Tags: azure, azure-active-directory, microsoft-graph-api

User Consent for a Simple Azure Application


Background

I am setting up automation for creating applications in Azure. My new applications need the following API Permissions:

  • offline_access
  • openid
  • profile
  • User.Read

None of these permissions need Admin Consent.

I create the new application using another application's client credentials. Let's call that application the "Management Application". The Management Application is manually set up and has the following API Permissions:

  • Application.ReadWrite.OwnedBy
  • User.Read.All

These have been given admin consent.

I use HTTPS calls to create the new application (with the client credentials of the Management Application), add a client secret and otherwise set up the new application.

Question

I don't want my users to be asked for consent when they login to the newly created applications.

I need a way for the Management Application to provide consent for the newly created applications (via an API call). Since the permissions for the newly created applications are not "Admin Consent" level permissions, I feel it should be doable without granting massive permissions to my Management Application.

What are the minimal permissions needed for my Management Application to grant consent such that users do not need to grant consent (when logging into a new application)?


Solution

  • What are the minimal permissions needed for my Management Application to grant consent such that users do not need to grant consent (when logging into a new application)?

    Assuming this is a single-tenant app, the "Management Application" will need to have the DelegatedPermissionGrant.ReadWrite.All scope added and consented to by an Administrator. Then, from your automated workflow, you would have to invoke POST /oauth2PermissionGrants using the consentType body parameter AllPrincipals to unilaterally consent to the specific scopes you've already granted to the newly-created application on behalf of users in your tenant.

    It's not clear to me if the DelegatedPermissionGrant.ReadWrite.All scope is "massive" in your view, but the only alternative to being able to programmatically consent on behalf of all users in a tenant would be Directory.ReadWrite.All which is quite a bit more permissive than the aforementioned alternative.

    While it doesn't meet your requirements for doing this sans human, the other possibility would be to manually grant admin consent for the newly-created application's scopes on behalf of your users, either via (1) the Azure Portal entry for the created application, or (2) a visit to the /adminconsent endpoint with the appropriate URL parameters and authenticating using your administrative credentials.
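
A worked version of the automated path the answer describes, written as an added example (it is not code from the question, the answer, or Microsoft). It assumes things the page does not state: the Management Application authenticates with the client credentials flow on the v2.0 token endpoint; the newly created application already has a service principal in the tenant (Application.ReadWrite.OwnedBy lets the Management Application create one with POST /servicePrincipals, but that step is outside this script); and the environment variable names are made up for the script. Two practitioner details are built in: the script refuses any delegated scope outside the four listed in the question, so the DelegatedPermissionGrant.ReadWrite.All permission cannot be turned into a general consent engine by a bad input, and it looks for an existing AllPrincipals grant for the client/resource pair and PATCHes its scope instead of POSTing a second one, which Graph rejects.

```python
"""Tenant-wide delegated consent for a freshly created app via Microsoft Graph.

Added example, not code from the original question or answer. Assumed (not on
the page): client credentials flow on the v2.0 endpoint; the new app already
has a service principal; the env var names in main are made up.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of Microsoft Graph (same in every tenant). The grant needs
# the tenant-specific service principal *object* id, looked up below.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# The only delegated scopes this workflow may hand out. Anything else is refused
# before a request leaves the process, so the management app's
# DelegatedPermissionGrant.ReadWrite.All cannot be abused through bad input.
ALLOWED_SCOPES = frozenset({"openid", "profile", "offline_access", "User.Read"})


def check_scopes(scopes):
    """Sorted list of the requested scopes; raises if any is not allowlisted."""
    requested = set(scopes)
    extra = requested - ALLOWED_SCOPES
    if extra:
        raise ValueError(f"refusing to grant non-allowlisted scopes: {sorted(extra)}")
    return sorted(requested)


def build_grant(client_sp_id, resource_sp_id, scopes):
    """Body for POST /oauth2PermissionGrants.

    consentType 'AllPrincipals' with principalId null makes the grant apply to
    every user, so nobody is prompted at sign-in. clientId is the new app's
    service principal object id; resourceId is Microsoft Graph's.
    """
    return {
        "clientId": client_sp_id,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": resource_sp_id,
        "scope": " ".join(check_scopes(scopes)),
    }


def merge_scopes(existing_scope, scopes):
    """Scope string for PATCHing an existing grant: keep what an admin already
    consented to and add the allowlisted new scopes."""
    return " ".join(sorted(set(existing_scope.split()) | set(check_scopes(scopes))))


def _call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # PATCH answers 204 with no body


def get_token(tenant_id, client_id, client_secret):
    """Client credentials flow for the management app (v2.0 endpoint)."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form, method="POST")) as resp:
        return json.load(resp)["access_token"]


def service_principal_id(token, app_id):
    """Resolve an appId to the service principal object id in this tenant."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{app_id}'", "$select": "id"})
    value = _call("GET", f"{GRAPH}/servicePrincipals?{query}", token)["value"]
    if not value:
        raise LookupError(f"no service principal for appId {app_id}; create it first")
    return value[0]["id"]


def existing_grant(token, client_sp_id, resource_sp_id):
    """AllPrincipals grant already present for this client/resource pair, if any."""
    query = urllib.parse.urlencode({"$filter": f"clientId eq '{client_sp_id}'"})
    for g in _call("GET", f"{GRAPH}/oauth2PermissionGrants?{query}", token)["value"]:
        if g["resourceId"] == resource_sp_id and g["consentType"] == "AllPrincipals":
            return g
    return None


def grant_consent(token, client_sp_id, scopes):
    """Create the tenant-wide grant, or update it if one exists; returns the body sent."""
    resource_sp_id = service_principal_id(token, MS_GRAPH_APP_ID)
    current = existing_grant(token, client_sp_id, resource_sp_id)
    if current is None:
        body = build_grant(client_sp_id, resource_sp_id, scopes)
        _call("POST", f"{GRAPH}/oauth2PermissionGrants", token, body)
    else:
        body = {"scope": merge_scopes(current["scope"], scopes)}
        _call("PATCH", f"{GRAPH}/oauth2PermissionGrants/{current['id']}", token, body)
    return body


if __name__ == "__main__":
    # Hypothetical env var names. NEW_APP_SP_ID is the object id of the new
    # app's service principal (from POST /servicePrincipals), not its appId.
    env = os.environ
    tok = get_token(env["TENANT_ID"], env["MGMT_CLIENT_ID"], env["MGMT_CLIENT_SECRET"])
    print(grant_consent(tok, env["NEW_APP_SP_ID"], ["openid", "profile", "offline_access", "User.Read"]))
```

The grant's clientId and resourceId are service principal object ids; passing the application object id or the appId is the usual cause of a 400 from this endpoint. After the grant exists, an /authorize request from the new app for exactly these scopes signs users in without a consent prompt, while any scope not in the grant still prompts (or fails, if user consent is disabled in the tenant).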