Exam AZ-500 topic 5 question 66 discussion

Box1: User1 only Box2: User1 only To grant tenant-wide admin consent, you need: An Azure AD user account with one of the following roles: 1) Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. 2) Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions). 3) A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application. https://learn.microsoft.com/EN-US/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal

1. User1 and User3 only 2. User1 and User4 only https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners As an owner of an enterprise application in Azure AD, a user can manage the organization-specific configuration of the application, such as single sign-on, provisioning, and user assignment. An owner can also add or remove other owners. Unlike Global Administrators, owners can manage only the enterprise applications they own. The owners have the same permissions as application administrators scoped to an individual application.

Box1: User1 only Box2: User1 only Application Administrator (User1) can manage all aspects of enterprise applications, including granting admin consent. Application Developer (User2) can grant consent for delegated permissions for apps they own, but cannot grant admin consent for others. Azure DevOps Administrator (User3) manages Azure DevOps settings and has no permissions over Azure AD enterprise applications. Security Operator (User4) focuses on security alerts and reports but does not manage applications.

Must be "User 1 only" for both. "Admin consent" is not about accessing the app (!), it is about the app accessing other stuff in the tenant. Would be funny if any developer could create an app, and then, as he is owner, could provide admin consent to his app to access all mailboxes and all Onedrives of all users and reset all passwords of all users and manage all Azure resources in all subscriptions.

Box1: User1 only Box2: User1 only To grant Admin Consent, the role has to have this attribute > microsoft.directory/servicePrincipals/managePermissionGrantsForAll Reference: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions Roles that have this attributes are: 1. Global Admin 2. Privileged Role Admin 3. Application Admin 4. Cloud Application Admin App Owners do not have this attribute, therefore does not have the permission to grant admin consent Reference: https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications

The answer is User 1 only. Please do not make the mistake - Prerequisites Granting tenant-wide admin consent requires you to sign in as a user that is authorized to consent on behalf of the organization. To grant tenant-wide admin consent, you need: A Microsoft Entra user account with one of the following roles: Privileged Role Administrator, for granting consent for apps requesting any permission, for any API. Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions). A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal.

Box1: User1 only Box2: User1 only application owners don;t have access for admin consent. Links: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/overview-assign-app-owners https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications

Tested in lab, admin consent can be given only if I login as application administrator. 1. User1 only 2. User1 only

So, I just tested this out - registered an app and placed a USER as owner. The User was given both Azude Devops admin and Security Operator roles. Logged as that USER and tried to grant admin consent for that registered App and received this below message. "Need admin approval needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it." So I think it's safe to confirm that Only User1 (Application Admin) can grant consent and not group owners, nor the roles assigned to user3 and user4.

User 1 only User 1 only Owner of an app does not have the right to give consent at a tenant level, they can add permissions, remove permissions. I tried it because the documentation was a bit confusing.

Application Admininstartor has the following permission microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks Ref : https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/UserRolesViewModelMenuBlade/~/description/roleObjectId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleTemplateId/9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3/roleName/Application%20Administrator/isRoleCustom~/false/resourceScopeId/%2F/resourceId/8c112fb1-f6f8-4517-b5c4-7ee0f7387fce Could not find the same under ownership permission https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#owned-enterprise-applications Hence its application admin only USER1 only

Box1: User1 only Box2: User1 only To grant tenant-wide admin consent, you need:An Azure AD user account with one of the following roles:1) Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.2) Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions).3) A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application. https://learn.microsoft.com/EN-US/azure/active-directory/manage-apps/grant-admin-consent?pivots=p

1. User1 and User3 only 2. User1 and User4 only

for App1 its User 1 and 3 because 1 is an App administrator and three is the owner of the app regardless of his role. for App2 its User 1 and 4 for the same reasons.

Owner does not have the permissions for enabling admin consent; Available permissions; https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#owned-enterprise-applications permission needed; microsoft.directory/servicePrincipals/managePermissionGrantsForAll https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-consent-permissions?source=recommendations#granting-permissions-to-apps-on-behalf-of-all-admin-consent

so what is the correct answer?

Owner does not have permission