Application.ReadWrite.OwnedBy

Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user.  It cannot update any apps that it is not an owner of.

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All but only on applications and service principals that the calling app is an owner of.

The Application.ReadWrite.OwnedBy permission allows an app to call GET /applications and GET /servicePrincipals endpoints to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Application.ReadWrite.OwnedBy permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	18a4783c-866b-4cc7-a460-3d5e5662c884	-
DisplayText	Manage apps that this app creates or owns	-
Description	Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user.  It cannot update any apps that it is not an owner of.	-
AdminConsentRequired	-	-

Graph Methods

• API [v1.0]
• API [beta]
• PowerShell [v1.0]
• PowerShell [beta]

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /applications(appId='{appId}')
	DELETE /applications(appId='{appId}')/extensionProperties/{extensionPropertyId}
	DELETE /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
	DELETE /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
	DELETE /applications(appId='{appId}')/owners/{id}/$ref
	DELETE /applications(appId='{appId}')/tokenIssuancePolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /applications(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /applications/{application ObjectId}/extensionProperties/{extensionPropertyId}
	DELETE /applications/{applicationObjectId}
	DELETE /applications/{applicationObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
	DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
	DELETE /applications/{id}/owners/{id}/$ref
	DELETE /applications/{id}/synchronization/templates/{templateId}/schema
	DELETE /applications/{id}/tokenIssuancePolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /directory/deletedItems/{id}
	DELETE /servicePrincipals(appId='{appId}')
	DELETE /servicePrincipals(appId='{appId}')/claimsMappingPolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /servicePrincipals(appId='{appId}')/owners/{id}/$ref
	DELETE /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	DELETE /servicePrincipals/{id}
	DELETE /servicePrincipals/{id}/claimsMappingPolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /servicePrincipals/{id}/homeRealmDiscoveryPolicies/{id}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	DELETE /serviceprincipals/{id}/owners/{id}/$ref
	DELETE /servicePrincipals/{id}/synchronization/jobs/{jobId}/
	DELETE /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema
	DELETE /servicePrincipals/{servicePrincipalObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	DELETE /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}/$ref
	GET /applications
	GET /applications(appId='{appId}')
	GET /applications(appId='{appId}')/extensionProperties
	GET /applications(appId='{appId}')/extensionProperties/{extensionPropertyId}
	GET /applications(appId='{appId}')/federatedIdentityCredentials
	GET /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
	GET /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
	GET /applications(appId='{appId}')/owners
	GET /applications(appId='{appId}')/tokenIssuancePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /applications(appId='{appId}')/tokenLifetimePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /applications/{application ObjectId}/extensionProperties
	GET /applications/{application ObjectId}/extensionProperties/{extensionPropertyId}
	GET /applications/{applicationObjectId}
	GET /applications/{id}/federatedIdentityCredentials
	GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
	GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
	GET /applications/{id}/owners
	GET /applications/{id}/synchronization/templates/{templateId}/schema
	GET /applications/{id}/synchronization/templates/{templateId}/schema/filterOperators
	GET /applications/{id}/synchronization/templates/{templateId}/schema/functions
	GET /applications/{id}/tokenIssuancePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /applications/{id}/tokenLifetimePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /applications/delta
	GET /servicePrincipals
	GET /servicePrincipals(appId='{appId}')
	GET /servicePrincipals(appId='{appId}')/appRoleAssignedTo
	GET /servicePrincipals(appId='{appId}')/appRoleAssignments
	GET /servicePrincipals(appId='{appId}')/claimsMappingPolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /servicePrincipals(appId='{appId}')/delegatedPermissionClassifications
	GET /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /servicePrincipals(appId='{appId}')/memberOf
	GET /servicePrincipals(appId='{appId}')/ownedObjects
	GET /servicePrincipals(appId='{appId}')/owners
	GET /servicePrincipals(appId='{appId}')/tokenLifetimePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	GET /servicePrincipals/{id}
	GET /servicePrincipals/{id}/appRoleAssignedTo
	GET /servicePrincipals/{id}/appRoleAssignments
	GET /servicePrincipals/{id}/claimsMappingPolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /servicePrincipals/{id}/delegatedPermissionClassifications
	GET /servicePrincipals/{id}/homeRealmDiscoveryPolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	GET /servicePrincipals/{id}/memberOf
	GET /servicePrincipals/{id}/ownedObjects
	GET /servicePrincipals/{id}/owners
	GET /servicePrincipals/{id}/synchronization/jobs/
	GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/
	GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema
	GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema/filterOperators
	GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema/functions
	GET /servicePrincipals/{id}/synchronization/templates/{templateId}/schema
	GET /servicePrincipals/{id}/synchronization/templates/{templateId}/schema/filterOperators
	GET /servicePrincipals/{id}/synchronization/templates/{templateId}/schema/functions
	GET /servicePrincipals/{id}/tokenLifetimePolicies Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration
	GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups
	GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}
	GET /servicePrincipals/delta
	GET applications/{id}/synchronization/templates
	GET applications/{id}/synchronization/templates/{templateId}
	GET servicePrincipals/{id}/synchronization/templates
	GET servicePrincipals/{id}/synchronization/templates/{templateId}
	PATCH /applications(appId='{appId}')
	PATCH /applications(appId='{appId}')/federatedIdentityCredentials(name='{name}')
	PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
	PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
	PATCH /applications(uniqueName='{uniqueName}')
	PATCH /applications/{applicationObjectId}
	PATCH /applications/{id}/federatedIdentityCredentials(name='{name}')
	PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
	PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
	PATCH /servicePrincipals(appId='{appId}')
	PATCH /servicePrincipals(appId='appId')
	PATCH /servicePrincipals/{id}
	PATCH /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}
	PATCH applications/{id}/synchronization/templates/{templateId}
	POST /applications
	POST /applications(appId='{appId}')/addKey
	POST /applications(appId='{appId}')/addPassword
	POST /applications(appId='{appId}')/extensionProperties
	POST /applications(appId='{appId}')/federatedIdentityCredentials
	POST /applications(appId='{appId}')/owners/$ref Application.ReadWrite.OwnedBy and Directory.Read.All
	POST /applications(appId='{appId}')/removeKey
	POST /applications(appId='{appId}')/removePassword
	POST /applications(appId='{appId}')/tokenIssuancePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /applications(appId='{appId}')/tokenLifetimePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /applications/{application ObjectId}/extensionProperties
	POST /applications/{applicationsId}/synchronization/acquireAccessToken
	POST /applications/{id}/addKey
	POST /applications/{id}/addPassword
	POST /applications/{id}/federatedIdentityCredentials
	POST /applications/{id}/owners/$ref Application.ReadWrite.OwnedBy and Directory.Read.All
	POST /applications/{id}/removeKey
	POST /applications/{id}/removePassword
	POST /applications/{id}/tokenIssuancePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /applications/{id}/tokenLifetimePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /applicationTemplates/{applicationTemplate-id}/instantiate
	POST /directory/deletedItems/{id}/restore
	POST /servicePrincipals
	POST /servicePrincipals(appId='{appId}')/addKey
	POST /servicePrincipals(appId='{appId}')/addPassword
	POST /servicePrincipals(appId='{appId}')/addTokenSigningCertificate
	POST /servicePrincipals(appId='{appId}')/claimsMappingPolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /servicePrincipals(appId='{appId}')/owners/$ref Application.ReadWrite.OwnedBy and Directory.Read.All
	POST /servicePrincipals(appId='{appId}')/removeKey
	POST /servicePrincipals(appId='{appId}')/removePassword
	POST /servicePrincipals(appId='{appId}')/synchronization/jobs/{jobId}/restart
	POST /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	POST /serviceprincipals/{id}/addKey
	POST /servicePrincipals/{id}/addPassword
	POST /servicePrincipals/{id}/addTokenSigningCertificate
	POST /servicePrincipals/{id}/claimsMappingPolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /servicePrincipals/{id}/homeRealmDiscoveryPolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration
	POST /servicePrincipals/{id}/owners/$ref Application.ReadWrite.OwnedBy and Directory.Read.All
	POST /serviceprincipals/{id}/removeKey
	POST /servicePrincipals/{id}/removePassword
	POST /servicePrincipals/{id}/synchronization/jobs/
	POST /servicePrincipals/{id}/synchronization/jobs/{id}/schema/parseExpression
	POST /servicePrincipals/{id}/synchronization/jobs/{id}/validateCredentials
	POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/pause
	POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema/directories/{directoryId}/discover
	POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/start
	POST /servicePrincipals/{id}/synchronization/templates/{id}/schema/parseExpression
	POST /servicePrincipals/{id}/tokenLifetimePolicies/$ref Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	POST /servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/restart
	POST /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration
	POST /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups
	POST /servicePrincipals/{servicePrincipalsId}/synchronization/acquireAccessToken
	POST /servicePrincipals/{servicePrincipalsId}/synchronization/jobs/{synchronizationJobId}/provisionOnDemand
	PUT /applications/{id}/synchronization/templates/{templateId}/schema
	PUT /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema
	PUT /servicePrincipals/{id}/synchronization/secrets

