Yvand/EntraCP

Question about AAD Application Permissions

Closed this issue · 6 comments

Hi Yvand,

I've got two questions regarding the Azure application permissions.

Your documentation links to the following Microsoft documentation: https://docs.microsoft.com/en-us/graph/api/directoryobject-getmembergroups, which states that the permissions User.Read.All and GroupMember.Read.All are sufficient to query the group memberships of users.

In the AzureCP Documentation, you state that Group.Read.All is required.
The following two questions came up:

  • Is GroupMember.Read.All not sufficient to resolve group members?
  • Does AzureCP specifically request and/or check the required permissions (User.Read.All & Group.Read.All)?

Many thanks in advance

Yvand commented

Hi @Kinumikao, thank you very much for reporting this. I tested the permission GroupMember.Read.All and, indeed, it is enough!
When I wrote the article this permission did not exist, it seems it was introduced in late 2020 and I never noticed it until your message.
AzureCP does not check what permissions are granted, it just tries to run queries.
Could you also test to remove Group.Read.All and add GroupMember.Read.All and confirm you see no side effect?
Once I get your feedback I'll update the article.
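Since AzureCP itself does not verify which permissions were granted, one way to check before flipping the app registration is to inspect the `roles` claim of the access token the app obtains with client credentials (application permissions show up there; delegated permissions would be in `scp` instead). The following is an added example, not AzureCP's own code: it decodes the token payload (without verifying the signature, so it is only an inspection aid) and checks for the two permission sets discussed in this thread, User.Read.All together with either GroupMember.Read.All or Group.Read.All. The `make_unsigned_token` helper and the tokens it builds are constructed for offline testing and are not real Entra ID tokens.

```python
"""Inspect the application permissions (the `roles` claim) in a Microsoft Graph
access token against what the getMemberGroups call needs.

Added example, not AzureCP code. Assumption: the app authenticates with client
credentials, so granted application permissions appear in the token's `roles`
claim. The signature is NOT verified here; this is an inspection aid, not an
authorization decision.
"""
import base64
import json

# Per the thread: User.Read.All plus either GroupMember.Read.All or Group.Read.All.
REQUIRED_ANY_OF = [
    {"User.Read.All", "GroupMember.Read.All"},
    {"User.Read.All", "Group.Read.All"},
]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_roles(token: str) -> set:
    """Return the `roles` claim of a compact JWS token as a set (empty if absent)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def check_azurecp_permissions(token: str) -> dict:
    """Report whether the token carries a sufficient application permission set.

    Returns `ok`, the granted roles, and the roles missing relative to the
    sufficient set that is closest to what was granted.
    """
    granted = token_roles(token)
    for required in REQUIRED_ANY_OF:
        if required <= granted:
            return {"ok": True, "granted": sorted(granted), "missing": []}
    closest = min(REQUIRED_ANY_OF, key=lambda s: len(s - granted))
    return {"ok": False, "granted": sorted(granted), "missing": sorted(closest - granted)}


def make_unsigned_token(roles) -> str:
    """Build a CONSTRUCTED, unsigned token carrying the given roles (testing only)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment for the constructed token
    ])


if __name__ == "__main__":
    for roles in (["User.Read.All", "GroupMember.Read.All"],
                  ["User.Read.All", "Group.Read.All"],
                  ["User.Read.All"]):
        print(roles, "->", check_azurecp_permissions(make_unsigned_token(roles)))
```

To use it against a real app registration, obtain a token with the client-credentials flow and pass it to `check_azurecp_permissions`; a `missing` list that names only `GroupMember.Read.All` or `Group.Read.All` matches the situation described in this thread, where user lookups work but group resolution does not.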

@Yvand, thank you so much for your answers.
Just to clarify, sign-in for users who only have their permissions through AAD groups is possible with GroupMember.Read.All?

We will be testing this configuration on multiple test systems, I'll give you feedback as soon as possible.

Yvand commented

@Kinumikao yes, it should have no impact on any feature

@Yvand, we tested GroupMember.Read.All on multiple test environments (SP13 and SP19) and I can confirm it is working as intended.

Edit: Keep in mind, we did not do extensive testing over time, we just changed the AAD API permissions, assigned a group and tested the permissions in SP.

Yvand commented

@Kinumikao I updated https://azurecp.yvand.net/docs/usage/register-application/ to replace Group.Read.All with GroupMember.Read.All.
Thanks for your help!

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.