Authentication Issue using Graph API's and read only scopes

John Suehr 1 Reputation point

Customers want to authroize an app with Application Administrator or Global Reader permissions, however, can only authenticate with Global Admin,
Can somone confirm that using Graph API's you must have global admin credentials to authenticate an appication?
Also- can we can we authenticate with Global Admin (which we need to as part of the app registration), and then dial it down to Global Reader.
It looks like once the global admin authenticates, then Global Reader and Application Administrators can then authenticate- but the first authentication must be done by the global admin.
Application Administrator

Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

Application Administrators can manage application credentials that allows them to impersonate the application. So, users assigned to this role can manage application credentials of only those applications that are either not assigned to any Azure AD roles or those assigned to following admin roles only:

Here is what is in the documentation

Application Administrator
Application Developer
Cloud Application Administrator
Directory Readers

If an application is assigned to any other role that are not mentioned above, then Application Administrator cannot manage credentials of that application.

This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph API.


This exception means that you can still consent to permissions for other apps (e.g. third party apps or apps that you have registered), but not to permissions on Azure AD itself. You can still request these permissions as part of the app registration, but granting (i.e. consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a global admin.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,143 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 98,206 Reputation points MVP

    IT depends on the type of permissions requested by the app, if admin consent is required for any of those, GA will be required, typically.

    0 comments No comments