Azure-docs: Which documentation? - Configure permanent admin permissions for application

Created on 6 Apr 2020 · 9 comments · Source: MicrosoftDocs/azure-docs

Hello!

For an application I am working on, the application needs to be a "permanent Admin" on the Azure AD it is working off. For example, it performs various user & group management tasks in the background. These need to be performed regardless of the actually logged-in user.

For example, a user uses a sign up form and the application creates a corresponding User account in the Azure AD. Now, obviously the user signing up is not the admin, so the app needs to have the permissions.

Could you point me to the relevant documentation that would help me set this up correctly?

Thanks!

/cc: @MarileeTurscak-MSFT -- Could you help ?


@sujayvsarma Thanks for your question. This support forum is primarily used to address issues related to our document content, and based on the above question it looks like you need help regarding a setup, for which the right forum might be our Azure AD Q&A forum, where community and service experts could advise and provide the appropriate documentation to follow.

Could you please post the same on the Q&A forum for more inputs?

No, I am asking for the DOCUMENTATION that deals with such aspects. Therefore, this is the right forum.

@sujayvsarma this is the right forum for documentation issues that users have. Since you have requested help for a scenario, we have requested you to post in the right forum for help from experts. Without a link to the documentation, it is difficult to assign this issue to the right people for help, as this repo covers the entire Azure documentation. We hope this clarifies the above response :).

Which is why I specifically tagged @MarileeTurscak-MSFT in my question. She helped on a related issue just two days ago. Why did you pick it up!!!

Feedback for @RohitMungi-MSFT :

Also, since it is "one microsoft" and all, the "forum" should not matter. That should be the least of your worries. You are behaving like an Ops team, and yet you are not an Ops team. You are supposed to be "customer focussed", instead, you are "forum obsessed." That is NOT the right way to go. You are "one" team, handling one product (in this instance, that being "azure documentation").

Hi @sujayvsarma ,

Sorry for the delay, I missed your message earlier. I reached out to check about documentation for what you are specifically requesting as I'm not sure what the best document would be. I'll get back to you when I have an answer.

Here is the documentation for assigning permanent roles: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user?tabs=new

And here is for adding app roles: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Thank you @MarileeTurscak-MSFT.

I think my primary confusion was between App vs Delegated permissions in Azure AD.

Could you clarify this:

  1. If I add the Application Permission Group.Create, the app can create groups regardless of the access level of the user logged on -- alternatively, it can create groups even when there is no one logged on (as in a background service). True/False?

  2. Like there is a Group.Create permission, there is no User.Create permission. There are User.ReadWrite.* permissions, but I did not find one that is explicitly a User.Create. In fact, at the top of this page [ https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory ], it says "_To add or delete users you must be a User administrator or Global administrator_." Does that mean that I would need to add my app to the User Administrator role in the Azure AD?

  1. True.
  2. User.ReadWrite.All is enough.

Those are permissions for MS Graph or AAD Graph.

Hope this helps! I'm closing this out but if this doesn't fully answer your question feel free to open a new issue or email me at [email protected]
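The following is an added example, not code from the issue thread or from Microsoft's documentation, showing what the "application permission" answer above means in practice for a background service: the app obtains a token for itself with the OAuth 2.0 client credentials grant (no signed-in user), and before calling Microsoft Graph it checks that the token actually carries the application permission it needs. The distinction that matters is in the token claims: an app-only token lists application permissions in the `roles` claim, while a delegated token lists scopes in `scp` and is limited by whatever the signed-in user may do. The tenant id, client id, client secret, sample user and both sample tokens below are constructed for the demonstration and are not real values; application permissions such as User.ReadWrite.All and Group.Create must be granted admin consent in the tenant before a token will contain them.

```python
"""
Added example (not from the issue thread): a daemon that uses app-only
Microsoft Graph permissions to create users and groups with no signed-in user.
All identifiers, secrets and tokens below are constructed sample values.
"""
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"

# Graph application permissions (reported in the token's "roles" claim) that
# satisfy each background operation. Least privilege: a service that only
# creates groups should ask for Group.Create rather than Group.ReadWrite.All.
REQUIRED_APP_ROLE = {
    "create_user": {"User.ReadWrite.All"},
    "create_group": {"Group.Create", "Group.ReadWrite.All"},
}


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the token request a background service sends to Azure AD.

    The app authenticates as itself; there is no user in the exchange.
    The /.default scope requests every application permission an admin
    has already consented to for this app.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }
    return url, urlencode(body)


def decode_claims(jwt):
    """Decode a JWT payload without verifying the signature.

    Graph is the audience and validates the signature; the calling service
    only inspects the claims to see which permissions it was granted.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_only(claims, operation):
    """Return (ok, reason) for running `operation` with this token.

    App-only tokens carry "roles"; delegated tokens carry "scp" and act on
    behalf of a signed-in user, so they are the wrong kind for a daemon.
    """
    if "scp" in claims and "roles" not in claims:
        return False, "delegated token (scp claim), not an app-only token"
    granted = set(claims.get("roles", []))
    needed = REQUIRED_APP_ROLE[operation]
    if not granted & needed:
        return False, f"missing one of {sorted(needed)}; token has {sorted(granted)}"
    return True, "ok"


def create_user_request(upn, display_name, temp_password):
    """Graph call for the sign-up scenario in the thread: POST /v1.0/users."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@")[0],
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": temp_password,
        },
    }
    return f"{GRAPH}/v1.0/users", body


def _fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample tokens: one app-only (roles), one delegated (scp).
APP_ONLY_TOKEN = _fake_jwt({"aud": GRAPH, "roles": ["User.ReadWrite.All", "Group.Create"]})
DELEGATED_TOKEN = _fake_jwt({"aud": GRAPH, "scp": "User.Read Group.ReadWrite.All"})

if __name__ == "__main__":
    url, body = client_credentials_request("contoso.onmicrosoft.com", "app-client-id", "app-secret")
    print("POST", url, body)
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, "create_user ->", check_app_only(decode_claims(tok), "create_user"))
    print(create_user_request("newuser@contoso.onmicrosoft.com", "New User", "Temp-P@ssw0rd!"))
```

Run as a script it prints the token request, shows the app-only token passing the `create_user` check while the delegated token is rejected, and prints the user-creation request body. In a real service the secret would come from a vault or, better, be replaced by a certificate or managed identity, and the token would be sent as `Authorization: Bearer` on the Graph request.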