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

• addIn
• administrativeUnit
• apiApplication
• application
• applicationServicePrincipal
• applicationTemplate
• appRole
• appRoleAssignment
• certificateAuthorityDetail
• certificateBasedAuthPki
• claimsMappingPolicy
• customSecurityAttributeValue
• delegatedPermissionClassification
• directory
• directoryObject
• extensionproperty
• externalUserProfile
• federatedIdentityCredential
• group
• homeRealmDiscoveryPolicy
• informationalUrl
• keyCredential
• onPremisesPublishing
• parentalControlSettings
• passwordCredential
• passwordSingleSignOnCredentialSet
• pendingExternalUserProfile
• publicClientApplication
• remoteDesktopSecurityConfiguration
• requiredResourceAccess
• samlSingleSignOnSettings
• selfSignedCertificate
• servicePrincipal
• spaApplication
• attributeDefinition
• attributeMappingFunctionSchema
• attributeMappingSource
• directoryDefinition
• expressionInputObject
• filter
• filterOperatorSchema
• parseExpressionResponse
• synchronizationJob
• synchronizationJobApplicationParameters
• synchronizationJobRestartCriteria
• synchronizationSchema
• synchronizationSecretKeyStringValuePair
• synchronizationTemplate
• targetDeviceGroup
• tokenIssuancePolicy
• tokenLifetimePolicy
• user
• webApplication
• windowsApplication

Graph reference: addIn

Property	Type	Description
id	GUID	The unique identifier for the addIn object.
properties	keyValue collection	The collection of key-value pairs that define parameters that the consuming service can use or call. You must specify this property when performing a POST or a PATCH operation on the addIns collection. Required.
type	string	The unique name for the functionality exposed by the app.