Application Administrators

Application administrators are users who have full management rights for an application in AZExecute. This multi-owner model allows you to distribute application management responsibilities across your team while maintaining proper access control and audit trails.

Administrator vs. Viewer Access

AZExecute implements a two-tier access model for applications:

Administrator Access

Users listed as application administrators have full management rights:

Configure secret rotation settings and integrations

Manage certificate lifecycle and Key Vault integration

Manually trigger secret or certificate rotation

Add or remove other administrators

Review and approve incoming permission requests

Create permission requests to other applications

Change application state (Active, Disabled, Deleted)

View application logs and execution history

Viewer Access (Read-Only)

Users who are not administrators can still view applications if "Show All Applications" is enabled by tenant administrators:

View application configuration (secrets tab, certificates tab)

View permissions, scopes, and app roles

See who the administrators are

Cannot make any configuration changes

Cannot trigger rotations or access sensitive data

Can request to become an administrator

Visibility Note: If "Show All Applications" is disabled, users can only see applications where they are listed as administrators. Tenant administrators can always see all applications.

Adding Administrators

There are two ways to add administrators to applications:

Method 1: From Application Details

1. Navigate to your application's details page

2. Go to the General tab

3. Scroll to the Application Administrators section

4. Click Add Administrator

5. Search for and select the user to add

6. Click Add to confirm

Method 2: Bulk Add from Applications List

Add the same administrator to multiple applications at once:

1. Navigate to the Applications list page

2. Select multiple applications using the checkboxes

3. Click Add app admin button (appears when applications are selected)

4. Search for and select the user

5. User is added as administrator to all selected applications

Efficiency Tip: Use bulk add when onboarding new team members or reorganizing application ownership across multiple apps.

Removing Administrators

To remove an administrator from an application:

1. Navigate to the application's General tab

2. Find the administrator in the Application Administrators section

3. Click the Remove button next to their name

4. Confirm the removal

5. User immediately loses administrator access

Important: An application must have at least one administrator. You cannot remove the last administrator. Add another administrator first before removing the current one.

Self-Service Limitation: You can remove yourself as an administrator, but only if there's at least one other administrator. This prevents accidentally orphaning applications.

Requesting Administrator Access

Users who have viewer access can request to become administrators through a formal approval workflow:

Creating an Access Request

1. Navigate to the application you want to manage

2. You'll see a read-only warning banner at the top

3. Click Request Access button in the applications list

4. Provide justification for why you need administrator access

5. Submit the request

Approval Process

1

Request Submitted

Your request is sent to all current application administrators

2

Email Notification

Administrators receive email with your justification and link to review

3

Administrator Review

Any administrator can approve or deny your request

4

Approval/Denial

You receive email notification of the decision with any comments

5

Access Granted (if approved)

You're automatically added as administrator with immediate access

Request Status

While your request is pending, the application shows:

• A "Pending" badge instead of the "Request Access" button

• You cannot submit duplicate requests while one is pending

• You still have read-only access during the review period

Tip: Provide detailed justification explaining your role, responsibilities, and specific tasks you need to perform. This helps administrators make informed approval decisions.

Managing Access Requests (For Administrators)

As an application administrator, you can review and process administrator access requests:

Viewing Pending Requests

Pending access requests are shown in multiple places:

Email notifications when requests are submitted

Warning banner on application General tab if pending requests exist

Administrator section shows count of pending requests

Approving Requests

1. Navigate to the application's General tab

2. Review the pending request details (user, justification, date)

3. Click Approve on the request

4. Optionally add a comment for the requester

5. User is immediately added as administrator

Denying Requests

1. Click Deny on the request

2. Provide a reason for denial (shown to requester)

3. Consider providing guidance or alternative solutions

4. Requester receives email with your decision and comments

Automatic Assignment During Import

When you import an application into AZExecute, you're automatically added as the first administrator:

Direct Import: You become the sole administrator immediately

Request-Based Import: You become administrator when the request is approved

Best Practice: Add other team members as administrators shortly after import to ensure continuity if you leave the organization or change roles.

Best Practices

Maintain at least two administrators per application

Ensures continuity if one administrator is unavailable or leaves the organization

Add administrators from the same team

Administrators should understand the application's purpose and requirements

Review access requests promptly

Respond within 24-48 hours to avoid blocking team members' work

Periodically review administrator list

Remove administrators who have left the team or changed responsibilities

Use bulk add for new team members

When onboarding, add the person to all relevant applications at once

Provide helpful denial reasons

When denying access requests, explain why and suggest alternatives if appropriate

Consider view-only access when appropriate

Not everyone needs administrator rights - viewer access may be sufficient for some users

Tenant Administrator Capabilities

Users with the Tenant Administrator role have special capabilities:

View all applications regardless of administrator list or "Show All Applications" setting

Full management rights to all applications without being listed as administrator

Add/remove administrators from any application

Recover orphaned applications by adding administrators if all were removed

Configure "Show All Applications" setting that controls viewer access

Note: Tenant Administrator is a powerful role. Assign it only to users who need organization-wide application management capabilities.

If you encounter any issues or need further assistance, please contact us at

info@azexecute.com

. Our support team is here to help you.