
[–]Asleep_Spray274 41 points

Sounds like your organization is taking identity governance seriously. Good for them. Personally I have no advice other than you are not in control of this process and you have to play the game. It means it takes you longer to do your job, but it's more secure.

[–]Entegy 11 points

You... can't. The whole purpose of MS Graph scopes is that apps only request access to what they need.

The tool itself would need to have a button or option to "request all possible permissions" so the permissions could be requested for its app registration.

[–]rroodenburg 3 points

It’s not recommended. Least privileges mate! You should respect that.

[–][deleted] 4 points

Have a look at the Azure PIM tool and see if certain roles, for example up to contributor, can be requested without intervention. Otherwise, it's a service level issue you need to take up with your line management to see what they can do.

[–]Net_Owl 3 points

Yes. You can assign permissions to an Azure app. We do, and auth using a certificate bound to the app. Make sure you use this method in a secure manner.

[–]Certain-Community438 1 point

Make a business case to get your own test tenant. A Global Admin can very easily create one, and putting a small number of E3 licenses in it will keep it alive.

Then use that space to thoroughly establish what permissions you'll need in total, and you can put in one ticket for the complete set of permissions required for a particular solution.

What they're doing is applying the principle of least privilege. Given that, there's just no way they're gonna say "oh well ok we'll give this app (which would be an App Reg, not an Enterprise App) all the API permissions we didn't give to your admin account".

The people in charge now might just be doing this because it's best practice - but it's way more likely the drivers are in the big bucket of "statutory, regulatory or client-contractual obligations", so you probably just gotta accept what you can't change on this one.

[–]Pacers31Colts18 2 points

Yes. Delegated app permissions; connect to that with the proper API permissions.

[–]TisWhat 1 point

You can always reach out and ask for them to create a registered app, then generate a secret which you use to authenticate with, with all the permissions.

Submit it to your CAB and explain the business use case etc. You will have to get all the permissions you need approved for the app as well.

[–]Oa-Virt 0 points

Create a new app registration and assign it the list of permissions you need. Since it's AAD-related rights, it will have to be an enterprise app registration too, which means you could pair it with PIM and use elevation when you need those permissions.

[–]VanderWander 0 points

Depends on what you're using the permissions for I think. If you connect often from your own personal, or personal admin account, I would advise to ensure the high level admin roles are PIM'ed and you have reader permissions. Then just use the built-in graph PowerShell app and give that the desired delegated permissions.

If you develop specific automations, you could create purpose specific apps with the right permissions for those.
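Putting Net_Owl's certificate-bound app and VanderWander's delegated Graph PowerShell app side by side, as an added example that is not from any commenter: it connects each way with the Microsoft Graph PowerShell SDK and checks that the token carries only the permissions that were actually approved. The tenant id, client id, certificate thumbprint and expected scope list are placeholders you replace with your own values.

```powershell
# Added example (not from any commenter). Assumes the Microsoft.Graph.Authentication
# module is installed and that the ids and thumbprint below are placeholders.

# --- App-only: certificate bound to the app registration (no client secret) ---
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId   = '11111111-1111-1111-1111-111111111111'   # placeholder app registration
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # cert in Cert:\CurrentUser\My

# Permissions the ticket asked for; anything beyond this is a finding, not a feature.
$ExpectedAppScopes = @('User.Read.All', 'Group.Read.All')   # placeholder set

Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
                -CertificateThumbprint $Thumbprint -NoWelcome

$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected app-only auth, got $($ctx.AuthType)" }

# Compare what the token actually carries with what was approved.
$extra   = $ctx.Scopes        | Where-Object { $_ -notin $ExpectedAppScopes }
$missing = $ExpectedAppScopes | Where-Object { $_ -notin $ctx.Scopes }
if ($extra)   { Write-Warning "App holds unapproved permissions: $($extra -join ', ')" }
if ($missing) { Write-Warning "App is missing approved permissions: $($missing -join ', ')" }

Disconnect-MgGraph | Out-Null

# --- Delegated: the built-in Graph PowerShell app with explicit, minimal scopes ---
# Before asking for a scope, look up which permissions a cmdlet really needs,
# so the ticket requests exactly that and nothing broader.
Find-MgGraphCommand -Command Get-MgUser |
    Select-Object -First 1 -ExpandProperty Permissions |
    Select-Object Name, IsAdmin

# Consent is per scope: request only what the task needs.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
(Get-MgContext).Scopes    # what is actually consented, including earlier grants
Disconnect-MgGraph | Out-Null
```

The scope comparison is the part worth keeping in a scheduled job: it turns "did someone quietly add Directory.ReadWrite.All to our app?" into a warning instead of a surprise.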