
Delegate Credential Management to Developers

This guide explains how to safely delegate certificate and secret management to software developers and operators without granting full Entra ID ownership permissions.

Why delegate credential management?

Without delegation:

  • IT teams become a bottleneck for credential renewals
  • Developers wait days or weeks for IT to rotate credentials
  • IT must have intimate knowledge of every application
  • Credentials may expire during off-hours if IT is unavailable

With delegation:

  • Developers manage their own credentials immediately
  • IT maintains oversight and governance
  • Clear audit trails of who changed what
  • Reduced support burden on IT teams

Prerequisites

  • Plan - The features used in this guide are available in both Basic and Professional
  • Admin access - To configure technical owners and permissions
  • Developers/operators - Users who will receive technical owner role
  • Applications identified - Know which apps should have delegated management

Step 1: Identify applications for delegation

Start with applications that will benefit most from delegation:

Good candidates:

  • Developer-owned applications
  • APIs with frequent credential rotation
  • CI/CD service principals
  • Testing and development environments
  • Applications managed by internal teams

Not recommended:

  • Critical production applications (high sensitivity)
  • Third-party integrations (license dependencies)
  • Identity providers (security critical)
  • Applications with compliance requirements

Step 2: Assign technical owners

Add the developers as technical owners on the applications.

Via Manage section:

  1. Go to Admin > Manage
  2. Click on an application
  3. Click the Owners tab
  4. Click Add owner
  5. Select Technical owner
  6. Search for the developer by name or email
  7. Click Add

Via bulk import:

  1. Prepare a CSV with application names/IDs and technical owners
  2. Go to Admin > Manage
  3. Click Import
  4. Upload your file following the import template
  5. Review and confirm the import

Via the App:

  1. Open the EasyLife 365 Identity App
  2. Navigate to the application
  3. Click Owners
  4. Add Technical owner
  5. Select the developer
  6. Click Save

Step 3: Grant credential management permissions

Once assigned as technical owner, grant permissions to manage credentials.

  1. Go to the application details
  2. Click Settings
  3. For the technical owner, enable:
    • Manage certificates and secrets
  4. Click Save

Permission model

These are EasyLife 365 Identity permissions, not Entra ID permissions. Technical owners don't get Entra ID ownership even though they can manage credentials.

Step 4: Set up monitoring

Configure policies to notify technical owners about expiring credentials.

  1. Go to Admin > Policies
  2. Create or modify a policy for developer applications:
    • Minimum technical owner: 1
    • Expiration threshold: 30 days (standard)
    • Notifications: Weekly scan, notify to technical owner
  3. Assign this policy to your developer applications

Now developers will receive notifications about expiring credentials and can renew them without IT involvement.
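To make the Step 4 policy concrete, here is an added illustrative model, not EasyLife 365 Identity's own code or data model, of what a weekly scan with "minimum technical owner: 1" and a 30-day expiration threshold decides: which applications are non-compliant, why, and who is notified. The applications, owners, credentials and dates are constructed; the fallback to application owners when no technical owner remains follows the behaviour the guide describes for team transitions (the application owner is notified when an app becomes non-compliant).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Credential:
    name: str
    kind: str      # "certificate" or "secret"
    expires: date


@dataclass
class Application:
    name: str
    technical_owners: list[str] = field(default_factory=list)
    application_owners: list[str] = field(default_factory=list)
    credentials: list[Credential] = field(default_factory=list)


@dataclass
class Policy:
    min_technical_owners: int = 1        # "Minimum technical owner: 1"
    expiration_threshold_days: int = 30  # "Expiration threshold: 30 days"


def evaluate(app: Application, policy: Policy, today: date):
    """Return (compliant, findings, recipients) for one application.

    Notifications go to the technical owners; when an app has none (for
    example after a developer left), they fall back to the application
    owners, matching the "application owner is notified" behaviour the
    guide describes for non-compliant apps.
    """
    findings = []
    if len(app.technical_owners) < policy.min_technical_owners:
        findings.append(
            f"{len(app.technical_owners)} technical owner(s); "
            f"policy requires at least {policy.min_technical_owners}"
        )
    horizon = today + timedelta(days=policy.expiration_threshold_days)
    for cred in app.credentials:
        if cred.expires < today:
            findings.append(f"{cred.kind} '{cred.name}' expired on {cred.expires}")
        elif cred.expires <= horizon:
            findings.append(
                f"{cred.kind} '{cred.name}' expires in {(cred.expires - today).days} days"
            )
    recipients = app.technical_owners or app.application_owners
    return (not findings, findings, recipients)


def weekly_scan(apps, policy: Policy, today: date):
    """One notification per non-compliant app, as the weekly scan would send."""
    notifications = []
    for app in apps:
        compliant, findings, recipients = evaluate(app, policy, today)
        if not compliant:
            notifications.append({"app": app.name, "to": recipients, "findings": findings})
    return notifications


# Constructed sample inventory (fictional apps, addresses and dates)
TODAY = date(2024, 6, 1)
SAMPLE_APPS = [
    Application("Orders API", ["dev.alice@example.com"], ["it.bob@example.com"],
                [Credential("orders-tls", "certificate", date(2024, 6, 21))]),
    Application("Build Pipeline", [], ["it.bob@example.com"],
                [Credential("ci-client-secret", "secret", date(2024, 8, 30))]),
    Application("Reporting Service", ["dev.carol@example.com"], ["it.bob@example.com"],
                [Credential("reports-tls", "certificate", date(2024, 12, 18))]),
    Application("Legacy Connector", ["dev.dave@example.com"], ["it.bob@example.com"],
                [Credential("legacy-secret", "secret", date(2024, 5, 15))]),
]

if __name__ == "__main__":
    for note in weekly_scan(SAMPLE_APPS, Policy(), TODAY):
        print(note["app"], "->", ", ".join(note["to"]))
        for finding in note["findings"]:
            print("   ", finding)
```

Run as a script it lists the three applications that need attention: one certificate inside the 30-day window (notified to its technical owner), one application with no technical owner left (escalated to the application owner), and one already-expired secret. Lowering the threshold moves the first case back to compliant, which is the knob to tune if developers get paged too early.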

Step 5: Verify credential management works

Test that developers can successfully manage credentials:

  1. Ask a developer to rotate a test certificate or secret
  2. Verify they can:
    • See the application in the User app
    • Access the Certificates or Secrets section
    • Add or rotate credentials
    • Confirm the change
  3. Verify IT can still see audit logs of the change

Testing

  • Use a non-critical application for testing
  • Have IT verify the change was successful
  • Confirm the developer received notifications

Troubleshooting

Developer can't see the app in the User app

Causes:

  • Not assigned as technical owner yet
  • User app access permissions missing
  • App registration vs. enterprise application mismatch

Solution:

  1. Verify they're listed as technical owner in Admin > Manage
  2. Check they can access the User app
  3. May need to wait for provisioning to sync (up to 1 hour)

Developer can't rotate certificate

Causes:

  • Permission not granted
  • Certificate format issue
  • Key vault access problem

Solution:

  1. Verify the "Manage certificates and secrets" permission is enabled
  2. Check error message for specifics
  3. Contact support if certificate format issue

Audit log shows unauthorized changes

Causes:

  • Developer account compromised
  • Malicious insider threat
  • Testing by IT team

Solution:

  1. Immediately revoke technical owner role
  2. Investigate the change
  3. Reset developer's password
  4. Audit other changes by this user
  5. Restore previous credential if needed

Common scenarios

Scenario 1: Rotating a certificate

Developer workflow:

  1. Open User app
  2. Find application in "My Applications"
  3. Go to "Certificates" tab
  4. Click "Add new certificate"
  5. Upload new certificate or use Key Vault
  6. Mark old certificate for removal (or keep for period)
  7. Application uses new certificate immediately

Scenario 2: Team transitions

When developer leaves:

  1. Immediately remove as technical owner in Admin > Manage
  2. Applications become non-compliant (if policy requires technical owner)
  3. Application owner is notified
  4. Remaining team members add new technical owner

Scenario 3: Audit compliance

IT auditor needs to verify:

  1. Go to Admin > Manage
  2. Click application > "Activity" or "Audit log"
  3. Filter by technical owner
  4. Export changes for compliance report
  5. Document in compliance package
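As an added example that is not the product's own code, the following models the audit review from Scenario 3 and the "audit log shows unauthorized changes" troubleshooting case over a constructed audit trail: filtering credential changes by a technical owner, exporting them for the compliance package, and flagging credential changes made by an account that is neither a technical owner of that application nor an IT admin. The event fields, action names, actors and the owner registry are assumptions, not EasyLife 365 Identity's schema.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    actor: str
    app: str
    action: str


# Actions that change credentials; everything else is treated as read-only activity
CREDENTIAL_ACTIONS = {"AddCertificate", "RemoveCertificate", "AddSecret", "RemoveSecret"}

# Constructed registry: technical owners per app, plus IT admins who keep full access
TECHNICAL_OWNERS = {
    "Orders API": {"dev.alice@example.com"},
    "Build Pipeline": {"dev.carol@example.com"},
}
ADMINS = {"it.bob@example.com"}

# Constructed audit trail (fictional actors, apps and times)
SAMPLE_EVENTS = [
    AuditEvent(datetime(2024, 6, 3, 9, 12), "dev.alice@example.com", "Orders API", "AddCertificate"),
    AuditEvent(datetime(2024, 6, 3, 9, 15), "dev.alice@example.com", "Orders API", "RemoveCertificate"),
    AuditEvent(datetime(2024, 6, 4, 14, 2), "it.bob@example.com", "Build Pipeline", "AddSecret"),
    AuditEvent(datetime(2024, 6, 5, 22, 47), "dev.eve@example.com", "Orders API", "AddSecret"),
    AuditEvent(datetime(2024, 6, 6, 8, 30), "dev.alice@example.com", "Orders API", "ViewSettings"),
]


def changes_by_owner(events, owner):
    """Scenario 3, step 3: credential changes made by one technical owner."""
    return [e for e in events if e.actor == owner and e.action in CREDENTIAL_ACTIONS]


def unauthorized_changes(events, owners=TECHNICAL_OWNERS, admins=ADMINS):
    """Credential changes whose actor is neither a technical owner of that app nor an admin.

    These are the entries to investigate first when the audit log shows
    changes nobody on the team recognises.
    """
    flagged = []
    for e in events:
        if e.action not in CREDENTIAL_ACTIONS:
            continue
        allowed = owners.get(e.app, set()) | admins
        if e.actor not in allowed:
            flagged.append(e)
    return flagged


def export_csv(events):
    """Scenario 3, step 4: export rows for the compliance package."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "actor", "app", "action"])
    for e in events:
        writer.writerow([e.timestamp.isoformat(), e.actor, e.app, e.action])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(changes_by_owner(SAMPLE_EVENTS, "dev.alice@example.com")))
    for e in unauthorized_changes(SAMPLE_EVENTS):
        print("REVIEW:", e.timestamp, e.actor, "changed", e.app, "via", e.action)
```

The owner registry is the point: the check only works if the list of technical owners the review compares against is the one in Admin > Manage at the time of the change, so keep removals (Scenario 2) in the same audit trail or the review will flag a former owner's legitimate rotations as unauthorized.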

Related

  • Ownership - Learn about technical owners
  • Tasks - How tasks relate to credential management
  • Notifications - How developers are alerted