SPNRoleMgr - Manage service principal API permissions

Connect to your tenant

SPNRoleMgr runs entirely in your browser. It signs you in with Microsoft (PKCE) and queries Microsoft Graph as you. No backend, no telemetry, no data leaves your browser.

Required delegated permissions:

Application.Read.All - list service principals and the API surfaces they consume
Directory.Read.All - resolve owners and other directory metadata
User.Read - sign-in identity
AppRoleAssignment.ReadWrite.All (only when you actually save changes)
DelegatedPermissionGrant.ReadWrite.All (only when you actually save changes)

To grant tenant-wide application permissions or delegated grants for all users, your account also needs a privileged role: Privileged Role Administrator, Cloud Application Administrator, Application Administrator or Global Administrator. Without one of these, Graph will return 403 on save.

Service principals

Display name	Type	AppId	Publisher	Enabled	Action

Application permissions

These are tenant-wide app roles granted to this service principal. They allow the SPN to act without a signed-in user.

API	Permission	Description	Granted

Delegated permissions

Delegated grants tied to a signed-in user. AllPrincipals means the grant covers every user in the tenant; Principal is a single-user consent.

API	Scope(s)	Consent type	Principal

Add permission

API:

Application permissions Delegated permissions

	Permission	Type	Description

0 permission(s) selected

Debug log

Verbose

About SPNRoleMgr

SPNRoleMgr is part of the LCToolkit by Lieben Consultancy. It lets you inspect and modify the API permissions of any service principal or managed identity in your tenant. The user interface mimics the "Add a permission" experience on Entra app registrations, but works for SPNs that have no app registration in your tenant (managed identities, federated apps, multi-tenant apps).

What it can do

Browse every service principal in the tenant with quick filters for type and Microsoft first-party.
For a chosen SPN, list both application permissions (appRoleAssignments) and delegated grants (oauth2PermissionGrants) it currently has.
Revoke any single permission (per-permission delete, not per-API).
Pick any API exposed in the tenant (Microsoft Graph, SharePoint, Exchange, Azure-Storage, third-party APIs you've consented to, etc.) and grant either application or delegated permissions on it.

How it works

Listing SPNs: GET /servicePrincipals?$top=999 with ConsistencyLevel: eventual for max throughput.
Listing permissions: GET /servicePrincipals/{id}/appRoleAssignments + GET /servicePrincipals/{id}/oauth2PermissionGrants in parallel.
Resolving names: when an assignment points at a resource SPN we don't have cached, we look up GET /servicePrincipals/{resourceId} to translate the role/scope GUID into a human-readable name.
Granting: for application permissions we POST to /servicePrincipals/{spId}/appRoleAssignments with {principalId, resourceId, appRoleId}. For delegated, we look for an existing oauth2PermissionGrants entry with the same client+resource+consentType and PATCH its scope string; if none exists we POST a new one with consentType=AllPrincipals.
Revoking: DELETE on the assignment or grant id; for delegated, if removing the last scope from a grant we delete the grant entirely.

What it does NOT do

It does not change the application's own published API surface (i.e. it doesn't edit the resource SPN's appRoles or oauth2PermissionScopes). To do that, edit the underlying app registration in Entra.
It does not assign Entra directory roles (Global Admin, Reader, etc.). Use Entra for that.
It does not configure Conditional Access, app authentication policies, or password/certificate credentials.

Required permissions

Read-only browsing only needs Application.Read.All + Directory.Read.All. The first time you save a change SPNRoleMgr asks for AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All. Granting tenant-wide also requires you to hold a privileged Entra role (Privileged Role Admin, Cloud App Admin, Application Admin or Global Admin); without one, Graph returns 403 on the save.