Delegating App Registration Admin Consent permissions in Azure AD using Graph (an example for Sites.Selected)

This is a continuation of an older post and an example.

This post and this post from Microsoft are useful references too.

I want to delegate the ability to do admin consent for certain Graph permissions to some of my admins. In this case it is the “Sites.Selected” Graph API permission, which typically needs a Global Admin to do the consent. To do this I have to create a custom app consent policy and a custom role that includes this app consent policy.

First, connect to Graph with the following scopes.

Get the Microsoft Graph service principal.

For reference, here’s an example of the output:

I selected the Microsoft Graph one from above.

Get the permission Id of the “Sites.Selected” permission within this.

Here’s an example of what the permission looks like:

Now create a new app consent policy and add the “Sites.Selected” permission within it.

Here’s what the policy looks like:

Now to create a custom role that includes this app consent policy.

I had to make some tweaks here compared to when I first did this in 2021. Specifically, I added these two:

Just the update one would have been enough, I think. I came across this list on Microsoft’s app registrations permissions page. This other page, with permissions for app consent, is where I came across the last two permissions.

This is what allows the Delegated and Application permissions to be consented for “Sites.Selected”.
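As an added example (not the post’s own script), here are the steps above as one Microsoft Graph PowerShell run-through. The connection scopes, the policy id, the role name and the exact set of role actions are my assumptions based on Microsoft’s documentation, not necessarily the two the author added.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph PowerShell SDK
# and an account allowed to create permission grant policies and custom roles.

# 1. Connect with scopes to read service principals and write consent policies and roles.
Connect-MgGraph -Scopes "Application.Read.All","Policy.ReadWrite.PermissionGrant","RoleManagement.ReadWrite.Directory"

# 2. Microsoft Graph's well-known app id; look up its service principal in this tenant.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# 3. Sites.Selected exists as an application permission (AppRoles) and as a delegated
#    permission (Oauth2PermissionScopes); the two ids differ, so collect both.
$appPerm = $graphSp.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }
$delPerm = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq "Sites.Selected" }
if (-not $appPerm -or -not $delPerm) { throw "Sites.Selected not found on the Graph service principal" }

# 4. Custom app consent policy that includes only those two permissions (assumed id;
#    custom policy ids must not start with "microsoft-").
$policyId = "sites-selected-only"
New-MgPolicyPermissionGrantPolicy -Id $policyId -DisplayName "Sites.Selected only" `
    -Description "Allows consent to Microsoft Graph Sites.Selected (delegated and application)"

New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId `
    -PermissionType "application" -ResourceApplication $graphAppId -Permissions @($appPerm.Id)
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId `
    -PermissionType "delegated" -ResourceApplication $graphAppId -Permissions @($delPerm.Id)

# 5. Custom role whose consent action is scoped to that policy. The
#    managePermissionGrantsForAll.<policyId> action ties consent to the policy; the
#    permissions/update actions let the role holder add API permissions to an app.
$roleBody = @{
    displayName     = "Sites.Selected consent admin"
    description     = "Can add and admin-consent Graph Sites.Selected on app registrations"
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$policyId",
                "microsoft.directory/applications/permissions/update",
                "microsoft.directory/servicePrincipals/permissions/update"
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody

# 6. Check what actually ended up in the policy before assigning the role to anyone.
Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policyId |
    Select-Object PermissionType, ResourceApplication, Permissions
```

Anything outside the two listed permission ids (such as User.Read) stays outside the policy, so a holder of this role cannot consent to it.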

Now grant this to an admin from the portal.

Now Adele can log in to the portal, create an app registration, add the “Sites.Selected” permission, remove the “User.Read” permission (because that is not something we allowed in the list above), and do an admin consent (I had to refresh the page after adding the permission for the “Grant admin consent” button to show).