timmcmic / DLConversionV2

MIT License

More granular permission requirements #145

Closed essentialexch closed 1 year ago

essentialexch commented 1 year ago

Hi Tim! Thanks for your work on this.

My current client declines to provide Global Admin to Azure AD.

Do you know what more restrictive set of permissions may work?

Thanks.

timmcmic commented 1 year ago

Now that we have graph support and deprecated azure ad support you need the graph app permissions outlined in my blog. Exchange org admin still stands, or a custom rbac role.

============================== Timothy J. McMichael Senior Support Escalation Engineer @.**@.> (980)-776-7465

Hours: Sunday – Wednesday 08:00 – 16:00 eastern time zone.

Manager: Tom Roughley @.**@.>)

Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900

==============================


From: Michael B. @.> Sent: Thursday, July 20, 2023 2:46 PM To: timmcmic/DLConversionV2 @.> Cc: Subscribed @.***> Subject: [timmcmic/DLConversionV2] More granular permission requirements (Issue #145)

Hi Tim! Thanks for your work on this.

My current client declines to provide Global Admin to Azure AD.

Do you know what more restrictive set of permissions may work?

Thanks.

— Reply to this email directly, view it on GitHubhttps://github.com/timmcmic/DLConversionV2/issues/145, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AKGTN6P7Q7MKQAQ352JY2BTXRF4HBANCNFSM6AAAAAA2R2X47M. You are receiving this because you are subscribed to this thread.Message ID: @.***>

essentialexch commented 1 year ago

Yeah, I read everything I could find on it. Part 34 states: The minimum rights required for the DLConversionV2 module are Group.Read.All and User.Read.All.

But that's all it says on Graph permissions. Those two permissions don't allow for updating users and/or groups... so there must be others.

timmcmic commented 1 year ago

Nope - that’s it. The only reason we have graph is to export the settings. Originally global admin was required because of the legacy ad commands and it also served to give us the exchange permissions.

Now that graph and exchange have modernized, most customers migrating are moving away from credentials and using cert auth with app auth - especially since it’s required for graph to be useful.

All the group creation happens directly in exchange which is why exchange org admin, app access, or custom rbac roles are required.

Tim

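An added example (not part of this thread or the DLConversionV2 module) that reflects the answer above: connect to Graph and Exchange Online with certificate-based app-only auth, then check that the Graph app carries exactly the two documented minimum permissions and nothing broader. The tenant id, app id, thumbprint and tenant domain are placeholders.

```powershell
# Added example, not DLConversionV2 code. Placeholders below must be replaced.
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$AppId      = '11111111-1111-1111-1111-111111111111'   # placeholder app registration
$Thumbprint = 'CERT_THUMBPRINT_PLACEHOLDER'            # cert in the CurrentUser\My store
$Org        = 'contoso.onmicrosoft.com'                # placeholder tenant domain

# Graph application permissions named in the thread as the module's minimum
$RequiredGraphScopes = @('Group.Read.All', 'User.Read.All')

# App-only (certificate) auth to Graph; no user credentials involved
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $Thumbprint -NoWelcome
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected app-only (certificate) auth, got '$($ctx.AuthType)'"
}

# Compare the scopes actually present in the token with the documented minimum
$missing = $RequiredGraphScopes | Where-Object { $_ -notin $ctx.Scopes }
$extra   = $ctx.Scopes           | Where-Object { $_ -notin $RequiredGraphScopes }
if ($missing) { throw "Missing Graph permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted beyond the documented minimum: $($extra -join ', ')" }

# Group creation happens in Exchange Online, so the same app needs an Exchange
# role (Organization Management or a custom RBAC role) assigned out-of-band.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Org -ShowBanner:$false
```

The warning on extra scopes is the least-privilege check: the thread states nothing beyond the two read permissions is needed on the Graph side.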

essentialexch commented 1 year ago

Great. Thanks for the clarification. I appreciate it!