Grant admin consent to a single user

Morgan Harris 6 Reputation points
2019-12-11T05:28:28.747+00:00

There are two things about Azure AD apps that seem to run counter to each other.

  1. The most privileged permissions require admin consent
  2. Admin consent grants a permission implicitly to every user in the organisation

That seems a bit backwards to me. I'm required, as an admin, to say "yes, this is okay" not for just one user, but for everyone? Indeed, for everyone without asking them? If I wanted to grant, say, Directory.ReadWrite.All for a few select users – I can't do that, I have to give that permission to everyone. That seems crazy. Is there really no way to grant admin-consent-requiring permissions to individual users, rather than to everyone?


2 answers

  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2019-12-11T07:43:40.723+00:00

    @Morgan Harris For this purpose there are Directory Roles. To see all available roles, run the cmdlets below:

    1. Connect-msolservice
    2. Get-MsolRole

    You can run the cmdlet below to assign the Directory Writers role to a specific user.

    Add-MsolRoleMember -RoleName "Directory Writers" -RoleMemberObjectId

    You can assign Roles from Azure Portal > Azure AD > Roles and Administrators as well. But not all roles are exposed in the portal. If you cannot find the desired role in the portal, use the above cmdlets.

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


  2. Vasil Michev 92,596 Reputation points MVP
    2019-12-11T08:32:06.11+00:00

    I might be missing the point here, but isn't that why we have the Delegate permissions model? Here's a simple example - me granting user-level permissions for the Graph explorer:

    [screenshot: granting user-level permissions for Graph Explorer]

    The permissions will then be reflected on the corresponding app, just for the user in question. If any other user needs such permissions, another consent is needed. And yes, you will have to use an admin account to consent to each of the users individually, but it's doable. You usually address this via the prompt=admin_consent query parameter: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#admin-consent

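The per-user consent described in the second answer is stored in the tenant as an OAuth2 permission grant whose consentType is "Principal", whereas tenant-wide admin consent creates an "AllPrincipals" grant. The following is an added example, not code from the thread, showing how to create such a single-user grant and then audit which grants on the app are tenant-wide; it assumes the Microsoft.Graph PowerShell SDK, and the app id and user principal name are placeholders.

```powershell
# Added example: grant a delegated permission to ONE user and audit the app's grants.
# Assumes the Microsoft.Graph PowerShell SDK is installed; placeholders marked below.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All","Application.Read.All","User.Read.All"

$appId = "<your-app-id>"            # placeholder: the app registration's Application (client) ID
$upn   = "alice@contoso.example"    # placeholder: the single user who should receive the permission
$scope = "Directory.ReadWrite.All"  # the delegated scope named in the question

# Resolve the app's service principal, the Microsoft Graph resource, and the user.
$client   = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$resource = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$user     = Get-MgUser -UserId $upn

# ConsentType "Principal" limits the grant to this one user. A delegated scope only ever lets the
# app act within what the signed-in user can already do; it does not elevate the user.
# Note: New-MgOauth2PermissionGrant fails if a grant for this client/resource/user already exists;
# in that case update the existing grant's Scope instead.
New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType "Principal" `
    -PrincipalId $user.Id -ResourceId $resource.Id -Scope $scope

# Audit: list every grant on this app and make tenant-wide ("AllPrincipals") grants stand out.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" | ForEach-Object {
    $grantedTo = if ($_.ConsentType -eq "AllPrincipals") {
        "ALL USERS (tenant-wide admin consent)"
    } else {
        (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName
    }
    [pscustomobject]@{ ConsentType = $_.ConsentType; GrantedTo = $grantedTo; Scope = $_.Scope }
} | Format-Table -AutoSize
```

Running only the audit section periodically is a cheap way to confirm that a permission meant for a few select users has not quietly become an AllPrincipals grant.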