This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 48%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHD%3C/text%3E%3C/svg%3E)
We have multiple Azure subscriptions.
An admin of one of these has subscriptions created an automation account, with run as privileges.
That run as account in Azure AD has API permissions to Azure Active Directory Graph (as picture) - this requires Admin consent to run.
My question is: If I grant permission on an AD level, does that grant permission for that account on all subscriptions using Azure Active Directory Graph, or only that subscription that the automation account is in?
I'm more concerned about the Application.ReadWrite.All permission
Hope that made sense.
Only on the currently selected Azure AD instance. I would be wary granting such permissions though, at minimum try to understand why they are needed.
@Hayward, Darrell
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks for the answer Michev. I agree on the 'be wary' and I'm waiting on them for an answer anyway.
When you say 'the selected Azure AD instance' then that means everything, as we only have only one AD in Azure, for all our subscriptions.