sonar-auth-aad icon indicating copy to clipboard operation
sonar-auth-aad copied to clipboard

Published 20 hours ago verified publisher icon hkamel

Is Directory.Read.All permission sufficient to enable Group sync feature of AAD plugin?

Open vsalunkhe1988 opened this issue 2 years ago • 3 comments

Hi, As per the documentation https://github.com/hkamel/sonar-auth-aad/wiki/Group-Sync to enable group sync we need to allow "Directory.AccessAsUser.All" for the application under the API permissions in AAD. Our Active directory architecture board is bit hesitant on allowing such permission as it has more privilege's than just reading groups and underlying members. So is "Directory.Read.All" permission would be sufficient to enable Group sync feature of AAD plugin?

vsalunkhe1988 avatar Jun 01 '22 05:06 vsalunkhe1988

Also do we need to configure the plugin with Client ID and Client Secret in order to have group sync in place?

vsalunkhe1988 avatar Jun 21 '22 07:06 vsalunkhe1988

I've just configured mine and Directory.Read.All looks like it's sufficient. And yes you need ID and Secret otherwise the application has no way to authenticate to AzureAD

BevanG avatar Jun 22 '22 01:06 BevanG

I know MS has updated permissions for some of these calls, so I'll do some testing as soon as I have time to determine the best/lowest permissions for the calls we make.

For reference, we're using the /user/{id}/transitiveMemberOf call, which is documented along with needed permissions at https://docs.microsoft.com/en-us/graph/api/user-list-transitivememberof

srvrguy avatar Aug 02 '22 21:08 srvrguy