Azure AD role to permit non global admins to "grant permissions" to Read Directory Data in their app

Gina Komoroske
New Contributor

Hello,

We have a subscription tied to our Azure tenant and have developers writing apps there. When they are setting up the app registration in Azure, they have to wander over to the global admin team and ask us to click the "grant permissions" button to enable access to 'Read directory data' for their app. Is there an Azure role that we can put those developers in for them to be able to 'Grant Permissions' for Reading Azure AD directory data for their app? Or does the role "global admin" only provide that ability? There is a complaint that this step of involving the global admins is tedious and time consuming to find someone to grant perms on a timely basis (and our GA users are sparse).

I've played around with application administrator, application developer, cloud application admin roles, but none of those worked. Unless as they develop their app they have to do something special?

Thanks in advance for any advice, suggestions, resolutions.

Gina

2 Replies
Solution

Hello Gina,

Currently there is no method available to allow a particular user to give consent to applications apart from GA as this is a change that happens at the directory level.

Regards,

Rishabh