MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Admin Consent Prerequisites #43860

Closed sandytsang closed 4 years ago

sandytsang commented 4 years ago

The documentation says "Granting admin consent requires you to sign in as global administrator, an application administrator, or a cloud application administrator". But when I tested removing an admin from the Global administrator role and adding them as application administrator and cloud application administrator, grant admin consent was no longer available.


AshokPeddakotla-MSFT commented 4 years ago

@sandytsang Thanks for the feedback! We are currently investigating and will update you shortly.

ManojReddy-MSFT commented 4 years ago

@sandytsang I am able to consent to applications with just the application administrator role. Can you post a screenshot of what you see in the portal with and without the GA role assigned to your user account?

sandytsang commented 4 years ago

@ManojReddy-MSFT Hello, just tested this again. When the user only has the application administrator role, I create a new application, assign the Microsoft Graph DeviceManagementConfiguration.ReadWrite.All "Application Permission" (not a delegated permission), and click on Grant Admin Consent; it gives an error. After logging out of the Azure Portal and logging in again, opening the same application, Grant admin consent is greyed out.

No issues with the Intune Data Warehouse API get_data_warehouse application permission or the OneNote API application permission.

ManojReddy-MSFT commented 4 years ago

@sandytsang The Application Administrator role actually has an exception for permissions related to Graph.

This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph and Azure AD Graph

Ref: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator
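
The distinction above (which API the application permission belongs to decides whether a non-Global-Administrator can grant it) is easier to see when admin consent is granted from a script rather than the portal button. The following is an added example written for this thread; it is not code from the azure-docs page or from Microsoft, and it assumes the Microsoft Graph PowerShell SDK is installed and that the app registration's service principal already exists in the tenant. The app name, the permission values and the failure message text are placeholders; the two appIds are the well-known identifiers for Microsoft Graph and Azure AD Graph. Granting an application permission is, under the hood, an app role assignment from the client service principal to the resource service principal, which is what the script performs.

```powershell
# Added example (not from the azure-docs page): grant application permissions
# via app role assignments and warn up front when the resource is one of the
# Graph APIs, where an Application Administrator without Global Administrator
# is expected to be refused (assumption based on the role description quoted above).

$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (well-known appId)
$AadGraphAppId = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph (well-known appId)

function Test-NeedsGlobalAdminForConsent {
    # True when the resource is Microsoft Graph or Azure AD Graph, the two APIs
    # the Application Administrator consent exception covers.
    param([Parameter(Mandatory)][string]$ResourceAppId)
    return $ResourceAppId -in @($GraphAppId, $AadGraphAppId)
}

function Grant-ApplicationPermissionConsent {
    param(
        [Parameter(Mandatory)][string]$ClientAppId,     # appId of the app registration being consented
        [Parameter(Mandatory)][string]$ResourceAppId,   # appId of the API exposing the permission
        [Parameter(Mandatory)][string[]]$AppRoleValues  # e.g. 'DeviceManagementConfiguration.ReadWrite.All'
    )

    if (Test-NeedsGlobalAdminForConsent -ResourceAppId $ResourceAppId) {
        Write-Warning "Resource is a Graph API: consenting needs Global Administrator, not only Application Administrator."
    }

    $client   = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $client)   { throw "No service principal found for client appId $ClientAppId" }
    if (-not $resource) { throw "No service principal found for resource appId $ResourceAppId" }

    # Assignments already present on the client, so the script is idempotent.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id

    foreach ($value in $AppRoleValues) {
        # Only roles that allow 'Application' members are application permissions;
        # delegated scopes live in Oauth2PermissionScopes and are granted differently.
        $role = $resource.AppRoles |
            Where-Object { $_.Value -eq $value -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "'$value' is not an application permission exposed by $($resource.DisplayName)" }

        if ($existing | Where-Object { $_.ResourceId -eq $resource.Id -and $_.AppRoleId -eq $role.Id }) {
            Write-Host "Already granted: $value"
            continue
        }

        try {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id `
                -PrincipalId $client.Id -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
            Write-Host "Granted: $value"
        }
        catch {
            # This is the scripted equivalent of the greyed-out portal button: the
            # signed-in role is not allowed to consent to this resource's permissions.
            throw "Granting '$value' on $($resource.DisplayName) failed: $($_.Exception.Message)"
        }
    }
}

# Usage (placeholder values): sign in with the roles needed to read service
# principals and write app role assignments, then grant the Intune permission
# from the thread. Run as an Application Administrator, the warning fires and
# the assignment is expected to fail; run as a Global Administrator it succeeds.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'
Grant-ApplicationPermissionConsent -ClientAppId '<your-app-registration-appId>' `
    -ResourceAppId $GraphAppId -AppRoleValues @('DeviceManagementConfiguration.ReadWrite.All')
```

Re-running the same command after a successful grant reports "Already granted" rather than creating a duplicate assignment, and pointing `-ResourceAppId` at a non-Graph API (such as the Intune Data Warehouse API mentioned earlier in the thread) skips the warning, matching the behaviour reported above.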

sandytsang commented 4 years ago

@ManojReddy-MSFT Oh, thank you! Can we add this as an additional note on the admin consent page?

ManojReddy-MSFT commented 4 years ago

@sandytsang I have added a line about this limitation in the doc and submitted a PR. The issue will be updated when the PR gets merged.

sandytsang commented 4 years ago

Thank you very much!