dex icon indicating copy to clipboard operation
dex copied to clipboard
verified publisher icon dexidp

Microsoft Connector: Overly-permissive scope

Open ap0phi5 opened this issue 10 months ago • 0 comments

Are we able to make this a more granular permission requirement as our team that manages Microsoft Entra is not comfortable delegating Directory.Read.All

If we are only using for auth and group membership, is the following not sufficient?

  • user.read
  • group.read.all
  • groupMember.read.all

References:

From the documentation (https://dexidp.io/docs/connectors/microsoft/)

when registering dex application on https://apps.dev.microsoft.com/ add an explicit Directory.Read.All permission to the list of Delegated Permissions

Coded here:

https://github.com/dexidp/dex/blob/487717d61e479b44a1fad5262ab617d6d2508f52/connector/microsoft/microsoft.go#L37-L39

ap0phi5 avatar Feb 17 '25 13:02 ap0phi5