Tags: azure, microsoft-entra-id, azure-service-principal

Assigning application permissions to users/groups and other principals in Entra ID


I have two application/service principal pairs in Entra ID. One of my applications exposes a number of roles; some are intended for users and groups, while others are application-only.

When I assign users and groups, I have full control of this if I own the service principal that exposes the roles:

Assigning user or group role

However, when I want to grant a permission to another service principal, I need a Global Admin (or less?) to approve this permission: Assigning principal role

This behaviour is a hurdle for anyone working with application permissions. How come that I, the owner of both applications and service principals involved in the permission, am not the one deciding whether this can be approved? This means that anyone can request roles for my APIs, and then someone approves it without my knowledge. If I own the application exposing the role, I would assume I would be the one approving it.

I realize this is a tenant setting, and I do not have access to this in the tenant where the screenshots are from. I do however have my own tenant where I could experiment, but I am not sure at all what I am looking for.

I am mainly curious about how I should reason about this.

Are there ways to improve this workflow for developers?
What settings am I looking for?
How come it works like this for principals? I assume there is good reason for it, just that I don't understand it.


Solution

  • Note that: to grant admin consent to the API permissions added to a Microsoft Entra ID application, one of the Privileged Role Administrator, Cloud Application Administrator or Application Administrator roles is required. Refer to this MS Doc.

    If you want users to send an approval request, you can try doing the below:

    Go to Azure Portal -> Enterprise applications -> Consent and permissions -> Set "Users can request admin consent to apps they are unable to consent to" to YES and add the users who can approve requests.

    I created a Microsoft Entra ID application and added app role:


    As a sample, I used the below endpoint to authorize users:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=redirectURL
    &response_mode=query
    &scope=scope
    &state=12345

    When I tried to sign in, the user got an "Approval required" screen like below:


    The reviewer must have at least the cloud administrator role to approve the request:

    Go to Enterprise applications -> Activity -> Select Admin consent requests -> My Pending tab


    Click on "Review permissions and consent" and approve the request.

    Now I signed in with the same user, and the user was able to log in successfully:


    Reference:

    Overview of permissions and consent in the Microsoft identity platform (Microsoft identity platform documentation)
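The portal steps above have a scripted equivalent, and it makes the asker's underlying point visible: granting an app role to another service principal is a Microsoft Graph appRoleAssignment on the resource service principal, and the Graph scope that gates it (AppRoleAssignment.ReadWrite.All) is consented by a privileged administrator, not by the owner of either application. The following is an added example written for this page, not code from the question or the answer; it uses the Microsoft.Graph PowerShell SDK, and the application IDs and role value are placeholders (assumptions) to be replaced with your own. It audits which principals already hold roles on your API (the check an API owner can run even though they cannot gate the grants), grants one app role to a caller service principal, and reads the tenant's admin consent request policy, which is the setting behind the "Users can request admin consent" switch.

```powershell
# Added example (not part of the original answer). Requires the Microsoft.Graph
# PowerShell SDK: Install-Module Microsoft.Graph
# All IDs and the role value below are placeholders (assumptions).

# AppRoleAssignment.ReadWrite.All is what actually authorizes an application
# permission grant; a privileged admin consents to it, not the app owner.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "Policy.Read.All"

$resourceAppId = "00000000-0000-0000-0000-000000000001"   # API that exposes the app roles (placeholder)
$clientAppId   = "00000000-0000-0000-0000-000000000002"   # caller that should receive a role (placeholder)
$roleValue     = "Data.Read.All"                           # 'value' of the app role to grant (placeholder)

# Resolve both service principals from their application (client) IDs.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
$clientSp   = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
if (-not $resourceSp -or -not $clientSp) { throw "Service principal lookup failed; check the placeholder app IDs." }

# Only roles whose allowedMemberTypes include "Application" can be held by a service
# principal; user/group-only roles are rejected by Graph for a principal of type ServicePrincipal.
$role = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains "Application" }
if (-not $role) { throw "App role '$roleValue' not found or not application-enabled on $($resourceSp.DisplayName)." }

# Audit step: list every principal (user, group or service principal) that already holds
# a role on this API. This is the visibility the question is asking for; it needs only
# read permission on the resource service principal.
Write-Host "Current role holders on $($resourceSp.DisplayName):"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId, CreatedDateTime |
    Format-Table -AutoSize

# Grant the application permission. This single call is what "Grant admin consent"
# performs in the portal for an app role; it is created on the client service principal
# and points at the resource service principal plus the role ID.
$assignment = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
    -PrincipalId $clientSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id
Write-Host "Granted '$roleValue' to $($clientSp.DisplayName); assignment id $($assignment.Id)"

# Tenant-level setting behind "Users can request admin consent to apps they are unable
# to consent to": the admin consent request policy. IsEnabled and Reviewers are the
# fields the portal switch and the reviewer list map to.
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays, Reviewers
```

Run the audit part on a schedule (or feed it into your SIEM) if you own an API and want to know when a new service principal is granted one of your roles; the grant itself will still be performed by whoever holds the administrator role named in the answer, so monitoring the appRoleAssignedTo list is the practical control available to the application owner.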