microsoft/Microsoft365DSC

QUESTION / DOCUMENTATION: Is "Organization.Read.All" really enough for "Update" access to [TeamsUpgradePolicy]?

GeldHades27355 opened this issue · 9 comments

Folks, we're looking at https://microsoft365dsc.com/resources/teams/TeamsUpgradePolicy/ and related Teams resources.

In there, it says:

Application permissions
Read - Organization.Read.All
Update - Organization.Read.All

Does that make sense? Shouldn't Update need Organization.ReadWrite.All permissions?

We're getting obscure access denied errors trying to deploy Teams resources and are wondering if this could be the cause.

Btw Get-M365DSCCompiledPermissionsList also reports "Organization.Read.All" for Update access.

Had a look back at the old documentation related to the resources and came across this set of commits and changes, @NikCharlebois:

605c541

I would expect that in MS Graph TeamsSettings.ReadWrite.All would be a required permission for the Update.

No, you need to add Entra roles instead; see https://microsoft365dsc.com/concepts/personas/

@ricmestre - my understanding was that Teams supports the use of an App Registration and MS Graph to support configuration changes, and that auth logic via App Reg + Cert is required:

https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#authentication-methods

Service Principal + Cert is valid for Microsoft Teams, therefore surely the TeamsSettings.ReadWrite.All is relevant?

You need to grant the role to the service principal. The permission you refer to is not relevant, since the cmdlets applied are from the Teams module; they don't use the Graph API.

@ricmestre Thanks so far.

So we can READ Teams settings from Graph, but WRITING uses a different API?

If yes: OMG the complexity. No wonder no known (to me at least) multi-tenant management tool supports setting Teams policies yet.

Is there no easier, more consistent way to do this yet?

You're complicating this. You have a Service Principal, right? You want read? Assign it Global Reader. You want to write? Assign it Teams Administrator.

I'm sure I am - noobs tend to do that. 🤣
Thanks again, very helpful. 👍

Now, since at least two people seem to have similar questions, would this deserve some more clarity in the documentation? Would surely avoid more questions like this. 😉
Before you suggest I update the docs - I'd love to. But I don't think my knowledge level is good enough for that.

I have just found and read https://learn.microsoft.com/en-us/MicrosoftTeams/teams-powershell-application-authentication#setup-application-based-authentication, which I think drives the change in permissions. I agree with @GeldHades27355 that the M365 DSC documentation is not clear around how these changes have been made and whether a "dsc-admin" identity with roles or a service principal is used.
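
The two answers above (assign Global Reader for read, Teams Administrator for write; the Teams cmdlets authenticate with app + certificate rather than Graph application permissions) translate into the following setup and check. This is an added example, not code from the issue thread or from the Microsoft365DSC project. It assumes the Microsoft.Graph (Applications, Identity.Governance) and MicrosoftTeams modules are installed, that an app registration with a certificate already exists, and that the account running step 1 is allowed to assign directory roles; the tenant ID, application ID and thumbprint are placeholders.

```powershell
# Added example (not from the issue thread or the Microsoft365DSC project).
# Assumptions: Microsoft.Graph and MicrosoftTeams modules installed; an app registration
# with a certificate already exists; the caller may assign directory roles.
# All IDs and thumbprints below are placeholders to be replaced.

$TenantId    = '<tenant-id>'
$AppId       = '<application-client-id>'
$Thumbprint  = '<certificate-thumbprint>'
$WriteNeeded = $false   # $false = Get/Test (monitoring) only; $true = Set (deployment)

# --- 1. One-time setup: grant the Entra directory role to the service principal ---
# Least privilege: Global Reader covers Get/Test; Teams Administrator only where Set is needed.
Connect-MgGraph -TenantId $TenantId `
    -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'

$RoleName = if ($WriteNeeded) { 'Teams Administrator' } else { 'Global Reader' }

$sp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

if (-not $sp -or -not $role) {
    throw "Service principal for $AppId or role '$RoleName' not found in tenant $TenantId"
}

# Tenant-wide scope ('/'); role assignments can take a few minutes to propagate.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null

# Record what the service principal now holds, for review and later drift checks.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }

# --- 2. Authenticate the way the Teams resources do: app registration + certificate,
#        via the Teams PowerShell module, not Graph application permissions ---
Connect-MicrosoftTeams -TenantId $TenantId -ApplicationId $AppId -CertificateThumbprint $Thumbprint

# --- 3. Verify before running a DSC deployment: a read succeeds with either role;
#        an "access denied" here means the role has not been assigned or has not propagated yet ---
Get-CsTeamsUpgradePolicy | Select-Object Identity, Mode
```

Keep two service principals (or two role assignments) if the same pipeline both monitors and deploys: the monitoring identity stays on Global Reader, and only the deployment identity carries Teams Administrator, so a leaked monitoring certificate cannot change Teams policies.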