Description
Currently, due to missing permissions to call the Graph API from the managed identity, a workaround was created which helps keep us moving with user management for tenants.
When the pipeline is run locally as the user identity (Om), which does have certain Graph API permissions, it is able to add specific users to tenant-specific resource groups, but this approach creates a hard coupling between an individual running the pipeline from a local machine versus the pipeline running in GHA autonomously.
The images below show it works from the user identity.

This only affects GHA with the managed identity, and only the user role management of tenants; everything else works just fine.
One thing to note: the user identity (Om) does not have permission to create groups, so currently it is adding roles to users for the tenant-specific resource group.
Long-term solution:
- Connect with the Entra team from OCIO and ask them how to provide this specific Graph API permission to the managed identities so they can add/remove groups and users within a group.
In this PR (#78), this commit was done as the workaround at this time.
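As an added example (not code from this repository or from PR #78), the following Python script checks whether a managed identity's Microsoft Graph app-role assignments actually cover the permissions the long-term solution asks for, so the gap can be stated precisely to the Entra team and re-verified once the grant is made. The required role set, the GUIDs, the identity name and the JSON samples are all constructed assumptions; only the two response shapes follow Microsoft Graph.

```python
import json

# Graph application permissions the tenant user-management step is assumed to
# need (assumption based on "add/remove groups and users within a group").
REQUIRED_GRAPH_ROLES = {"Group.ReadWrite.All", "GroupMember.ReadWrite.All"}

# Constructed sample: shape of the Microsoft Graph service principal's `appRoles`
# (GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000').
# The ids are placeholders, not the real Graph app-role GUIDs.
GRAPH_APP_ROLES_JSON = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Group.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "GroupMember.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
])

# Constructed sample: shape of the managed identity's `appRoleAssignments`
# (GET /servicePrincipals/{managed-identity-object-id}/appRoleAssignments).
MANAGED_IDENTITY_ASSIGNMENTS_JSON = json.dumps({"value": [
    {"appRoleId": "11111111-0000-0000-0000-000000000003",
     "principalDisplayName": "gha-pipeline-identity",   # hypothetical name
     "resourceDisplayName": "Microsoft Graph"},
]})


def index_app_roles(app_roles_json: str) -> dict:
    """Map app-role id -> permission value for roles an application may hold."""
    roles = json.loads(app_roles_json)
    return {r["id"]: r["value"] for r in roles
            if "Application" in r.get("allowedMemberTypes", [])}


def granted_role_values(assignments_json: str, role_index: dict) -> set:
    """Resolve the identity's appRoleAssignments to Graph permission names.

    Assignments whose appRoleId is not in the Graph catalogue (grants on other
    resource APIs) are ignored rather than mistaken for Graph rights.
    """
    assignments = json.loads(assignments_json).get("value", [])
    return {role_index[a["appRoleId"]] for a in assignments
            if a.get("appRoleId") in role_index}


def assess(app_roles_json: str, assignments_json: str,
           required=frozenset(REQUIRED_GRAPH_ROLES)) -> dict:
    """Report which required Graph permissions the identity has and lacks."""
    granted = granted_role_values(assignments_json, index_app_roles(app_roles_json))
    return {
        "granted": sorted(granted),
        "missing": sorted(set(required) - granted),
        "ready": required <= granted,
    }


if __name__ == "__main__":
    report = assess(GRAPH_APP_ROLES_JSON, MANAGED_IDENTITY_ASSIGNMENTS_JSON)
    print(json.dumps(report, indent=2))
    if not report["ready"]:
        print("Managed identity cannot manage groups via Graph; missing:",
              ", ".join(report["missing"]))
```

With the constructed sample the identity holds only `User.Read.All`, so the report lists both group permissions as missing and `ready` is false; once the Entra team grants the app roles, re-running the check against the live Graph responses confirms the workaround can be retired. Which of the two group permissions is really needed is worth settling with the Entra team: membership changes alone need the narrower `GroupMember.ReadWrite.All`, while creating and removing groups needs `Group.ReadWrite.All`.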