Our product is a SaaS monitoring product for Azure (CloudMonix). One of the ways that it connects to customers' Azure subscriptions via ARM API is by creating a Service Principal authorized against our AD application.
We used this article in order to enable this authorization and all works wonderfully: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/
The issue is, often our users do not have access to the super-admin account that was originally used to create the subscription. They have their own "co-administrator" accounts. What extra permissions do these users need to have, in order to consent for our AD app to access their AD? Where do they add these permissions in either of the two Azure portals?
TIA
In order to consent to applications that require admin permissions the user needs to have the "Global Admin (GA)" role in the Azure AD tenant. This is different from having the service administrator or co-administrator roles in an Azure Subscription.
Only existing GAs can grant another user GA rights. This means that if your user is unable to perform admin consent, they also won't be able to make themselves Azure AD GAs. The most likely solution to your scenario is to have the user contact their IT department or whoever set up the Azure AD tenant or O365 and ask them to consent to the application with their GA credentials. Once the admin consents to the application, because they're doing it as administrators, consent will be applied on behalf of all users, and as a result no other user will need to consent to the application after that.
See the article below for more details around the relationship between Azure AD and Azure subscriptions: https://blogs.technet.microsoft.com/ad/2016/02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-2/
And just in case you still want instructions on how to make someone a global admin in Azure AD, here are the instructions for that: https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/