What role is needed to assign users for an Azure Active Directory Application?

  • Question

  • I've added a number of SAML applications from the App Gallery to our Azure AD subscription.  Now I'm trying to enable our help desk to assign those applications to new staff.  

    I'm having trouble finding out what the minimal role to do this would be.  I've tried making them a User Admin in Office 365 and I've made him a co-admin on the Azure AD subscription.  Every time he goes to an application I've added from the Gallery he gets this error:

    You do not have permission to manage this application.

    I really do not want to go so far as to make him an Office 365 global admin, and really wouldn't even want him to be co-admin on the Azure AD subscription. Myself and other Office 365 global admins all can access this, but we need our help desk to be able to assign both Office 365 licenses and the SAML applications we've added.

    Tuesday, May 24, 2016 3:25 PM

Answers

  • Hi Kevin,

    Unfortunately at this moment in time the Directory Administrator Role that is required in order to access the 'Applications' Tab found when viewing your Azure AD in the Azure Active Directory Extension specifically within the Classic Azure Management Portal is the Company Administrator / Global Administrator Role.

    It is a common request for administrators to want to provide specific / granular access to other administrators within the organization who do not require or are not allowed to be granted such permissions that the Company Administrator / Global Administrator role provides. This is something we hope to bring to the new Azure AD Management Extension when this becomes available in the New Azure Management Portal.

    In the meantime, if you have Azure AD Premium you can do the following: Self-Service Application Access, which allows your employees to add themselves to applications that you specify; and you can add people as approvers so that employees don't automatically get access when they attempt to add. You can find more information here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-self-service-application-access/

    I hope that helps,

    James.


    Senior Escalation Engineer EEE-Dev | Azure AD Serviceability | Azure AD Identity and Access Management | blog: http://www.edutech.me.uk

    • Marked as answer by Kevin Denham Thursday, June 23, 2016 7:41 PM
    Thursday, May 26, 2016 7:20 AM

All replies

  • Hi Kevin,

    Thanks for posting the query here,

    Is your help desk in the directory? Follow this documentation on Integrating Applications with Azure Active Directory. To integrate an application or service with Azure AD, a developer must first register the details about their application with Azure AD through the Azure classic portal.

    For assigning users and groups to application roles and permissions, you can check Dushyant Gill's documentation on Roles based access control in cloud applications using Azure AD.

    Either the application owner (developer of the app) or the global administrator of the developer’s directory can declare application roles for an application. 

    Let us know whether it helps you,

    Hope this helps you 

    Thanks & Regards

    Vijisankar.


    Wednesday, May 25, 2016 2:27 PM