I have two application and principal pairs in Entra ID. One of my applications exposes a number of roles; some are intended for users and groups, while others are application-only.
When I assign users and groups, I have full control of this if I own the service principal that exposes the roles:
However, when I want to grant a permission to another service principal, I need a Global Admin (or less?) to approve this permission:
This behaviour is a hurdle for anyone working with application permissions. How come I, the owner of both the applications and the service principals involved in the permission, am not the one deciding whether this can be approved or not? This means that anyone can request roles for my APIs, and then someone approves it without my knowledge. If I own the application exposing the role, I would assume I would be the one approving it.
I realize this is a tenant setting, and I do not have access to this in the tenant where the screenshots are from. I do however have my own tenant where I could experiment, but I am not sure at all what I am looking for.
I am mainly curious about how I should reason about this.
Are there ways to improve this workflow for developers?
What settings am I looking for?
How come it works like this for principals? I assume there is good reason for it, just that I don't understand it.
Note that to grant admin consent to the API permissions added to the Microsoft Entra ID application, one of the Privileged Role Administrator, Cloud Application Administrator or Application Administrator roles is required. Refer to this MsDoc.
If you want users to send the approval request, you can try doing the below:
Go to Azure Portal -> Enterprise applications -> Consent and permissions -> set "Users can request admin consent to apps they are unable to consent to" to Yes and add the users who can approve requests.
I created a Microsoft Entra ID application and added app role:
For example, I used the below endpoint to authorize users:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=redirectURL
&response_mode=query
&scope=scope
&state=12345
When I tried to sign in, the user got an "Approval required" screen like the one below:
The reviewer must have at least cloud administrator role to approve the request:
Go to Enterprise applications -> Activity -> Select Admin consent requests -> My Pending tab
Click on Review permissions and consent and approve request.
Now I signed in with the same user and the user is able to log in successfully:
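As an added example (not part of the question or answer above), the Microsoft Graph PowerShell equivalent of the portal steps discussed: reading the tenant's admin consent request setting, auditing which principals already hold roles on your API's service principal, and assigning an application-only role to a client service principal. The two application IDs and the role value are placeholders, and the grant step is subject to the directory-role requirement the answer describes.

```powershell
# Added example, not part of the original Q&A. Requires the Microsoft.Graph PowerShell module.
# Placeholders: replace the two application (client) IDs and the role value with your own.
$resourceAppId = '00000000-0000-0000-0000-000000000001'   # the API that exposes the app roles
$clientAppId   = '00000000-0000-0000-0000-000000000002'   # the service principal that needs a role
$roleValue     = 'Orders.Read.All'                        # the app role's "value" from the manifest

Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All','Policy.Read.All'

# 1. The tenant setting behind "Users can request admin consent to apps they are unable to consent to".
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays

# 2. Resolve both service principals from their application IDs.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
$clientSp   = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"

# 3. Audit: which principals currently hold roles exposed by the API? This lets the owner of
#    the resource service principal see grants that admins approved without involving them.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId, CreatedDateTime

# 4. Assign the application-only role to the client service principal. Only roles whose
#    allowedMemberTypes includes "Application" can be assigned to a service principal, and the
#    caller needs one of the admin roles named in the answer above.
$role = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) {
    throw "App role '$roleValue' is not defined for applications on $($resourceSp.DisplayName)"
}

# Avoid creating a duplicate assignment if the role was already granted.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Where-Object { $_.PrincipalId -eq $clientSp.Id -and $_.AppRoleId -eq $role.Id }
if ($existing) {
    "Role '$roleValue' is already assigned to $($clientSp.DisplayName)"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id
}
```

Step 3 is the part an API owner can run on their own to review grants; step 4 fails with an authorization error for a caller who lacks the required directory role, which is the same gate the portal enforces.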