redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0
111 stars 60 forks

Permission guidance for Azure AAD needed by the operator #272

Open sabre1041 opened 1 year ago

sabre1041 commented 1 year ago

Currently, the recommendations for API permissions to be granted for Azure Active Directory are the following:

Alternately, the following permission can be used instead:

Should the guidance be changed to use this new permission model or retain the existing guidance?

davidkarlsen commented 1 month ago

It should be as narrow as possible, so the three given are probably the best. I don't think User.Read.All is required - perhaps User.ReadBasic.All is sufficient.