Applications used to manage Azure AD tenant properties must participate in the consent flow provided by Azure AD. This means an Azure Global Administrator must provide admin consent when adding a tenant to On Demand. Admin consent is granted on behalf of the Microsoft Azure organization.
The Azure Global Administrator role is the top-level administrator role and has access to all features. By default, the person who signs up for an Azure subscription is assigned the Global Administrator role for the tenant. Additional users can be assigned to the Global Administrator role.
In On Demand, once you select Add tenant, you are redirected to the Microsoft tenant administration login page where you must log in with the Global Administrator credentials for the tenant. Then, you are redirected to a page that lists the permissions that will be granted. You must click Accept and provide admin consent for the On Demand application. Once the Global Administrator adds a tenant to On Demand, an application record is created in the tenant indicating that admin consent has been provided.
For security, when you first add a tenant, only the minimum permission settings are granted. Some modules require additional permissions. Once a tenant has been added to On Demand, you can grant additional permissions on the page.
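To review what admin consent granted to the application record, and to spot permissions added after the initial minimum set, the tenant-wide grants can be compared against a recorded baseline. The following Python is an added example, not part of the On Demand documentation or product; it runs on constructed data shaped like Microsoft Graph responses, and every ID, permission name and the baseline in it is an assumption.

```python
"""Audit what admin consent granted to one enterprise application.

Input is constructed sample data shaped like Microsoft Graph responses.
Every ID and permission name below is a placeholder, not an On Demand value.
"""
APP_SP = "11111111-1111-4111-8111-111111111111"    # the app's service principal
GRAPH_SP = "22222222-2222-4222-8222-222222222222"  # resource the permissions target

# Shape of GET /oauth2PermissionGrants (delegated permissions)
OAUTH2_GRANTS = [
    {"clientId": APP_SP, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP, "scope": "User.Read Directory.Read.All"},
    {"clientId": APP_SP, "consentType": "Principal",
     "principalId": "33333333-3333-4333-8333-333333333333",
     "resourceId": GRAPH_SP, "scope": "Mail.Read"},
]
# Shape of GET /servicePrincipals/{id}/appRoleAssignments (application permissions)
APP_ROLE_ASSIGNMENTS = [
    {"principalId": APP_SP, "resourceId": GRAPH_SP,
     "appRoleId": "44444444-4444-4444-8444-444444444444"},
]
# appRoles of the resource service principal: id -> value
RESOURCE_APP_ROLES = {"44444444-4444-4444-8444-444444444444": "Group.ReadWrite.All"}

def tenant_wide_permissions(grants, assignments, roles, sp_id):
    """Return permissions that apply to the whole tenant for sp_id."""
    found = set()
    for g in grants:
        # AllPrincipals = admin consent; Principal = one user's own consent.
        if g["clientId"] == sp_id and g["consentType"] == "AllPrincipals":
            found.update("delegated:" + s for s in g["scope"].split())
    for a in assignments:
        if a["principalId"] == sp_id:
            # Unknown role ids are reported rather than silently dropped.
            name = roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
            found.add("application:" + name)
    return found

def beyond_baseline(current, baseline):
    """Permissions present now that were not in the reviewed baseline."""
    return sorted(current - baseline)

# Baseline recorded when the tenant was first added (constructed).
BASELINE = {"delegated:User.Read", "delegated:Directory.Read.All"}
CURRENT = tenant_wide_permissions(OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS,
                                  RESOURCE_APP_ROLES, APP_SP)
if __name__ == "__main__":
    for p in beyond_baseline(CURRENT, BASELINE):
        print("granted after baseline:", p)
```

Running the same comparison after each additional consent shows which permissions a module added on top of the initial grant.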