
Quick summary of my environment:

I currently have just one main account with Azure, and under this parent account I have one tenant configured. I've previously been using Azure AD at the tenant level for managing users and access for my .NET Core applications; I also had some of the apps from my solution registered at the tenant level there too.

All my paid services/subscriptions such as storage, service bus etc. had been registered under my main account, so after a while I decided to re-register all my apps into the main account so that I can eventually delete the tenant and bring everything together under the main account.

Issue:

Since re-registering some apps over to my main parent account, I'm unable to grant admin access for these apps, which I believe is down to the user account I'm trying to do this with, i.e. I'm logged into my main parent account as the Azure Account Owner. I don't currently have any other user accounts configured in my main account's AD that I could use to complete the setup.

Being logged in as the Azure Account Owner, some options are greyed out; for example, I've tried to see whether it's possible to grant myself additional roles. So currently I'm rather stuck in knowing how and what is needed for me to grant admin access to my apps using my own user account as the account owner.

Ref below to illustrate the issue: I added some scopes to one of the registered apps, an API gateway which my client web app needs to connect with to reach back-end microservices:


Then in the client web app registration, I've added one of the scopes under the API Permissions menu blade, but as you can see, access is not yet granted:


So the next step was to grant admin access by navigating to this client app configuration using the Enterprise Applications menu:


The problem is I'm unable to grant the consent and get the following:


I never had this problem before because the apps were previously registered at the tenant level, but I don't want to keep this tenant anymore and simply want to bring all my app registrations across to within my main parent account.

Should it be possible to grant admin consent to my apps using the Azure Account Owner? If so, what roles/permissions am I missing to do this? And how do I elevate myself to do this?

OJB1

1 Answer


I tried to reproduce the same in my environment and got the results like below:

I assigned a user the Owner role:


Now, I logged in to the Azure Portal with the above user and created an Azure AD Application like below:


I created the scopes to Grant Admin Consent like below:


Now, I added API permissions like below, but Grant Admin Consent is greyed out:


I tried to grant admin consent by using the below URL:

https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID


Note that: to grant admin consent, the user must have the Global Administrator role or the Privileged Role Administrator role.

To resolve the issue, assign the user the Global Administrator role like below:


After adding the role, I am able to grant admin consent to the API permissions successfully like below:


Rukmini
  • Hi Rukmini, thanks for your reply. I had started coming to a similar conclusion that the Azure Account Owner does not have the correct role assignments by default in order to carry out Active Directory related tasks. However, the challenge I'm facing is that I equally cannot "Add Assignments" in the Assigned Roles menu blade; the button is greyed out for me. So I'm not sure how I can add roles to my own account, despite being the account owner. I also don't have any other users in my AD org that can do this for me. – OJB1 Mar 27 '23 at 18:52
  • Check this https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#prerequisites – Rukmini Mar 28 '23 at 03:39
  • I think you possibly meant to point me to this link instead: https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal but regardless, I'm unable to grant myself the Global Administrator role because the "Add Assignments" button is greyed out. Until I have the Global Administrator role assigned, I don't believe I'll be able to grant admin consents or perform any of the tasks I'm having issues with. So in essence, I believe the root cause of my issue is the fact that I cannot grant myself a Global Administrator role, being the Azure Account Owner. – OJB1 Mar 28 '23 at 17:37
  • Finally got to the bottom of the issue: my Exchange Online Essentials email/mailbox service is paid for and provided through a 3rd party internet provider who used the same domain/username/email as what I used when creating an account and tenant within Azure. They originally set up my account as an admin, but it required elevating to a global admin. A real mess, as now I'm not sure what to do about pulling away from this 3rd party MS partner without affecting my own services in Azure, because between Office 365 and Azure, both services are referring to the same user, i.e. me. – OJB1 Mar 28 '23 at 20:24
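The two points the thread turns on are that the Azure RBAC "Owner" role on a subscription is not an Azure AD directory role (so it does not make the Grant Admin Consent button usable), and that the answer's adminconsent URL is a redirect flow whose callback the application must validate. The following is an added example, not code from the question, the answer or Microsoft: it builds the adminconsent URL from the answer, adds the optional redirect_uri and state parameters the endpoint accepts, and parses the success and error callbacks. The tenant ID, client ID and redirect URI are constructed placeholders, and the role check mirrors only the two roles the answer names.

```python
"""Admin-consent helpers for the /adminconsent redirect flow discussed above.

Added example. Tenant, client and redirect values are constructed placeholders.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Directory roles the answer says are sufficient to grant tenant-wide admin consent.
# Note that Azure RBAC roles such as "Owner" or "Contributor" live in a different
# authorization system (subscriptions/resources) and are NOT directory roles,
# which is why an Azure "Owner" still sees the consent button greyed out.
ADMIN_CONSENT_ROLES = frozenset({"Global Administrator", "Privileged Role Administrator"})


def can_grant_admin_consent(assigned_directory_roles):
    """True if any assigned Azure AD directory role is one the answer lists."""
    return any(role in ADMIN_CONSENT_ROLES for role in assigned_directory_roles)


def new_state():
    """Unguessable per-request token; stored server-side and checked on callback."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """Compose the adminconsent URL from the answer.

    redirect_uri must be one of the app registration's configured redirect URIs,
    and state is the CSRF token the app compares on the way back.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Interpret the redirect Azure AD sends to redirect_uri after the prompt.

    Success: ...?admin_consent=True&tenant=<tenant id>&state=<state>
    Failure: ...?error=<code>&error_description=<text>&state=<state>
    Raises ValueError if state does not match (possible CSRF or a stale session);
    such a callback must be discarded rather than treated as consent.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        return {
            "granted": False,
            "error": qs["error"][0],
            "description": qs.get("error_description", [""])[0],
        }
    granted = qs.get("admin_consent", [""])[0].lower() == "true"
    return {"granted": granted, "tenant": qs.get("tenant", [None])[0]}


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real tenant/app values.
    tenant = "11111111-2222-3333-4444-555555555555"
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    redirect = "https://localhost:5001/consent-callback"

    print("Owner only can consent?", can_grant_admin_consent(["Owner"]))
    state = new_state()
    print("Send the admin to:", build_admin_consent_url(tenant, client, redirect, state))
    # Simulated successful callback from Azure AD (constructed).
    cb = f"{redirect}?admin_consent=True&tenant={tenant}&state={state}"
    print("Callback result:", parse_admin_consent_callback(cb, state))
```

The state check uses a constant-time comparison and rejects a missing state outright; an application that skips it can be tricked into recording consent that was never given in its own tenant. The role check is deliberately limited to the two roles the answer names; check the current Microsoft documentation for the full list of roles that can grant tenant-wide consent.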