
Managed Identity | Graph API permissions #80

@mishraomp


Currently, due to missing permissions to call the Graph API from the managed identity, a workaround was created which helps keep us moving with user management for tenants.

When the pipeline is run locally, as the user identity (Om) does have certain Graph API permissions, it is able to add specific users to tenant-specific resource groups, but this approach creates a hard coupling between an individual running the pipeline from a local machine and the pipeline running in GHA autonomously.

The images below (two screenshots, not reproduced here) show it working from the user identity.

This impacts only GHA with the managed identity, and only the user role management of tenants; everything else works just fine.

One thing to note: the user identity (Om) does not have permission to create groups, so currently it is adding roles to users for the tenant-specific resource group.

Long term solution:

  • Connect with the Entra team from OCIO and ask them how to provide this specific Graph API permission to the managed identities so they can add/remove groups and users within a group.

In this PR (#78), this commit was done as the workaround at this time:

33ee953

cc @alex-struk @antsand @shabarikk @jeff-card
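As an added note on the permission gap described above (example code, not from the issue, PR #78 or the project): rather than discovering mid-run that the managed identity cannot call Graph, the pipeline can run a preflight check that resolves the identity's `appRoleAssignments` on the Microsoft Graph service principal to permission names, compares them with the Graph application permissions group management would need, and only then decides between the group-based path and the current workaround (role assignments directly on the tenant-specific resource group). The required permission set, the placeholder app role ids, and the two JSON documents are constructed for this example; the comments show the Graph endpoints that would return the real documents.

```python
"""Preflight check for a pipeline identity's Microsoft Graph permissions.

Added example (not code from the issue, the PR or the project): verify
that the managed identity actually holds the Graph application permissions
group management would need, and fall back to the workaround from the issue
(direct role assignments on the tenant-specific resource group) if it does
not, instead of failing mid-run with Authorization_RequestDenied.
"""
import json

# Microsoft Graph's well-known application id (the same in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Assumption: the Graph application permissions the group-based design needs.
REQUIRED_GRAPH_PERMISSIONS = {"Group.ReadWrite.All", "GroupMember.ReadWrite.All"}

# Constructed sample of the Graph service principal, trimmed to the fields
# used here.  Live equivalent (the object id differs per tenant):
#   az rest --method get --url \
#     "https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=appId eq '00000003-0000-0000-c000-000000000000'&\$select=id,appRoles"
# The appRole ids below are placeholders, not Microsoft's real role ids.
GRAPH_SP_SAMPLE = json.loads("""
{
  "id": "aaaaaaaa-0000-0000-0000-000000000001",
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Group.Read.All"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Group.ReadWrite.All"},
    {"id": "33333333-3333-3333-3333-333333333333", "value": "GroupMember.ReadWrite.All"},
    {"id": "44444444-4444-4444-4444-444444444444", "value": "User.Read.All"}
  ]
}
""")

# Constructed sample of the managed identity's app role assignments.  Live
# equivalent: GET /servicePrincipals/{managedIdentityObjectId}/appRoleAssignments
# The second assignment targets a different resource and must be ignored.
MI_ASSIGNMENTS_SAMPLE = json.loads("""
{
  "value": [
    {"appRoleId": "11111111-1111-1111-1111-111111111111",
     "resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
     "principalId": "bbbbbbbb-0000-0000-0000-000000000002"},
    {"appRoleId": "22222222-2222-2222-2222-222222222222",
     "resourceId": "cccccccc-0000-0000-0000-000000000003",
     "principalId": "bbbbbbbb-0000-0000-0000-000000000002"}
  ]
}
""")


def granted_graph_permissions(graph_sp, assignments):
    """Resolve the identity's appRoleAssignments on Graph to permission names.

    Assignments whose resourceId is not the Graph service principal are
    skipped: an appRoleId only has meaning for the resource that defines it.
    """
    role_names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted = set()
    for assignment in assignments.get("value", []):
        if assignment.get("resourceId") != graph_sp["id"]:
            continue
        name = role_names.get(assignment.get("appRoleId"))
        if name:
            granted.add(name)
    return granted


def missing_permissions(granted, required=REQUIRED_GRAPH_PERMISSIONS):
    """Return the required Graph permissions the identity does not hold."""
    return set(required) - set(granted)


def choose_strategy(missing):
    """'group' when Graph group management is possible; otherwise the issue's
    workaround: role assignments directly on the tenant resource group."""
    return "group" if not missing else "resource-group-rbac"


def preflight(graph_sp, assignments):
    """One-shot check; returns (strategy, missing) so the caller can log it."""
    missing = missing_permissions(granted_graph_permissions(graph_sp, assignments))
    return choose_strategy(missing), sorted(missing)


if __name__ == "__main__":
    strategy, missing = preflight(GRAPH_SP_SAMPLE, MI_ASSIGNMENTS_SAMPLE)
    print(f"strategy={strategy} missing={missing}")
```

Run stand-alone the sample resolves to only `Group.Read.All` (the `Group.ReadWrite.All` assignment belongs to another resource and is ignored), so the check reports both required permissions missing and selects the resource-group RBAC path. Logging the `missing` list at the start of the GHA run also gives the Entra team a concrete list of what to grant.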

Labels: help wanted, question

Status: Backlog