Merge pull request #6754 from FabienTschanz/fix/permissions

NikCharlebois · web-flow · commit f120e501d28e · 2026-01-07T16:21:48.000-05:00
Update required permissions for resources
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,14 @@
     due to the object depth exceeding two levels.
 * O365OrgSettings
   * Added `CertificatePath` with `CertificatePassword` as an authentication method.
+* TeamsChannel
+  * Updated required permissions for read / update.
+* TeamsEmergencyCallRoutingPolicy
+  * Updated required permissions for read / update.
+* TeamsTeam
+  * Updated required permissions for read / update.
+* TeamsUser
+  * Updated required permissions for read / update.
 * M365DSCDRGUtil
   * Fixed an issue where `Rename-M365DSCCimInstanceParameter` omitted values.
     FIXES [#6727](https://github.com/microsoft/Microsoft365DSC/issues/6727)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsChannel/settings.json
@@ -21,40 +21,16 @@
             "name": "Organization.Read.All"
           },
           {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
+              "name": "TeamSettings.ReadWrite.All"
+            },
           {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
+            "name": "ChannelSettings.Read.All"
           }
         ],
         "update": [
           {
             "name": "Organization.Read.All"
           },
-          {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
           {
             "name": "TeamSettings.ReadWrite.All"
           },
@@ -63,9 +39,6 @@
           },
           {
             "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
           }
         ]
       }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsEmergencyCallRoutingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsEmergencyCallRoutingPolicy/settings.json
@@ -19,53 +19,11 @@
         "read": [
           {
             "name": "Organization.Read.All"
-          },
-          {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
           }
         ],
         "update": [
           {
             "name": "Organization.Read.All"
-          },
-          {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
           }
         ]
       }
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTeam/settings.json
@@ -2,8 +2,12 @@
   "resourceName": "TeamsTeam",
   "description": "",
   "roles": {
-    "read": [],
-    "update": []
+    "read": [
+      "Global Reader"
+    ],
+    "update": [
+      "Teams Administrator"
+    ]
   },
   "permissions": {
     "graph": {
@@ -15,53 +19,11 @@
         "read": [
           {
             "name": "Organization.Read.All"
-          },
-          {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
           }
         ],
         "update": [
           {
             "name": "Organization.Read.All"
-          },
-          {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
           }
         ]
       }
@@ -93,4 +55,4 @@
       ]
     }
   ]
-}
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUser/settings.json
@@ -2,8 +2,12 @@
   "resourceName": "TeamsUser",
   "description": "",
   "roles": {
-    "read": [],
-    "update": []
+    "read": [
+      "Global Reader"
+    ],
+    "update": [
+      "Teams Administrator"
+    ]
   },
   "permissions": {
     "graph": {
@@ -17,51 +21,15 @@
             "name": "Organization.Read.All"
           },
           {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
+            "name": "Team.ReadBasic.All"
           }
         ],
         "update": [
           {
             "name": "Organization.Read.All"
           },
           {
-            "name": "User.Read.All"
-          },
-          {
-            "name": "Group.ReadWrite.All"
-          },
-          {
-            "name": "AppCatalog.ReadWrite.All"
-          },
-          {
-            "name": "TeamSettings.ReadWrite.All"
-          },
-          {
-            "name": "Channel.Delete.All"
-          },
-          {
-            "name": "ChannelSettings.ReadWrite.All"
-          },
-          {
-            "name": "ChannelMember.ReadWrite.All"
+            "name": "Team.ReadBasic.All"
           }
         ]
       }
diff --git a/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 b/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1
@@ -62,7 +62,8 @@ Describe -Name 'Successfully validate all used permissions in Settings.json file
                 'TeamSettings.ReadWrite.All',
                 'Channel.Delete.All',
                 'ChannelSettings.ReadWrite.All',
-                'ChannelMember.ReadWrite.All'
+                'ChannelMember.ReadWrite.All',
+                'Team.ReadBasic.All'
             )
         }
 

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,8 @@ Describe -Name 'Successfully validate all used permissions in Settings.json file`
`62`	`62`	`'TeamSettings.ReadWrite.All',`
`63`	`63`	`'Channel.Delete.All',`
`64`	`64`	`'ChannelSettings.ReadWrite.All',`
`65`		`- 'ChannelMember.ReadWrite.All'`
	`65`	`+ 'ChannelMember.ReadWrite.All',`
	`66`	`+ 'Team.ReadBasic.All'`
`66`	`67`	`)`
`67`	`68`	`}`
`68`	`69`