update scopes

Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess.py

@@ -10,6 +10,14 @@
 # Disable insecure warnings
 urllib3.disable_warnings()  # pylint: disable=no-member
 DATE_FORMAT = '%Y-%m-%dT%H:%M:%S.%f'
+REQUIRED_PERMISSIONS = (
+    'offline_access',  # allows device-flow login
+    'IdentityRiskEvent.Read.All',
+    'IdentityRiskyUser.ReadWrite.All',
+    'RoleManagement.ReadWrite.Directory',
+    'Policy.ReadWrite.ConditionalAccess',
+    'Policy.Read.All'
+)
 
 
 class Client:  # pragma: no cover
@@ -44,7 +52,7 @@ def __init__(self, app_id: str, verify: bool, proxy: bool,
             "command_prefix": "msgraph-identity",
         }
         if not client_credentials:
-            args["scope"] = 'offline_access RoleManagement.ReadWrite.Directory'
+            args["scope"] = ' '.join(REQUIRED_PERMISSIONS)
             args["token_retrieval_url"] = 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
         self.ms_client = MicrosoftClient(**args)  # type: ignore
 

Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/MicrosoftGraphIdentityandAccess_description.md

@@ -29,7 +29,11 @@ Follow these steps for a self-deployed configuration:
 4. Enter your Tenant ID in the ***Tenant ID*** parameter.
 
 ### Required Permissions
-RoleManagement.ReadWrite.Directory - Application
+- `IdentityRiskEvent.Read.All`
+- `IdentityRiskyUser.ReadWrite.All`
+- `RoleManagement.ReadWrite.Directory`
+- `Policy.ReadWrite.ConditionalAccess`
+- `Policy.Read.All`
 
 ### Azure Managed Identities Authentication
 ___

Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccess/README.md

@@ -17,6 +17,16 @@ Use the Azure Active Directory Identity And Access integration to manage roles a
     | Use system proxy settings | False |
 
 4. Click **Test** to validate the URLs, token, and connection.
+
+
+## Required Permissions
+To use this integration, the following permissions are required on the Azure app.  
+- `IdentityRiskEvent.Read.All`
+- `IdentityRiskyUser.ReadWrite.All`
+- `RoleManagement.ReadWrite.Directory`
+- `Policy.ReadWrite.ConditionalAccess`
+- `Policy.Read.All`
+
 ## Commands
 You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
 After you successfully execute a command, a DBot message appears in the War Room with the command details.

Packs/MicrosoftGraphIdentityandAccess/ReleaseNotes/1_2_45.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Azure Active Directory Identity And Access
+
+Fixed an issue where the *Device Code Flow* did not include all the required scopes.

Packs/MicrosoftGraphIdentityandAccess/TestPlaybooks/MSGraph-Identity-testplaybook.yml

