MorganHarris-7632 asked ·

Grant admin consent to a single user

There are two things about Azure AD apps that seem to run counter to each other.

  1. The most privileged permissions require admin consent

  2. Admin consent grants a permission implicitly to every user in the organisation

That seems a bit backwards to me. I'm required, as an admin, to say "yes, this is okay" not for just one user, but for everyone? Indeed, for everyone without asking them? If I wanted to grant, say, Directory.ReadWrite.All for a few select users – I can't do that, I have to give that permission to everyone. That seems crazy. Is there really no way to grant admin-consent-requiring permissions to individual users, rather than to everyone?

Tags: azure-active-directory, azure-ad-authentication

I think you could give consent through PowerShell with the AzureAD module. You'll need to connect with your admin account and create the OAuth2PermissionGrants for each user manually.


Using PowerShell you can only Get and Remove OAuth2PermissionGrants but not set or add.

amanpreetsingh-msft answered ·

@MorganHarris-7632 For this purpose there are Directory Roles. To see all available roles, run the cmdlets below:

  1. Connect-msolservice

  2. Get-MsolRole

You can run the cmdlet below to assign the Directory Writers role to a specific user (replace the placeholder with that user's object ID):

    Add-MsolRoleMember -RoleName "Directory Writers" -RoleMemberObjectId <user-object-id>

You can assign Roles from Azure Portal > Azure AD > Roles and Administrators as well. But all roles are not exposed in portal. If you cannot find the desired role in portal, use the above cmdlets.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
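As an added example (not code from the answer above), here is the same role assignment done with the MSOnline cmdlets as a small idempotent script: it resolves the user and role by name instead of a pasted object ID, skips the add if the user already holds the role, and lists the resulting membership for review. It assumes the MSOnline module is installed and that the UPN and role name passed in are your own (the values shown are placeholders).

```powershell
# Added example, not part of the original answer: grant a directory role to ONE user
# with the MSOnline cmdlets, checking membership before and after the change.
# Assumes the MSOnline module is installed; $UserPrincipalName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. alice@contoso.example (placeholder)
    [string] $RoleName = "Directory Writers"               # role named in the answer above
)

# Interactive sign-in with an account permitted to manage role assignments.
Connect-MsolService

# Resolve the user and the role up front; fail early rather than assign by a guessed ID.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
$role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop

# Check current membership so re-running the script neither errors nor double-assigns.
$alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId }

if ($alreadyMember) {
    Write-Output "$UserPrincipalName already holds '$RoleName'; nothing to do."
} else {
    # A directory role applies to the whole directory by default: it limits WHO can
    # write, not WHICH objects they can write, so keep the member list as short as possible.
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberObjectId $user.ObjectId
    Write-Output "Added $UserPrincipalName to '$RoleName'."
}

# Verify the change and show the full membership so it can be reviewed (and later revoked
# with Remove-MsolRoleMember).
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType
```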

michev answered ·

I might be missing the point here, but isn't that why we have the Delegate permissions model? Here's a simple example - me granting user-level permissions for the Graph explorer:

[screenshot: graphexplorer1.png]
The permissions will then be reflected on the corresponding app, just for the user in question. If any other user needs such permissions, another consent is needed. And yes, you will have to use an admin account to consent for each of the users individually, but it's doable. You usually address this via the prompt=admin_consent query parameter: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#admin-consent
