
Sync GitHub teams to groups in Active Directory, LDAP, Okta, OneLogin or AzureAD when using any authentication method for GitHub.
MIT License

Azure AD permissions required #88

Closed jkenn99 closed 2 years ago

jkenn99 commented 3 years ago

The README says that the following permissions are required for AAD:

Directory.Read.All
Group.Read.All
GroupMember.Read.All
Organization.Read.All
User.Read.All

Looking at the code, it seems like the only permissions actually needed by the API paths used are GroupMember.Read.All and User.Read.All. Why are these other permissions also documented as being required?

primetheus commented 3 years ago

@jkenn99 thanks for reaching out! These permissions actually are used:

Group.Read.All is needed in order to read information about the groups, and the Directory.Read.All is needed for searching groups. We probably don't need the Organization.Read.All for anything.

https://github.com/github/github-team-sync/blob/main/githubapp/azuread.py#L75-L78

Have you tried running the app without these permissions?

jkenn99 commented 3 years ago

Sorry for the late response. Yes, I am using only User.Read.All and GroupMember.Read.All.
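An added least-privilege check, not code from the github-team-sync project: it decodes the unverified `roles` claim of an app-only Microsoft Graph token (where Azure AD places granted application permissions) and reports which permissions are missing from, or beyond, a required set. The required set used in the demo is the two permissions jkenn99 reports running with, taken here as an assumption rather than a confirmed minimum; the tokens are constructed and unsigned for offline use.

```python
import base64
import json

# Application permissions the README lists for Azure AD (from the issue above).
README_PERMISSIONS = {
    "Directory.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Organization.Read.All", "User.Read.All",
}

# Assumption for the demo: the reduced set jkenn99 reports using.
MINIMAL_PERMISSIONS = {"GroupMember.Read.All", "User.Read.All"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying it.
    Inspection only: never use this to trust a token's contents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str, required: set, documented: set = README_PERMISSIONS) -> dict:
    """Compare the token's granted app permissions (`roles`) with a required set."""
    roles = set(decode_jwt_payload(token).get("roles", []))
    return {
        "missing": sorted(required - roles),       # app will fail Graph calls
        "excess": sorted(roles - required),        # over-provisioned, review/remove
        "undocumented": sorted(roles - documented),  # granted but not in the README
    }


def make_demo_token(roles) -> str:
    """Constructed, unsigned token for the offline demo (dummy signature segment)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": sorted(roles)})
    return ".".join([header, payload, "sig"])


if __name__ == "__main__":
    # Token granted everything the README lists, audited against the reduced set.
    print(audit_roles(make_demo_token(README_PERMISSIONS), MINIMAL_PERMISSIONS))
```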