question

JohnSuehr-6985 asked:

Authentication Issue using Graph API's and read only scopes

Customers want to authorize an app with Application Administrator or Global Reader permissions; however, they can only authenticate with Global Admin.
Can someone confirm that, using Graph APIs, you must have Global Admin credentials to authenticate an application?
Also, can we authenticate with Global Admin (which we need to do as part of the app registration) and then dial it down to Global Reader?
It looks like once the Global Admin authenticates, Global Readers and Application Administrators can then authenticate, but the first authentication must be done by the Global Admin.
Here is what is in the documentation:

Application Administrator

Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

Application Administrators can manage application credentials that allow them to impersonate the application. So, users assigned to this role can manage application credentials of only those applications that are either not assigned to any Azure AD roles or those assigned to the following admin roles only:

Application Administrator
Application Developer
Cloud Application Administrator
Directory Readers

If an application is assigned to any other role not mentioned above, then the Application Administrator cannot manage credentials of that application.

This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph API.


Important

This exception means that you can still consent to permissions for other apps (e.g. third party apps or apps that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of the app registration, but granting (i.e. consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a global admin.

Tags: azure-active-directory

1 Answer

michev answered:

It depends on the type of permissions requested by the app. If admin consent is required for any of those, a GA will typically be required.

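The answer hinges on which of the app's requested permissions need admin consent, and the documentation quoted in the question says an Application Administrator cannot grant permissions on Microsoft Graph. The following Python script is an added example (not code from the thread or from Microsoft) that makes that check concrete offline: it takes an app registration's `requiredResourceAccess` and the resource service principals' published `oauth2PermissionScopes` / `appRoles` (the same shapes Graph returns for an app manifest and for `GET /servicePrincipals`), flags each permission as user-consentable or admin-consent-only, and reports which role the thread says can grant it. The sample manifest and service principal data are constructed; the permission GUIDs are placeholders, not the real Graph permission IDs. Only the Graph resource appId `00000003-0000-0000-c000-000000000000` is the well-known value. `who_can_consent` encodes the thread's simplified rule (Global Admin for admin-consent Graph permissions, Application Administrator for other resources) and is a hypothetical helper, not an Azure API.

```python
"""Classify an app registration's requested permissions by consent requirement.

Constructed example: the dictionaries below mirror the shape of an app
manifest's requiredResourceAccess and of servicePrincipal.oauth2PermissionScopes
/ appRoles as Microsoft Graph returns them, but every GUID except the Graph
resource appId is a placeholder.
"""

# Well-known appId of the Microsoft Graph resource service principal.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed resource service principals, keyed by appId (placeholder GUIDs).
RESOURCE_SPS = {
    GRAPH_APP_ID: {
        "displayName": "Microsoft Graph",
        # Delegated permissions: "type" is "User" (user-consentable) or "Admin".
        "oauth2PermissionScopes": [
            {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read", "type": "User"},
            {"id": "11111111-0000-0000-0000-000000000002", "value": "Directory.Read.All", "type": "Admin"},
        ],
        # Application permissions (appRoles) always require admin consent.
        "appRoles": [
            {"id": "22222222-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
        ],
    },
    "33333333-0000-0000-0000-000000000001": {  # constructed third-party API
        "displayName": "Contoso Ticketing API",
        "oauth2PermissionScopes": [
            {"id": "33333333-0000-0000-0000-000000000002", "value": "Tickets.Read", "type": "User"},
        ],
        "appRoles": [],
    },
}

# Constructed app manifest fragment: requests both Graph and the third-party API.
APP_MANIFEST = {
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
                {"id": "11111111-0000-0000-0000-000000000002", "type": "Scope"},
                {"id": "22222222-0000-0000-0000-000000000001", "type": "Role"},
            ],
        },
        {
            "resourceAppId": "33333333-0000-0000-0000-000000000001",
            "resourceAccess": [
                {"id": "33333333-0000-0000-0000-000000000002", "type": "Scope"},
            ],
        },
    ]
}

# Constructed read-only manifest that requests only a user-consentable scope.
READONLY_MANIFEST = {
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"}],
        }
    ]
}


def classify_permissions(manifest, resource_sps=RESOURCE_SPS):
    """Resolve each requested permission id against the resource's published
    scopes/roles and record whether it is admin-consent-only."""
    results = []
    for rra in manifest["requiredResourceAccess"]:
        sp = resource_sps.get(rra["resourceAppId"])
        if sp is None:
            raise KeyError(f"no service principal for resource {rra['resourceAppId']}")
        scopes = {s["id"]: s for s in sp["oauth2PermissionScopes"]}
        roles = {r["id"]: r for r in sp["appRoles"]}
        for access in rra["resourceAccess"]:
            entry = {"resource_app_id": rra["resourceAppId"], "resource": sp["displayName"]}
            if access["type"] == "Scope":  # delegated permission
                scope = scopes[access["id"]]
                entry.update(permission=scope["value"], kind="delegated",
                             admin_consent=(scope["type"] == "Admin"))
            elif access["type"] == "Role":  # application permission
                role = roles[access["id"]]
                entry.update(permission=role["value"], kind="application", admin_consent=True)
            else:
                raise ValueError(f"unknown resourceAccess type {access['type']!r}")
            results.append(entry)
    return results


def who_can_consent(entry):
    """Hypothetical helper encoding the thread's rule, not an Azure API:
    user-consentable scopes need no admin (assuming tenant policy allows user
    consent); admin-consent Graph permissions need a Global Administrator, since
    the Application Administrator role is excepted from consenting to Graph;
    admin-consent permissions on other resources can be granted by an
    Application Administrator."""
    if not entry["admin_consent"]:
        return "end user"
    if entry["resource_app_id"] == GRAPH_APP_ID:
        return "Global Administrator"
    return "Application Administrator"


def requires_global_admin(manifest, resource_sps=RESOURCE_SPS):
    """True if any requested permission can only be granted by a Global Admin."""
    return any(who_can_consent(e) == "Global Administrator"
               for e in classify_permissions(manifest, resource_sps))


if __name__ == "__main__":
    for e in classify_permissions(APP_MANIFEST):
        print(f"{e['resource']:22} {e['kind']:12} {e['permission']:20} -> {who_can_consent(e)}")
    print("needs Global Admin:", requires_global_admin(APP_MANIFEST))
```

Run against a real tenant by replacing the constructed dictionaries with the app's manifest JSON and the output of `GET /servicePrincipals?$filter=appId eq '<resourceAppId>'`; the classification logic is unchanged. A manifest that requests only user-consentable Graph scopes such as `User.Read` does not trip the Global Admin check, which is the practical answer to the question: the role needed is determined by the permissions the app asks for, not by Graph itself.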