Hello, what ID should we select to set up Enterprise App./Service principal upstream? i.e. Service account ID, admin ID?

Gajjar, Dipika 0 Reputation points
2025-02-10T20:56:18.7833333+00:00

Hello,

Some of the cloud solutions offer upstream app registration. We need to elevate Global admin access to join the target application and let the enterprise application get created upstream. Using our ID for this purpose may not give us visibility of expired PKI or other notifications or updates if the user that created this app is no longer working with us. How do we solve this situation? What is the best practice according to Microsoft in similar events? What type of ID is recommended to use?

I would appreciate any reference documentation to support best practice.

Thanks!

Microsoft Entra ID

1 answer

  1. Goutam Pratti 1,670 Reputation points Microsoft Vendor
    2025-02-12T08:04:58.44+00:00

    Hello @Gajjar, Dipika ,

    Thank you for reaching out to Microsoft Q&A.

    I understand your need to elevate Global admin access to join the target application and let the enterprise application get created upstream. Using your ID for this purpose may not give you visibility of expired PKI or other notifications or updates if the user that created this app is no longer working with you.

    I recommend using service accounts for automated use; they're granted permissions to access resources in Azure and Microsoft Entra ID. Resources can include Microsoft 365 services, software as a service (SaaS) applications, custom applications, databases, HR systems, and so on.

    For scenarios where elevated access is needed, such as joining a target application, it is advisable to create dedicated emergency access accounts that are permanently assigned the Global Administrator role. This ensures that there are accounts available for critical access without being tied to specific users.

    For additional information: https://learn.microsoft.com/en-us/entra/architecture/govern-service-accounts#governing-microsoft-entra-service-accounts

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
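The visibility problem the question raises (credentials expiring on an app whose creator has left) can be checked directly rather than waiting for a notification. The script below is an added example, not code from the thread or from Microsoft: a read-only audit with the Microsoft Graph PowerShell SDK that lists app registrations whose certificates or client secrets expire within a chosen window, together with how many of their owners are still enabled users. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules are installed, that the caller can consent to the read-only scopes requested, and that 30 days is the warning window you want.

```powershell
# Added example (not from the Q&A thread): audit app registrations for
# credentials that are expired or expiring soon, and for the absence of an
# active (enabled) owner who would receive renewal notifications.
# Assumptions: Microsoft.Graph.Applications and Microsoft.Graph.Users are
# installed; Application.Read.All and User.Read.All are read-only scopes the
# caller can consent to; the 30-day window is an arbitrary choice.

Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All"

$warnDays = 30                                            # assumed window
$cutoff   = (Get-Date).ToUniversalTime().AddDays($warnDays)
$rows     = [System.Collections.Generic.List[object]]::new()

function Add-Row($app, $credType, $expires, $activeOwners) {
    $rows.Add([pscustomobject]@{
        App          = $app.DisplayName
        AppId        = $app.AppId
        CredType     = $credType
        Expires      = $expires
        ExpiringSoon = ($expires -lt $cutoff)             # also true if already expired
        ActiveOwners = $activeOwners
    })
}

$apps = Get-MgApplication -All -Property Id,AppId,DisplayName,KeyCredentials,PasswordCredentials

foreach ($app in $apps) {
    # Count owners that are user objects and still enabled; a departed user
    # is typically disabled or deleted, so such owners no longer count.
    $activeOwners = 0
    foreach ($o in Get-MgApplicationOwner -ApplicationId $app.Id -All) {
        if ($o.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $o.Id -Property AccountEnabled
            if ($u.AccountEnabled) { $activeOwners++ }
        }
    }

    # Certificates live in KeyCredentials, client secrets in PasswordCredentials.
    # foreach over $null iterates zero times, so apps without credentials are skipped.
    foreach ($k in $app.KeyCredentials)      { Add-Row $app 'Certificate' $k.EndDateTime $activeOwners }
    foreach ($p in $app.PasswordCredentials) { Add-Row $app 'Secret'      $p.EndDateTime $activeOwners }
}

# Report only what needs attention: expiring/expired credentials, or
# credentials on an app with nobody active left to own them.
$rows | Where-Object { $_.ExpiringSoon -or $_.ActiveOwners -eq 0 } |
    Sort-Object Expires |
    Format-Table App, CredType, Expires, ExpiringSoon, ActiveOwners -AutoSize
```

Running this on a schedule from a service account (the kind the answer recommends) rather than from an individual administrator's identity keeps the report independent of any one person's tenure, and the `ActiveOwners -eq 0` rows are the candidates for assigning a new, current owner.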

