From 5f0513fded48eab16a8e97aff385c912915a8868 Mon Sep 17 00:00:00 2001 From: audunsolemdal Date: Tue, 14 Mar 2023 10:44:32 +0100 Subject: [PATCH 1/2] Update required application permissions for azuread_group and azuread_group_member --- docs/resources/group.md | 2 +- docs/resources/group_member.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resources/group.md b/docs/resources/group.md index c31c380a7e..b9c7451039 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md @@ -10,7 +10,7 @@ Manages a group within Azure Active Directory. The following API permissions are required in order to use this resource. -When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All` +When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. Alternatively you can grant the principal the application role `Group.Create`, and make the principal as part of the owners of the group. If using the `assignable_to_role` property, this resource additionally requires one of the following application roles: `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All` diff --git a/docs/resources/group_member.md b/docs/resources/group_member.md index e33832a927..b24df364fc 100644 --- a/docs/resources/group_member.md +++ b/docs/resources/group_member.md 
@@ -12,7 +12,7 @@ Manages a single group membership within Azure Active Directory. The following API permissions are required in order to use this resource. -When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All` +When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. If the service principal is an owner of the group, these permissions are not required. When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator` From 7bfadc8e0b57a0d93c7b962656f1347d488bd4ae Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Wed, 22 Mar 2023 21:12:40 +0000 Subject: [PATCH 2/2] Docs wording tweak --- docs/resources/group.md | 4 +++- docs/resources/group_member.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/resources/group.md b/docs/resources/group.md index b9c7451039..13b8b0122c 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md 
@@ -10,7 +10,9 @@ Manages a group within Azure Active Directory. The following API permissions are required in order to use this resource. -When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. Alternatively you can grant the principal the application role `Group.Create`, and make the principal as part of the owners of the group. +When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. + +Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: `Group.Create`. If using the `assignable_to_role` property, this resource additionally requires one of the following application roles: `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All` diff --git a/docs/resources/group_member.md b/docs/resources/group_member.md index b24df364fc..73d6ea29c7 100644 --- a/docs/resources/group_member.md +++ b/docs/resources/group_member.md 
@@ -12,7 +12,9 @@ Manages a single group membership within Azure Active Directory. The following API permissions are required in order to use this resource. -When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. If the service principal is an owner of the group, these permissions are not required. +When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. + +However, if the authenticated service principal is an owner of the group being managed, an application role is not required. When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`
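Review bot: in the PATCH 1/2 hunk for docs/resources/group.md, "make the principal as part of the owners of the group" is ungrammatical, and the sentence leaves open whether `Group.Create` alone is enough for the create step, since a principal cannot already be an owner of a group that does not yet exist; suggest "Alternatively, grant the principal the `Group.Create` application role and include it among the group's owners." and a clause stating that the principal must be set as an owner at creation time. (PATCH 2/2 in this series rewords the same line, so the fix may be folded there.)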
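Review bot: in the PATCH 1/2 hunk for docs/resources/group_member.md, "these permissions are not required" is ambiguous (the line it follows lists application roles, not permissions) and the two files now describe the same owner-based exception in different terms (group.md: "Alternatively you can grant ... `Group.Create`"; group_member.md: "these permissions are not required"); suggest parallel wording, e.g. "If the service principal is an owner of the group, neither of these application roles is required."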
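Review bot: in the PATCH 2/2 hunk for docs/resources/group.md, "this resource can use the application role: `Group.Create`" has a stray colon before a single value, and the sentence still does not say how the principal becomes an owner of a group this resource is creating; suggest "Alternatively, if the authenticated service principal is also an owner of the group being managed, the `Group.Create` application role is sufficient." followed by a clause on setting the principal as an owner when the group is created. The unchanged `assignable_to_role` context line also still ends without a full stop while the new lines have one; worth aligning for consistency.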
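Review bot: in the PATCH 2/2 hunk for docs/resources/group_member.md, "an application role is not required" can be read as "no permission at all is needed"; since the preceding line lists `Group.ReadWrite.All` and `Directory.ReadWrite.All`, suggest "neither of these application roles is required" so readers do not conclude that an otherwise unprivileged principal can manage arbitrary memberships. The unchanged user-principal context line below still lacks a trailing full stop, unlike the new lines.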