[FEATURE] Register-PnPAzureADApp Permissions scope expansion #4178

Open
pkbullock opened this issue Aug 22, 2024 · 8 comments
Labels
enhancement New feature or request

Comments

@pkbullock
Contributor

Hi Team,

I'm looking at writing a sample for creating the equivalent app for PnP Management Shell, and noticed that the existing cmdlet doesn't cover all the permission scopes of the existing app, for example:

  • Dataverse
  • PowerApps
  • Power BI
  • Windows Azure Active Directory
  • Windows Azure Service Management API.

I might temporarily look to cover this with the Azure CLI/SDK, or specify the permissions manually via additional cmdlets if that is possible.

Just thought I'd let you know.

@pkbullock pkbullock added the enhancement New feature or request label Aug 22, 2024
@ToddKlindt
Contributor

I've got this published so far: https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904. I'm not sure if you've already covered all of that yet or not. I'm working on the scopes and the UI bit next.

@pkbullock
Contributor Author

pkbullock commented Aug 22, 2024

@ToddKlindt you are ahead of me; I'll read it to ensure that I'm not duplicating effort. I was going to write a script sample and started a command with all the scopes that are used under delegated, with perhaps some variations for Azure SDK, Graph etc. so folks can prep in a few ways.

Also, I found in the PnP PowerShell repo some JSON files with all the scopes and descriptions; I was thinking that explaining what each one is, as a reference, might be useful.

Happy to slow down and let you run with this since you have a lot of info already, or maybe I can pinch (with credit) a script sample from your post, lol. What would you like to do?

I think working together on this, given the short time frame to get helpful resources available, would definitely be good.

@ToddKlindt
Contributor

I'm in the same boat as you. I have the list of Scopes needed, but Register-PnPAzureADApp won't let me register them all, so I'm having to do a handful by hand.

You're welcome to take whatever you want from my blog post and make a sample out of it. If there's a way to give me credit, please do. Gotta keep that next MVP renewal in mind. :) If there's not, it's no big deal. Like you said, we have a short time frame to get this out there, so the more places the better.

@ToddKlindt
Contributor

To the team,
Here is a list of the Scopes that I can't add with Register-PnPAzureADApp that are added by the existing Enterprise App:

  • AllSites.FullControl
  • AppCatalog.ReadWrite.All
  • Directory.AccessAsUser.All
  • Tasks.ReadWrite
  • ChannelMessage.Send
  • TeamsAppInstallation.ReadWriteForUser
  • ServiceHealth.Read
  • ActivityFeed.Read
  • Directory.AccessAsUser.All
  • user_impersonation

Pretty please with sugar on top add them to the validation sets. :) Or, just spitballing here, add a switch that does all the old Enterprise App scopes in one fell swoop.

Thanks

@jackpoz
Contributor

jackpoz commented Aug 23, 2024

Isn't the whole point of the deprecation of the default Enterprise App that each permission will be added only as needed?

I know it's all just delegated permissions, but still, if you recreate an exact copy of the current Enterprise App, then it's sort of missing the point.

I can imagine even having multiple app registrations with different granted permissions, different settings and different targeted users ("Assignment required" set to True limits who can use the app).

This is sort of the same process someone setting up an app registration with certificate or managed identity would have to go through: check which commands you will use, check which scopes are needed, pick the lowest possible ones.
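One way to do the "by hand" part of the thread above in a least-privilege manner, as an added example that is neither the project's code nor anything posted in the thread: create the registration with Register-PnPAzureADApp as usual, then use the Microsoft.Graph.Applications module to request only the extra delegated scopes the workload actually needs, resolving each scope name to its ID from the resource's service principal. The app name is a constructed placeholder; the resource app IDs are the well-known Microsoft Graph and SharePoint Online IDs.

```powershell
# Added example, not from the PnP PowerShell project. Assumes Microsoft.Graph.Applications
# is installed and the caller can consent to Application.ReadWrite.All.
$appName = 'Contoso-PnP-LeastPrivilege'   # constructed placeholder; create it first with Register-PnPAzureADApp

# Only the delegated scopes this workload really uses, grouped by resource.
# Drop any line you do not need rather than copying the whole old Enterprise App list.
$wanted = @{
    '00000003-0000-0000-c000-000000000000' = @('Tasks.ReadWrite', 'ServiceHealth.Read')  # Microsoft Graph
    '00000003-0000-0ff1-ce00-000000000000' = @('AllSites.FullControl')                   # SharePoint Online
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app) { throw "App registration '$appName' not found; run Register-PnPAzureADApp first." }

$required = @()
foreach ($resourceAppId in $wanted.Keys) {
    # Resolve scope names to GUIDs from the resource's published oauth2PermissionScopes,
    # so nothing is hard-coded and a typo fails loudly instead of silently granting nothing.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
    $access = foreach ($name in $wanted[$resourceAppId]) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object Value -eq $name
        if (-not $scope) { throw "Scope '$name' is not published by resource $resourceAppId" }
        @{ Id = $scope.Id; Type = 'Scope' }   # 'Scope' = delegated; 'Role' would be an application permission
    }
    $required += @{ ResourceAppId = $resourceAppId; ResourceAccess = @($access) }
}

# Update-MgApplication replaces the whole requiredResourceAccess list, so the registration
# ends up carrying exactly the scopes in $wanted and nothing left over from earlier runs.
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# Print what is now requested so it can be reviewed before admin consent is granted.
(Get-MgApplication -ApplicationId $app.Id).RequiredResourceAccess | ForEach-Object {
    '{0}: {1}' -f $_.ResourceAppId, (($_.ResourceAccess | ForEach-Object Id) -join ', ')
}
```

This only edits the registration's requested permissions; granting admin consent (and setting "Assignment required" as jackpoz mentions) are separate steps in the Entra portal or via Graph.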

@pkbullock
Contributor Author

Hi @jackpoz, of course, really good to call this out. From a security point of view, following the principle of least privilege, your own registration would give you control and decision over the permissions you require or are permitted to use by your organization's policies.

In Entra, there are more permissions you could add, beyond what is needed by the cmdlets. One approach is to suggest a script to add them all (based on the original app), describe what they are, and remove as needed, e.g. if you don't need Teams Chat, just SharePoint. From a decisioning point of view it's easier.

Multiple approaches here to help with the transition for a variety of audiences e.g. Dev/Prod, Skills, Knowledge, Security. So blogs, articles, examples are needed to be as supportive as possible, of course better practices on how these should be used is another great topic.

I believe there is an exercise on the cmdlets happening to map what minimum permissions are needed for each cmdlet which may take time.

@joshtransient

Adding User.ReadBasic.All as another permission that can't be added.

@chscott

chscott commented Oct 15, 2024

It would be great to add ExchangeApplicationPermissions and ExchangeDelegatePermissions. My app uses both PnP.PowerShell and ExchangeOnlineManagement, and users have to manually add the Exchange.ManageAsApp permission afterward.
