question

HaywardDarrell-5451 avatar image
0 Votes"
HaywardDarrell-5451 asked ·

Azure Automation account admin consent for API issue

We have multiple Azure subscriptions.

An admin of one of these has subscriptions created an automation account, with run as privileges.

That run as account in Azure AD has API permissions to Azure Active Directory Graph (as picture) - this requires Admin consent to run.

My question is: If I grant permission on an AD level, does that grant permission for that account on all subscriptions using Azure Active Directory Graph, or only that subscription that the automation account is in?

I'm more concerned about the Application.ReadWrite.All permission

74874-2021-03-05-17-12-02-window.png

Hope that made sense.



azure-ad-graphazure-api-managementazure-automationazure-ad-app-consent
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

michev avatar image
1 Vote"
michev answered ·

Only on the currently selected Azure AD instance. I would be wary granting such permissions though, at minimum try to understand why they are needed.

· 2 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@HaywardDarrell-5451
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

Thanks for the answer Michev. I agree on the 'be wary' and I'm waiting on them for an answer anyway.

When you say 'the selected Azure AD instance' then that means everything, as we only have only one AD in Azure, for all our subscriptions.

0 Votes 0 ·