Exam AZ-500
Question 414

HOTSPOT

You have an Azure AD tenant named contoso.com that contains the users shown in the following table.

You add enterprise applications to contoso.com as shown in the following table.

You need to identify which users can grant admin consent for App1 and App2.

Which users should you identify for each application? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
AzureJobsTillRetire

Box1: User1 only
Box2: User1 only

To grant tenant-wide admin consent, you need an Azure AD user account with one of the following roles:
1) Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
2) Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).
3) A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
https://learn.microsoft.com/EN-US/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal

chikorita

I think it asks particularly for each app, not tenant-wise. Answers are correct IMO.

zellck

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application.

heatfan900

this person is wrong again BE CAREFUL using his answers

wardy1983

Who is?

Pamban

AzureJobsTillRetire is correct. Application owners don't have access for admin consent. Please see the links below:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/overview-assign-app-owners
https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications

Pamban

Answers would be:
Box1: User1 only
Box2: User1 only

zellck

1. User1 and User3 only
2. User1 and User4 only

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners
As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application.

[Removed]

agree with you

lili

To grant admin consent to an Azure AD application registration, a user needs to have one of the following role permissions: Global Administrator, Cloud Application Administrator, Application Administrator, or Owner of the application registration. If the user does not have any of these role permissions, they will not be able to grant admin consent to the Azure AD application registration. So the given answers are correct.

majstor86

App1: User1 only or User1 and User3 only
App2: User1 only or User1 and User4 only
Of the mentioned roles only Application Administrator has permission. I'm not sure about Owners. I couldn't find 100% valid information about owners.

billo79152718

Well, I think we all agree on that IMO.

zellck

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application.

ITTesters

Owner does not have the permissions for enabling admin consent.
Available permissions: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#owned-enterprise-applications
Permission needed: microsoft.directory/servicePrincipals/managePermissionGrantsForAll
https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-consent-permissions?source=recommendations#granting-permissions-to-apps-on-behalf-of-all-admin-consent

Strive_for_greatness_kc

User 1 only
User 1 only
Owner of an app does not have the right to give consent at a tenant level; they can add permissions and remove permissions. I tried it because the documentation was a bit confusing.

ESAJRR

1. User1 and User3 only 2. User1 and User4 only

heatfan900

For App1 it's User 1 and 3, because 1 is an App Administrator and 3 is the owner of the app regardless of his role. For App2 it's User 1 and 4 for the same reasons.

wilson_jr5

Owner does not have permission.

zellck

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application.

cris_exam

So, I just tested this out: registered an app and placed a USER as owner. The User was given both Azure DevOps Administrator and Security Operator roles. Logged in as that USER and tried to grant admin consent for that registered App and received the message below. "Need admin approval: needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it." So I think it's safe to confirm that only User1 (Application Admin) can grant consent, and not group owners, nor the roles assigned to User3 and User4.

cris_exam

So, to make sure everybody understands:
Box1: User1 only
Box2: User1 only

Jimmy500

I can confirm this answer. I did the same as you and got the same message as you. The given answer is incorrect and the documentation is really confusing; however, after the confirmation I can say the answer for both cases is User1 only. BR

liorh

so what is the correct answer?

billo79152718

Given answers are correct.

Sparkletoss

The answer is User 1 only. Please do not make the mistake.

Prerequisites: Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization. To grant tenant-wide admin consent, you need a Microsoft Entra user account with one of the following roles:
- Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
- Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions).
- A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal

Pamban

Box1: User1 only
Box2: User1 only
Application owners don't have access for admin consent. Links:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/overview-assign-app-owners
https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications

elster

Tested in lab: admin consent can be given only if I log in as Application Administrator.
1. User1 only
2. User1 only

hfk2020

Application Administrator has the following permission: microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks
Ref: https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/UserRolesViewModelMenuBlade/~/description/roleObjectId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleTemplateId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleName/Application%20Administrator/isRoleCustom~/false/resourceScopeId/%2F/resourceId/8c112fb1-f6f8-4517-b5c4-7ee0f7387fce
Could not find the same under ownership permissions: https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications
Hence it's Application Admin only: USER1 only.

wardy1983

Box1: User1 only
Box2: User1 only

To grant tenant-wide admin consent, you need an Azure AD user account with one of the following roles:
1) Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
2) Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).
3) A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
https://learn.microsoft.com/EN-US/azure/active-directory/manage-apps/grant-admin-consent?pivots=p
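As an added example (not from the question or from any commenter in the thread), a Microsoft Graph PowerShell audit that answers the question for a real tenant: it lists the active members of the roles named in the prerequisites quoted above, and separately lists the owners of App1 and App2, since ownership alone does not confer admin consent. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account has the read scopes requested, and that App1/App2 are the service principals' display names.

```powershell
# Added example, not part of the original page. Read-only Graph scopes are an
# assumption; adjust to what your tenant's admin is willing to grant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Application.Read.All","Directory.Read.All"

# Roles the admin-consent prerequisites list. Cloud Application Administrator
# and Application Administrator cannot consent to Microsoft Graph app roles
# (application permissions); that still needs Global/Privileged Role Admin.
$consentRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a built-in role that has never had a member does not appear at all.
# Eligible (PIM) assignments are not active memberships and are not listed here.
$roleMembers = foreach ($role in Get-MgDirectoryRole -All) {
    if ($consentRoles -contains $role.DisplayName) {
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            [pscustomobject]@{
                Role = $role.DisplayName
                Id   = $m.Id
                Upn  = $m.AdditionalProperties['userPrincipalName']
            }
        }
    }
}
"Principals able to grant tenant-wide admin consent (active role members):"
$roleMembers | Sort-Object Role, Upn | Format-Table -AutoSize

# Owners are reported separately: per the linked docs, owning an enterprise
# application does not by itself allow granting tenant-wide admin consent.
foreach ($name in 'App1', 'App2') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $sp) { "Service principal '$name' not found"; continue }
    "Owners of $name (ownership alone grants no consent right):"
    Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "  " + $_.AdditionalProperties['userPrincipalName'] }
}
```

Cross-check the owner list against the role-member list: a user who appears only in the owner output (like User3/User4 in the question) cannot grant admin consent for that app.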