Which admin/admin role is required when getting admin consent for your app?

Question

An app needs admin consent when using the client credential grant flow. I was curious which kind of admin/admin role is required for this consent. Does it have to be a global admin or can it be something more restrictive?

Answer 1

Unfortunately there is no Graphs Admin role; Microsoft has rolled administration of most things into the Global Admin role. However, there are steps you can take to grant access here; whether you want to follow them given the requirements is up to you. the steps are described here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/02/granting-tenant-admin-consent-for-microsoft-graph-explorer/

Giving Consent for All Users for Microsoft Graph Explorer

This error is occurring because the user trying to use the graph explorer is trying to utilize a v2 permission that requires admin consent. The permissions/scopes regarding the v2 endpoint are described in the link here : https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes

Resolution

To resolve this issue, the Microsoft Graph explorer provides a convenient pre-developed URL for users to give the Global Admin of the tenant in order to grant admin consent on behalf of all users in the tenant. This is currently the only way to let users use the Microsoft Graph Explorer to get access to the Microsoft Graph API with permissions that require Admin Consent.

You can also read how to do it from a more dev-friendly page here: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service