[Docs] Changes Group.Read.All to GroupMember.Read.All in docs#13800
[Docs] Changes Group.Read.All to GroupMember.Read.All in docs#13800dcfSec wants to merge 1 commit intoDefectDojo:bugfixfrom dcfSec:bugfix
Conversation
dcfSec
changed the title
Maffooch
left a comment
Maffooch
left a comment
There was a problem hiding this comment.
Rather than asserting the usage of GroupMember.Read.All over Group.Read.All I think it would be preferable to add a note explaining why GroupMember.Read.All can be used in place of Group.Read.All
I think it is important that people should use the lower privileged permissions and not only can use them. Also Microsoft themself recommends the GroupMember permission as least-privileged permissions (See here for the used endpoint. I'll think how to better phrase that, if you wish to leave the Group permission in the documentation. |
|
@dcfSec While I also agree that people should use the least privileged option (and we should highlight that as the preferred option), I also believe the docs should reflect all the options, noting which are better than others rather than excluding less optimal options. I've been doing this security stuff long enough to know sometimes circumstances forces the best of the bad options vs the truly best option from time to time. I'd rather have our users informed and able to make the choice that best fits their situation which they'll know best. |
3 participants
Description
This PR changes the recommended Entra Id API permission from Group.Read.All to GroupMember.Read.All. The reason for this is that with Group.* permission the application can also access MS Teams APIs (see here. For least privileges it is better to use the GroupMember.Read.All permission. This permission still allows to read basic group properties and group member (see here) but prevents the application from reading e.g., Teams chats or shared files.