We have multiple Azure subscriptions.
An admin of one of these has subscriptions created an automation account, with run as privileges.
That run as account in Azure AD has API permissions to Azure Active Directory Graph (as picture) - this requires Admin consent to run.
My question is: If I grant permission on an AD level, does that grant permission for that account on all subscriptions using Azure Active Directory Graph, or only that subscription that the automation account is in?
I'm more concerned about the Application.ReadWrite.All permission
Hope that made sense.