Grant admin consent for AD application (it's application permissions, not delegated)

vasudeva reddy 41 Reputation points
2021-03-01T10:58:44.3+00:00

Hi Team,

We are automating the granting of admin consent for an Azure AD application.

Whenever a user creates an application and adds Graph permissions (it's application permissions, not delegated), we are going to automate granting admin permissions (FYI, we are approving only a few permissions, not all; there is a check in our script, and only if the permission matches will it grant admin consent).

Currently, based on research, a global admin is required to approve the grant since it's application permissions. What we need to know is: is there any possibility to create a custom directory role to approve the same? We want to avoid using global admin for this.

Please suggest if anyone has an idea of what permissions are required for a custom role to approve the admin grant for application permissions.


1 answer

  1. Vasil Michev 95,666 Reputation points MVP
    2021-03-01T13:30:25.04+00:00

    Some permissions can be consented only by Global admin or Privileged auth admin, there's no avoiding that: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
    For others, you can configure custom consent policies or use "lower" roles: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-app-consent-policies
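
The allowlist check the question describes, sketched as an added example that is not part of the original thread or anyone's production script: it evaluates an application's `requiredResourceAccess` entries and rejects everything not explicitly approved. The function name, `ALLOWLIST`, the sample request and the placeholder role IDs are assumptions made for illustration.

```python
# Added example: fail-closed allowlist gate for application-permission consent.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000046"  # Microsoft Graph appId

# Constructed placeholder app-role IDs (assumption): replace with the real
# role IDs your organisation has agreed may be consented automatically.
ALLOWLIST = {
    GRAPH_APP_ID: {
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    },
}


def evaluate_consent_request(required_resource_access, allowlist=ALLOWLIST):
    """Return (approved, rejected); anything not allowlisted is rejected."""
    approved, rejected = [], []
    for resource in required_resource_access or []:
        res_id = str(resource.get("resourceAppId", "")).lower()
        allowed_roles = allowlist.get(res_id)
        for access in resource.get("resourceAccess") or []:
            role_id = str(access.get("id", "")).lower()
            if access.get("type") != "Role":  # "Scope" = delegated permission
                rejected.append((res_id, role_id, "not an application permission"))
            elif allowed_roles is None:
                rejected.append((res_id, role_id, "resource not allowlisted"))
            elif role_id not in allowed_roles:
                rejected.append((res_id, role_id, "role not allowlisted"))
            else:
                approved.append((res_id, role_id))
    return approved, rejected


# Constructed sample input, shaped like an application's requiredResourceAccess.
SAMPLE_REQUEST = [
    {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
        {"id": "99999999-9999-9999-9999-999999999999", "type": "Role"},
        {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"},
    ]},
    {"resourceAppId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "resourceAccess": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
    ]},
]

if __name__ == "__main__":
    ok, denied = evaluate_consent_request(SAMPLE_REQUEST)
    print("grant:", ok)
    print("refuse and log:", denied)
```

Only the `approved` pairs would be passed on to the consent step; the `rejected` entries, with their reasons, are what to log and route to a human approver.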