@@ -1,19 +1,19 @@
 id: Identity & Access test playbook
 version: -1
-vcShouldKeepItemLegacyProdMachine: false
 name: Identity & Access test playbook
 starttaskid: "0"
 tasks:
   "0":
     id: "0"
-    taskid: 0a2de1dd-32b0-499b-8b5d-fe8b5ee033da
+    taskid: 6caa0aef-05cf-4421-844f-722a7fcaed2b
     type: start
     task:
-      id: 0a2de1dd-32b0-499b-8b5d-fe8b5ee033da
+      id: 6caa0aef-05cf-4421-844f-722a7fcaed2b
       version: -1
       name: ""
       iscommand: false
       brand: ""
+      description: ''
     nexttasks:
       '#none#':
       - "7"
@@ -30,14 +30,184 @@ tasks:
     ignoreworker: false
     skipunavailable: false
     quietmode: 0
-    isoversize: false
-    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 04bf540f-25c5-4b38-85e7-963568d5b061
+    type: regular
+    task:
+      id: 04bf540f-25c5-4b38-85e7-963568d5b061
+      version: -1
+      name: msgraph-identity-auth-test
+      description: Tests connectivity to Microsoft.
+      script: MicrosoftGraphIdentityandAccess|||msgraph-identity-auth-test
+      type: regular
+      iscommand: true
+      brand: MicrosoftGraphIdentityandAccess
+    nexttasks:
+      '#none#':
+      - "6"
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 370
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+  "3":
+    id: "3"
+    taskid: 458d2616-864d-47c6-84e7-37c9373b7628
+    type: regular
+    task:
+      id: 458d2616-864d-47c6-84e7-37c9373b7628
+      version: -1
+      name: msgraph-identity-directory-role-member-add
+      description: Add a user to a role.
+      script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-member-add
+      type: regular
+      iscommand: true
+      brand: MicrosoftGraphIdentityandAccess
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      role_id:
+        complex:
+          root: MSGraphIdentity.Role.[6]
+          accessor: id
+      user_id:
+        complex:
+          root: MSGraphIdentity.RoleMember
+          accessor: user_id
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 895
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+  "4":
+    id: "4"
+    taskid: f37824fe-b943-431d-8adc-ff881ee4c46d
+    type: regular
+    task:
+      id: f37824fe-b943-431d-8adc-ff881ee4c46d
+      version: -1
+      name: msgraph-identity-directory-role-member-remove
+      description: Removes a user from a role.
+      script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-member-remove
+      type: regular
+      iscommand: true
+      brand: MicrosoftGraphIdentityandAccess
+    nexttasks:
+      '#none#':
+      - "8"
+    scriptarguments:
+      role_id:
+        complex:
+          root: MSGraphIdentity.Role.[6]
+          accessor: id
+      user_id:
+        complex:
+          root: MSGraphIdentity.RoleMember
+          accessor: user_id
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 1070
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+  "5":
+    id: "5"
+    taskid: 9be231ca-cb3c-4bfb-8097-9794792ef035
+    type: regular
+    task:
+      id: 9be231ca-cb3c-4bfb-8097-9794792ef035
+      version: -1
+      name: msgraph-identity-directory-role-members-list
+      description: Gets all members in the role ID.
+      script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-role-members-list
+      type: regular
+      iscommand: true
+      brand: MicrosoftGraphIdentityandAccess
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      limit: {}
+      role_id:
+        complex:
+          root: MSGraphIdentity.Role.[0]
+          accessor: id
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 720
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+  "6":
+    id: "6"
+    taskid: 3c9bc415-81cd-4525-8a2c-4677e158c3ca
+    type: regular
+    task:
+      id: 3c9bc415-81cd-4525-8a2c-4677e158c3ca
+      version: -1
+      name: msgraph-identity-directory-roles-list
+      description: Lists roles in the directory.
+      script: MicrosoftGraphIdentityandAccess|||msgraph-identity-directory-roles-list
+      type: regular
+      iscommand: true
+      brand: MicrosoftGraphIdentityandAccess
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      limit:
+        simple: "20"
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 545
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
   "7":
     id: "7"
-    taskid: ffd25416-d2a9-45c2-84ac-da67fbe4b21a
+    taskid: 28b7b9a9-8e50-4a9a-88d9-9df339a8d7b7
     type: regular
     task:
-      id: ffd25416-d2a9-45c2-84ac-da67fbe4b21a
+      id: 28b7b9a9-8e50-4a9a-88d9-9df339a8d7b7
       version: -1
       name: DeleteContext
       description: Delete field from context
@@ -47,10 +217,14 @@ tasks:
       brand: ""
     nexttasks:
       '#none#':
-      - "8"
+      - "2"
     scriptarguments:
       all:
         simple: "yes"
+      index: {}
+      key: {}
+      keysToKeep: {}
+      subplaybook: {}
     separatecontext: false
     view: |-
       {
@@ -64,42 +238,39 @@ tasks:
     ignoreworker: false
     skipunavailable: false
     quietmode: 0
-    isoversize: false
-    isautoswitchedtoquietmode: false
   "8":
     id: "8"
-    taskid: 65919e2a-e2f0-4f9e-8e20-0e0f217b991a
+    taskid: 3dbfa74a-3063-4be8-883d-1aa66dc6c222
     type: title
     task:
-      id: 65919e2a-e2f0-4f9e-8e20-0e0f217b991a
+      id: 3dbfa74a-3063-4be8-883d-1aa66dc6c222
       version: -1
       name: Done
       type: title
       iscommand: false
       brand: ""
+      description: ''
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 40,
-          "y": 410
+          "x": 50,
+          "y": 1245
         }
       }
     note: false
     timertriggers: []
     ignoreworker: false
     skipunavailable: false
     quietmode: 0
-    isoversize: false
-    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 425,
-        "width": 390,
-        "x": 40,
+        "height": 1260,
+        "width": 380,
+        "x": 50,
         "y": 50
       }
     }

Packs/MicrosoftGraphIdentityandAccess/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Graph Identity and Access",
     "description": "Use this pack to manage roles and members in Microsoft.",
     "support": "xsoar",
-    "currentVersion": "1.2.44",
+    "currentVersion": "1.2.45",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",