Preflight Checklist
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
Within our company we run ArgoCD within a K8s cluster.
ArgoCD is configured to use DEX for authentication to MS Azure AD.
Currently MS Graph is used for Azure AD in ArgoCD.
For security reasons we'd like to limit the authentication requests to need only &scope=user.read instead of both &scope=user.read+directory.read.all. This way, only those few groups are returned which were explicitly assigned in Azure AD to the given application.
Background:
With respect to the principle of least privilege, we do not want to have the possibility/admin rights to expose the whole enterprise AD structure.
Proposed Solution
Allow the scope to be configured at the application side -or- narrow down the scope entirely.
Alternatives Considered
No response
Additional Information
No response
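An added example, not part of the original issue or of the Dex code base: a small audit check that reads the `scope` parameter of an OAuth2 authorization request URL and reports anything beyond an allow-list, which is how the `directory.read.all` request described above can be spotted in redirect or proxy logs. The allow-list contents, the case-insensitive comparison, the handling of the `https://graph.microsoft.com/` prefix, and the sample URLs (with placeholder tenant and client id) are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy: scopes the identity connector is allowed to request.
# Only user.read comes from the issue; the OIDC protocol scopes are an assumption.
ALLOWED_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize_scope(scope):
    """Lower-case a scope (assumed case-insensitive) and drop the Graph resource prefix."""
    s = scope.strip().lower()
    if s.startswith(GRAPH_PREFIX):
        s = s[len(GRAPH_PREFIX):]
    return s


def requested_scopes(authorize_url):
    """Return the normalized set of scopes in an authorization request URL."""
    query = urlsplit(authorize_url).query
    # parse_qs decodes both '+' and '%20' to a space, the OAuth2 scope delimiter.
    values = parse_qs(query).get("scope", [])
    return {normalize_scope(tok) for v in values for tok in v.split()}


def excess_scopes(authorize_url, allowed=ALLOWED_SCOPES):
    """Return the sorted scopes that exceed the allow-list (empty list = compliant)."""
    return sorted(requested_scopes(authorize_url) - set(allowed))


# Constructed sample requests; TENANT and CLIENT are placeholders.
BASE = ("https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize"
        "?client_id=CLIENT&response_type=code&scope=")
SAMPLES = [
    BASE + "user.read",
    BASE + "user.read+directory.read.all",
    BASE + "https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20Directory.Read.All",
]

if __name__ == "__main__":
    for url in SAMPLES:
        extra = excess_scopes(url)
        verdict = "OK" if not extra else "EXCESS: " + ", ".join(extra)
        print(verdict, "<-", url.split("scope=", 1)[1])
```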