Good news, new Azure AD delegated management roles are available in preview:

  • Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access.
  • Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access).
  • Enterprise Application Owner: This role grants the ability to manage ‘owned’ enterprise applications, including SSO settings, user and group assignments, and adding additional owners. It does not grant the ability to manage Application Proxy settings or conditional access.
  • Application Registration Owner: This role was previously available and grants the ability to manage ‘owned’ application registrations, including the application manifest and adding additional owners.
  • Application Developer: This role grants the ability to create application registrations when the ‘Users can register applications’ switch is set to No. Application Developers can also consent for themselves when the ‘users can consent to applications accessing company data on their behalf’ switch is set to No. When an Application Developer creates a new application registration, they are automatically added as the first owner.

You can delegate these administrator roles from the Azure AD portal, either through the Directory role option on the user account or through Privileged Identity Management. The owner roles are delegated from each individual application by setting its Owner.


Regarding the Application Developer role, it helps you ‘lock down’ and control who is authorized to register applications.

You first need to set the option “Users can register applications” to No (if it is not set already).

You can check or change this from the Azure AD User settings configuration blade, where the option is set to No.


Then you grant the Application Developer role the same way as the administrator roles (see above).
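The same two steps (turn the tenant-wide “Users can register applications” switch off, then delegate the Application Developer role to a named user) scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and that `$DeveloperUpn` is replaced with a real user; the role is looked up by display name so no template ID is hard-coded.

```powershell
# Added example: lock down app registration and delegate the Application Developer role.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph); the UPN below is a placeholder.
$DeveloperUpn = 'developer@contoso.example'   # placeholder, replace with the real user

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Step 1: the portal switch "Users can register applications" is the
# AllowedToCreateApps flag of the tenant authorization policy. Read it, and set it to No ($false) if needed.
$policy = Get-MgPolicyAuthorizationPolicy
if ($policy.DefaultUserRolePermissions.AllowedToCreateApps) {
    Write-Host 'Users can currently register applications; disabling it for non-admin users.'
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
} else {
    Write-Host 'Users can register applications is already set to No.'
}

# Step 2: find the Application Developer directory role. A role template only becomes an
# assignable directory role once it has been activated in the tenant, so activate it on first use.
$roleName = 'Application Developer'
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Step 3: add the developer as a member of the role, skipping the call if already assigned.
$user = Get-MgUser -UserId $DeveloperUpn
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -contains $user.Id) {
    Write-Host "$DeveloperUpn already holds the $roleName role."
} else {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    Write-Host "Granted $roleName to $DeveloperUpn."
}

# Verification: list who can now register applications through this role, for your change record.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { Get-MgUser -UserId $_.Id } |
    Select-Object DisplayName, UserPrincipalName
```

Because the switch is tenant-wide, run the policy update once and audit the role membership list periodically; every user in it can create registrations that may later be granted permissions.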