Grant admin consent to a single user

Morgan Harris 6 Reputation points
2019-12-11T05:28:28.747+00:00

There are two things about Azure AD apps that seem to run counter to each other.

  1. The most privileged permissions require admin consent
  2. Admin consent grants a permission implicitly to every user in the organisation

That seems a bit backwards to me. I'm required, as an admin, to say "yes, this is okay" not for just one user, but for everyone? Indeed, for everyone without asking them? If I wanted to grant, say, Directory.ReadWrite.All for a few select users – I can't do that, I have to give that permission to everyone. That seems crazy. Is there really no way to grant admin-consent-requiring permissions to individual users, rather than to everyone?


2 answers

  1. AmanpreetSingh-MSFT 55,221 Reputation points
    2019-12-11T07:43:40.723+00:00

    @Morgan Harris For this purpose there are Directory Roles. To see all available roles, run the cmdlets below:

    1. Connect-msolservice
    2. Get-MsolRole

    You can run the cmdlet below to assign the Directory Writers role to a specific user.

    Add-MsolRoleMember -RoleName "Directory Writers" -RoleMemberObjectId

    You can assign roles from Azure Portal > Azure AD > Roles and Administrators as well. But not all roles are exposed in the portal. If you cannot find the desired role in the portal, use the above cmdlets.

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


  2. Vasil Michev 61,911 Reputation points Microsoft MVP
    2019-12-11T08:32:06.11+00:00

    I might be missing the point here, but isn't that why we have the Delegate permissions model? Here's a simple example - me granting user-level permissions for the Graph explorer:


    The permissions will then be reflected on the corresponding app, just for the user in question. If any other user needs such permissions, another consent is needed. And yes, you will have to use an admin account to consent to each of the users individually, but it's doable. You usually address this via the prompt=admin_consent query parameter: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#admin-consent

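Added example, not from either answer: the per-user consent Vasil describes and the tenant-wide admin consent Morgan objects to are both stored as Microsoft Graph oauth2PermissionGrant records and differ only in consentType ("Principal" with a principalId versus "AllPrincipals"). The Python below builds the per-user grant body and audits a constructed list of grants; every object id and grant in it is made up.

```python
"""Added example (not part of the thread): the two delegated-consent shapes
as Microsoft Graph oauth2PermissionGrant records, plus an audit that separates
tenant-wide grants from per-user ones. All object ids below are constructed."""
import json

# Delegated scopes that warrant a per-user grant rather than a tenant-wide one.
HIGH_PRIVILEGE_SCOPES = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All",
                         "RoleManagement.ReadWrite.Directory"}


def per_user_grant_body(client_sp_id, resource_sp_id, user_id, scopes):
    """Body for POST /v1.0/oauth2PermissionGrants consenting to `scopes` for one user.
    consentType "Principal" plus principalId limits the grant to that user; the
    tenant-wide admin consent button produces "AllPrincipals" with no principalId."""
    return {
        "clientId": client_sp_id,      # object id of the app's service principal
        "consentType": "Principal",
        "principalId": user_id,        # object id of the user consented for
        "resourceId": resource_sp_id,  # object id of the API's service principal
        "scope": " ".join(sorted(scopes)),
    }


def audit_grants(grants):
    """Bucket grants; tenant-wide grants carrying high-privilege scopes get flagged."""
    findings = {"tenant_wide_high_privilege": [], "per_user": [], "tenant_wide_low_privilege": []}
    for g in grants:
        scopes = set(g.get("scope", "").split())
        if g["consentType"] == "Principal":
            findings["per_user"].append((g["clientId"], g["principalId"], scopes))
        elif scopes & HIGH_PRIVILEGE_SCOPES:
            findings["tenant_wide_high_privilege"].append((g["clientId"], scopes & HIGH_PRIVILEGE_SCOPES))
        else:
            findings["tenant_wide_low_privilege"].append((g["clientId"], scopes))
    return findings


# Constructed sample in the shape GET /v1.0/oauth2PermissionGrants returns.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "app-sp-1", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph-sp", "scope": "openid profile User.Read"},
 {"clientId": "app-sp-2", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph-sp", "scope": "User.Read Directory.ReadWrite.All"},
 {"clientId": "app-sp-3", "consentType": "Principal", "principalId": "user-42",
  "resourceId": "graph-sp", "scope": "Directory.ReadWrite.All"}
]""")

if __name__ == "__main__":
    print(json.dumps(per_user_grant_body("app-sp-3", "graph-sp", "user-42",
                                         {"Directory.ReadWrite.All"}), indent=2))
    print(audit_grants(SAMPLE_GRANTS))
```

This only covers delegated permissions; application (app-only) permissions are appRoleAssignments and always apply tenant-wide, so there is no per-user equivalent for them.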