/applicationPolicies/create | Create application policies |
> | microsoft.directory/applicationPolicies/delete | Delete application policies |
> | microsoft.directory/applicationPolicies/owners/read | Read owners on application policies |
> | microsoft.directory/applicationPolicies/owners/update | Update the owner property of application policies |
> | microsoft.directory/applicationPolicies/policyAppliedTo/read | Read application policies applied to objects list |
> | microsoft.directory/applicationPolicies/standard/read | Read standard properties of application policies |
> | microsoft.directory/applications/applicationProxy/read | Read all application proxy properties |
> | microsoft.directory/applications/applicationProxy/update | Update all application proxy properties |
> | microsoft.directory/applications/applicationProxyAuthentication/update | Update authentication on all types of applications |
> | microsoft.directory/applications/applicationProxySslCertificate/update | Update SSL certificate settings for application proxy |
> | microsoft.directory/applications/applicationProxyUrlSettings/update | Update URL settings for application proxy |
> | microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
> | microsoft.directory/applications/audience/update | Update the audience property for applications |
> | microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
> | microsoft.directory/applications/basic/update | Update basic properties for applications |
> | microsoft.directory/applications/create | Create all types of applications |
> | microsoft.directory/applications/credentials/update | Update application credentials (Privileged) |
> | microsoft.directory/applications/delete | Delete all types of applications |
> | microsoft.directory/applications/extensionProperties/update | Update extension properties on applications |
> | microsoft.directory/applications/notes/update | Update notes of applications |
> | microsoft.directory/applications/owners/update | Update owners of applications |
> | microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
> | microsoft.directory/applications/policies/update | Update policies of applications |
> | microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
> | microsoft.directory/applications/tag/update | Update tags of applications |
> | microsoft.directory/applications/verification/update | Update applications verification property |
> | microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates |
> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups |
> | microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups |
> | microsoft.directory/connectorGroups/create | Create application proxy connector groups |
> | microsoft.directory/connectorGroups/delete | Delete application proxy connector groups |
> | microsoft.directory/connectors/allProperties/read | Read all properties of application proxy connectors |
> | microsoft.directory/connectors/create | Create application proxy connectors |
> | microsoft.directory/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions (Privileged) |
> | microsoft.directory/deletedItems.applications/delete | Permanently delete applications, which can no longer be restored |
> | microsoft.directory/deletedItems.applications/restore | Restore soft deleted applications to original state |
> | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties (Privileged) |
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
> | microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
> | microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals |
> | microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals |
> | microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals |
> | microsoft.directory/servicePrincipals/create | Create service principals |
> | microsoft.directory/servicePrincipals/credentials/update | Update credentials of service principals (Privileged) |
> | microsoft.directory/servicePrincipals/delete | Delete service principals |
> | microsoft.directory/servicePrincipals/disable | Disable service principals |
> | microsoft.directory/servicePrincipals/enable | Enable service principals |
> | microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials | Manage password single sign-on credentials on service principals |
> | microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials | Read password single sign-on credentials on service principals |
> | microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin | Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph and Azure AD Graph |
> | microsoft.directory/servicePrincipals/notes/update | Update notes of service principals |
> | microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |
> | microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
> | microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage | Manage application provisioning secrets and credentials |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage | Start, restart, and pause application provisioning synchronization jobs |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage | Create and manage application provisioning synchronization jobs and schema |
> | microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
> | microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials |
> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs |
> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema |
> | microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |
> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |