Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Microsoft Connector: Overly-permissive scope #3989

Open
ap0phi5 opened this issue Feb 17, 2025 · 0 comments
Open

Microsoft Connector: Overly-permissive scope #3989

ap0phi5 opened this issue Feb 17, 2025 · 0 comments

Comments

@ap0phi5
Copy link

ap0phi5 commented Feb 17, 2025
edited
Loading

Are we able to make this a more granular permission requirement as our team that manages Microsoft Entra is not comfortable delegating Directory.Read.All

If we are only using for auth and group membership, is the following not sufficient?

  • user.read
  • group.read.all
  • groupMember.read.all

References:

From the documentation (https://dexidp.io/docs/connectors/microsoft/)

when registering dex application on https://apps.dev.microsoft.com/ add an explicit Directory.Read.All permission to the list of Delegated Permissions

Coded here:

dex/connector/microsoft/microsoft.go

Lines 37 to 39 in 487717d

// Microsoft requires this scope to list groups the user is a member of
// and resolve their ids to groups names.
scopeGroups = "directory.read.all"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ap0phi5