
Azure AD role to permit non global admins to "grant permissions" to Read Directory Data in their app

Gina Komoroske
New Contributor

Hello,

We have a subscription tied to our Azure tenant and have developers writing apps there.  When they are setting up the app registration in Azure, they have to wander over to the global admin team and ask us to click the "grant permissions" button to enable access to 'Read directory data' for their app.  Is there an Azure role that we can put those developers in for them to be able to 'Grant Permissions' for Reading Azure AD directory data for their app?  Or does the role "global admin" only provide that ability?  There is a complaint that this step of involving the global admins is tedious and time consuming to find someone to grant perms on a timely basis (and our GA users are sparse). 

 

I've played around with application administrator, application developer, cloud application admin roles, but none of those worked.  Unless as they develop their app they have to do something special?

 

Thanks in advance for any advice, suggestions, resolutions.

Gina

2 Replies
Solution

Hello Gina, 

 

Currently there is no method available to allow a particular user to give consent to applications apart from GA as this is a change that happens at the directory level.

 

Regards,

Rishabh 

 
