ThomasKur / M365Documentation

Automatic Microsoft 365 Documentation to simplify the life of admins and consultants.

Receiving permission error regarding an admin granting #43

Closed AlexHimself closed 6 months ago

AlexHimself commented 6 months ago

I think it's an issue that the required permissions aren't clearly spelled out and that should potentially be a part of the install instructions. Most organizations won't blindly run something needing Global Admin and the act of assigning permissions is a desired step.

In my case, I have a privileged but not global admin account, and our tenant is managed by a 3rd party for SOX requirements, so I need to provide a detailed request of the permissions and things I need as narrowly defined as possible and that request is documented and on file for audit purposes. Requesting a global admin run a PowerShell utility just wouldn't fly.

I found in the advanced usage page the list of scopes, so perhaps including some install steps similar to the following:

# Connect to Azure AD (AzureAD module). Run as an account allowed to create app
# registrations and grant application permissions, e.g. Application Administrator.
Connect-AzureAD

# Define the app registration details
$appName = "MyAzureApp"
$homePage = "http://localhost"
$replyUrls = @("http://localhost")
$requiredPermissions = @(
    "AccessReview.Read.All",
    "Agreement.Read.All",
    "AppCatalog.Read.All",
    "Application.Read.All",
    "CloudPC.Read.All",
    "ConsentRequest.Read.All",
    "Device.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Directory.Read.All",
    "Domain.Read.All",
    "Organization.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.AuthenticationMethod",
    "Policy.ReadWrite.FeatureRollout",
    "PrintConnector.Read.All",
    "Printer.Read.All",
    "PrinterShare.Read.All",
    "PrintSettings.Read.All",
    "PrivilegedAccess.Read.AzureAD",
    "PrivilegedAccess.Read.AzureADGroup",
    "PrivilegedAccess.Read.AzureResources",
    "User.Read"
)

# Create the app registration
$app = New-AzureADApplication -DisplayName $appName -HomePage $homePage -ReplyUrls $replyUrls

# App role assignments are granted to a service principal, not to the application
# object, so the registration needs a service principal in this tenant first
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# Create a client secret
$endDate = (Get-Date).AddYears(1) # Set expiration to 1 year
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -EndDate $endDate

# Look up the Microsoft Graph service principal by its well-known AppId
# (a display-name search can match more than one principal, e.g. "Microsoft Graph Change Tracking")
$graphApp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Grant each permission as an application permission (app role) to the new service principal.
# Entries that exist only as delegated scopes (User.Read, for example) have no app role and are
# reported rather than silently skipped, so the granted set can be compared with the request.
foreach ($permission in $requiredPermissions) {
    $appPermission = $graphApp.AppRoles | Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application" }
    if ($appPermission) {
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId -ResourceId $graphApp.ObjectId -Id $appPermission.Id | Out-Null
        Write-Output "Granted: $permission"
    } else {
        Write-Warning "No application permission named '$permission' on Microsoft Graph; skipped"
    }
}

# Output the details. The secret value is only returned at creation time; store it in a
# vault rather than leaving it in console history.
Write-Output "ClientId: $($app.AppId)"
Write-Output "ClientSecret: $($secret.Value)"
Write-Output "ClientSecretExpiration: $($secret.EndDate)"
Write-Output "TenantId: $((Get-AzureADTenantDetail).ObjectId)"

Or at least a screenshot like the following that lets you know what to expect. This is a LOT of permissions and is initially uncomfortable, but I do note they're mostly "READ" permissions.

image

ThomasKur commented 6 months ago

Yes, the module only requires read permissions unless there is no read-only scope for a particular endpoint. If you decide not to grant some of them, then just don't grant them; the documentation run will throw an error and not document that specific section, but will continue. The module contains a command to create the app registration for you, and the Application Administrator role, for example, can be used. If you want to execute the commands on your own and have a list of scopes, then you can follow this script:

https://github.com/ThomasKur/M365Documentation/blob/main/PSModule/M365Documentation/Functions/New-M365DocAppRegistration.ps1
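The thread above leaves the practical check to the reader: once a tenant admin has granted whatever subset of the scope list they were comfortable with, the person filing the audited request needs to confirm that the service principal holds exactly that set, and to know which entries in the list can never be granted as application permissions in the first place (User.Read, for instance, only exists as a delegated scope on Microsoft Graph). The following script is an added example, not part of the issue or of the M365Documentation module. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment); the app name "MyAzureApp" and the shortened permission list are assumptions used as sample input.

```powershell
# Added example: compare the permissions requested for a documentation app with
# the application permissions actually granted to its service principal.
# Requires the Microsoft.Graph PowerShell SDK. Reading service principals and
# their app role assignments needs Application.Read.All (delegated).
Connect-MgGraph -Scopes "Application.Read.All"

$appName = "MyAzureApp"   # assumed display name of the registration being audited

# Sample request: a subset of the scope list from the issue, used here as constructed input
$requestedPermissions = @(
    "Directory.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.AuthenticationMethod",
    "User.Read"
)

# Microsoft Graph's well-known application ID; its service principal carries the
# catalogue of app roles (application permissions) and OAuth2 scopes (delegated permissions)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No service principal named '$appName'; nothing has been granted yet" }

# Resolve every Graph app role assigned to the service principal back to its permission name
$granted = @{}
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $assignment = $_
        $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        if ($role) { $granted[$role.Value] = $true }
    }

# For each requested entry: is it an application permission at all, and was it granted?
foreach ($name in $requestedPermissions) {
    $isAppRole   = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
    $isDelegated = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    $kind = if ($isAppRole) { "application" } elseif ($isDelegated) { "delegated only" } else { "unknown" }
    $status = if ($granted.ContainsKey($name)) { "granted" } else { "NOT granted" }
    "{0,-45} {1,-15} {2}" -f $name, $kind, $status
}

# Anything granted beyond the request is what an auditor will ask about first
$excess = $granted.Keys | Where-Object { $_ -notin $requestedPermissions }
if ($excess) { Write-Warning "Granted but not in the request: $($excess -join ', ')" }

# Write permissions on a read-only documentation tool deserve a separate line in the request
$granted.Keys | Where-Object { $_ -match 'Write' } |
    ForEach-Object { Write-Warning "Write permission granted: $_" }
```

Entries reported as "delegated only" cannot be satisfied by an app role assignment, so they should be struck from an application-permission request rather than left for the admin to puzzle over; the two ReadWrite scopes in the original list are the ones most likely to need a written justification.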