Custom Azure AD Role to grant the admin consent for the tenant in API permission in App Registration

surindersingh dhaliwal 86 Reputation points
2023-03-22T11:14:18.5633333+00:00

Hello,

Currently we have built-in Azure AD roles which can be used to grant the admin consent in API permissions in App Registrations (Global Administrator/Privileged Role Administrator).

Both roles have the highest privileges, so we need to create a custom role which can do only the function below:

Grant the admin consent for tenant in API permission in App Registrations

Any help would be appreciated

Thanks in advance


1 answer

  1. Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
    2023-03-22T11:18:19.1+00:00

    This depends on the type of permissions you need to consent to; generally speaking, only delegated permissions can be handled by less privileged roles. Refer to the table below from the official documentation: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task#enterprise-applications

    | Task | Least privileged role | Additional roles |
    |---|---|---|
    | Consent to any delegated permissions | Cloud Application Administrator | Application Administrator |
    | Consent to application permissions not including Microsoft Graph | Cloud Application Administrator | Application Administrator |
    | Consent to application permissions to Microsoft Graph | Privileged Role Administrator | |
    | Consent to applications accessing own data | Default user role | |
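An added example (not part of the answer above or of Microsoft's documentation): a Python helper that reads the `requiredResourceAccess` block of an app registration manifest and, following the documentation table, reports the least privileged role able to admin-consent every permission the app requests. The Microsoft Graph resource id is the well-known one; the permission ids in the constructed sample manifest are placeholders, and the manifest's `"Scope"`/`"Role"` type values are taken to mean delegated and application permissions respectively.

```python
# Added example: pick the least privileged consent role for an app registration,
# so that Global Administrator is not used where a lesser role suffices.
import json

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph resource id

# Ordered least to most privileged; the role needed for a whole app is the
# highest one needed by any single permission it requests.
ROLE_ORDER = [
    "Cloud Application Administrator",
    "Privileged Role Administrator",
]


def role_for_permission(resource_app_id: str, perm_type: str) -> str:
    """Map one resourceAccess entry to the least privileged admin-consent role.

    perm_type is "Scope" (delegated) or "Role" (application permission),
    as written in the app manifest.
    """
    if perm_type == "Scope":
        return "Cloud Application Administrator"   # any delegated permission
    if perm_type == "Role":
        if resource_app_id == MS_GRAPH_APP_ID:
            return "Privileged Role Administrator"  # application permission to Graph
        return "Cloud Application Administrator"   # application permission, non-Graph
    raise ValueError(f"unknown permission type: {perm_type!r}")


def least_privileged_consent_role(manifest: dict):
    """Return the least privileged role that can consent to everything the app
    requests, or None when the manifest requests no permissions at all."""
    needed = None
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            role = role_for_permission(resource["resourceAppId"], access["type"])
            if needed is None or ROLE_ORDER.index(role) > ROLE_ORDER.index(needed):
                needed = role
    return needed


# Constructed sample manifest (not a real app): one delegated Graph scope and one
# application permission to Graph; the "id" values are placeholders.
SAMPLE_MANIFEST = json.loads("""
{ "requiredResourceAccess": [
    { "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        { "id": "placeholder-scope-id", "type": "Scope" },
        { "id": "placeholder-role-id",  "type": "Role" } ] } ] }
""")

if __name__ == "__main__":
    print(least_privileged_consent_role(SAMPLE_MANIFEST))  # Privileged Role Administrator
```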
