Custom Role To Allow Granting Admin Consent to Any App Registration

Jamie Brandwood 131

how can you have users with the Application Administrator role, but also allow them to Grant Admin Consent to any Application Permissions?

My initial plan was to simply create a Custom Role with 'microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin' and assign along side the Application Administrator role. But this isn't enough ... 'Grant Admin Consent for ***' is still greyed out.

Appreciate the Privileged Role Administrator role could be granted to allow this, But ideally we would like details of the Role Permissions that would be sufficient to grant just the Admin Consent capability.

If anyone has this level of detail it would be greatly appreciated. Many thanks.

JamesTran-MSFT 36,476 Reputation points Microsoft Employee

2024-02-08T23:29:40.01+00:00

@Jamie Brandwood
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Marilee Turscak-MSFT 34,631 Reputation points Microsoft Employee

2024-02-03T00:20:10.2633333+00:00
@Jamie Brandwood

The custom directory role needs to include the permission to grant permissions to applications, as noted in the prerequisites. There appears to be a current issue with the Graph Powershell cmdlet and the 'delegated, application' permission type. These need to be included in the app consent policy in order for the user to grant the admin consent. I have reached out to the engineering team to confirm about this issue, as I am also seeing the same behavior and it doesn't appear to be documented. You need to use the following settings to grant both delegated and application consent:

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "delegated " -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "application" -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies?pivots=ms-powershell

(The current logic expects these to be granted separately, which is why you need the two separate commands.)

By design the Global admin can see an additional control on the traditional consent prompt that will allow to granting consent on behalf of the entire tenant. https://learn.microsoft.com/en-us/entra/identity-platform/application-consent-experience#common-scenarios-and-consent-experiences

When you assign the custom role, you can consent on behalf of a single user by Powershell, workflow consent, or MS Graph. For the app registration you need the additional permissions to Grant Admin consent, but these cannot be added to a custom role by design.

Users with the "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin" permission should be able to grant admin consent on behalf of all, but it looks like this may only grant permission on behalf of the single user and there is the additional step required to grant the delegated and app permissions in the app consent policy via New-MgPolicyPermissionGrantPolicyInclude .

Let me know if this helps and I will also update this thread when I have more information from the engineering team. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions#granting-permissions-to-apps-on-behalf-of-all-admin-consent
Please sign in to rate this answer.
Jamie Brandwood 131 Reputation points

2024-02-05T14:13:28.2366667+00:00

emptying to remove duplicate comment :-)

Jamie Brandwood 131 Reputation points

2024-02-05T14:27:46.4966667+00:00

thanks for the feedback, let me add some additional context and expectations, i have a user which has been assigned the Application Administrator role which as per the documentation 'for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions).' and as documented is working as such.

i wanted to expand these users so they can admin consent via the Entra portal for all API permissions: therefor have created a custom role named 'Application Administrator Admin Consent' and via the Microsoft Graph PowerShell module grated 'microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin' because my understanding again as per documentation was that microsoft.directory/servicePrincipals/managePermissionGrantsForAll would "Grants the permission to consent to apps on behalf of all (tenant-wide admin consent), subject to app consent policy {id}." and the id being microsoft-company-admin which seems to allign with the expected permissions: yet still when this new additional role is assigned and an application permission from Microsoft Graph is assigned the 'Grant admin consent' button is still greyed out. I know i can assign the 'Privileged Role Administrator' role to handle this but wanted to use only the subset of permissions required for my particular need.

Marilee Turscak-MSFT 34,631 Reputation points Microsoft Employee

2024-02-05T22:36:39.7033333+00:00

I have seen the same reported by the engineering team since there seems to still be a limitation with the custom permissions.

Based on my understanding you may need to add the following to the policy in addition to the "managePermissionGrantsForAll" permission:

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "delegated " -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "application" -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false

This is due to the issue with the cmdlet, though I'm still waiting on engineering to confirm if this issue persists.

You can also check if the custom role can grant the permissions via Azure CLI to overcome the UI limitation.

Riham anes 0 Reputation points

2024-05-13T12:04:36.42+00:00

I have the same problem. I want to create a custom role to be granted to exchange admins in addition to exchange admin role and application administrator role to allow them to grant Admin consent for mail graph application permissions of applications to be able to read/write mails. But the button is still dimmed. I used the below script

#install graph cmd modules Install-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance -Scope CurrentUser Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes @( "Policy.ReadWrite.PermissionGrant" # For creating a permission grant policy "RoleManagement.ReadWrite.Directory" # For creating and assigning a directory role "Application.Read.All" # For retrieving service principals "Policy.Read.PermissionGrant,Policy.ReadWrite.PermissionGrant" ) #Create a new empty app consent policy. $params = @{ id = "my-custom-consent-policy" displayName = "Custom application consent policy" description = "A custom permission grant policy to customize conditions for granting consent for graph permissions." } New-MgPolicyPermissionGrantPolicy -BodyParameter $params # Include PolicyPermissionGrantPolicy New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "my-custom-consent-policy" -PermissionType "delegated " -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false -ClientApplicationTenantIds <tenantID> New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "my-custom-consent-policy" -PermissionType "application" -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false -ClientApplicationTenantIds "<tenantID> #create New custom role. # Basic role information $displayName = "Application Administrator with Privilege" $description = "Can manage application registrations and grant admin consent, it is a temporary role" $templateId = (New-Guid).Guid # Set of permissions to grant $allowedResourceAction = @( "microsoft.directory/applications/basic/update" "microsoft.directory/applications/credentials/update" 'microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin' 'microsoft.directory/permissionGrantPolicies/standard/read' 'microsoft.directory/permissionGrantPolicies/basic/update' 'microsoft.directory/permissionGrantPolicies/create' 'microsoft.directory/permissionGrantPolicies/delete' "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.my-custom-consent-policy" "microsoft.directory/applications/permissions/update" "microsoft.directory/servicePrincipals/permissions/update" "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-company-admin" "microsoft.directory/servicePrincipals/policies/read" ) $rolePermissions = @(@{AllowedResourceActions= $allowedResourceAction}) # Create new custom admin role $customAdmin = New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -IsEnabled -Description $description -TemplateId $templateId

Riham anes 0 Reputation points

2024-05-13T12:06:49.4333333+00:00

grant admin consent dimmed
Sign in to comment

Share via

Custom Role To Allow Granting Admin Consent to Any App Registration

1 answer