@steigr steigr commented Jan 14, 2026

Remove Directory.Read.All Requirement from Microsoft Connector

Summary

This PR reworks the Microsoft connector to avoid API calls that require Directory.Read.All permissions, significantly reducing the permission scope needed for the connector to function.

Problem

The previous implementation required Directory.Read.All permission to fetch group memberships, which is a highly privileged permission that many organizations are reluctant to grant. This created a barrier to adoption for security-conscious environments.

Solution

Instead of using:

  • /me/getMemberGroups (requires Directory.Read.All)
  • /directoryObjects/getByIds (requires Directory.Read.All)

We now use:

  • /me/memberOf/microsoft.graph.group - which only requires permissions configured on the app registration

Scope Changes

Before                After
user.read             openid
directory.read.all    https://graph.microsoft.com/.default

The .default scope tells Microsoft to use the permissions already configured on the app registration, giving administrators full control over what permissions are granted.

Changes

Code Changes

  • Replace scopeUser and scopeGroups constants with scopeOpenID and scopeDefault
  • Add new get() HTTP method for fetching group memberships via GET requests
  • Rename getGroupNames() to queryGroups() for clarity
  • Add Id field to the group struct to support both name and ID formats
  • Add debug logging for group resolution process

Test Changes

  • New: TestUserGroupsWithGroupIDFormat - verifies group ID format support
  • New: TestLoginURLWithCustomScopes - verifies custom scope configuration
  • New: TestLoginURLWithOfflineAccess - verifies offline_access scope handling
  • New: TestUserGroupsWithWhitelist - verifies whitelist filtering behavior
  • New: TestUserGroupsNotInRequiredGroups - verifies required groups validation
  • New: TestUserGroupsInRequiredGroups - verifies required groups success case
  • Updated: Existing tests updated for new API endpoint and scope values

Migration Notes

Users upgrading to this version should:

  1. Ensure their Azure AD app registration has the necessary API permissions configured (e.g., User.Read or Group.Read.All)
  2. Remove Directory.Read.All permission if it was only used for dex
  3. The groupNameFormat configuration option continues to work as before

Testing

All tests pass:

=== RUN   TestLoginURL
--- PASS: TestLoginURL
=== RUN   TestLoginURLWithOptions  
--- PASS: TestLoginURLWithOptions
=== RUN   TestUserIdentityFromGraphAPI
--- PASS: TestUserIdentityFromGraphAPI
=== RUN   TestUserGroupsFromGraphAPI
--- PASS: TestUserGroupsFromGraphAPI
=== RUN   TestUserGroupsWithGroupIDFormat
--- PASS: TestUserGroupsWithGroupIDFormat
=== RUN   TestLoginURLWithCustomScopes
--- PASS: TestLoginURLWithCustomScopes
=== RUN   TestLoginURLWithOfflineAccess
--- PASS: TestLoginURLWithOfflineAccess
=== RUN   TestUserGroupsWithWhitelist
--- PASS: TestUserGroupsWithWhitelist
=== RUN   TestUserGroupsNotInRequiredGroups
--- PASS: TestUserGroupsNotInRequiredGroups
=== RUN   TestUserGroupsInRequiredGroups
--- PASS: TestUserGroupsInRequiredGroups
PASS

Related Issues

  • Addresses concerns about overly broad permissions in enterprise environments
  • Related to dexidp/dex#2877

… Microsoft connector to avoid API calls requiring Directory.Read.All permissions. This reduces the permission scope needed for the connector to function. Changes: - Replace user.read and directory.read.all scopes with openid and the .default scope to use permissions configured on the app registration - Use /me/memberOf/microsoft.graph.group endpoint instead of /me/getMemberGroups and /directoryObjects/getByIds which require Directory.Read.All - Add new get() HTTP method for fetching group memberships - Support both group name and group ID formats via groupNameFormat - Add debug logging for group resolution Tests: - Add TestUserGroupsWithGroupIDFormat for group ID format support - Add TestLoginURLWithCustomScopes for custom scope configuration - Add TestLoginURLWithOfflineAccess for offline_access scope - Add TestUserGroupsWithWhitelist for whitelist filtering - Add TestUserGroupsNotInRequiredGroups for required groups validation - Add TestUserGroupsInRequiredGroups for required groups success case - Update existing tests for new API endpoint and scope values

Signed-off-by: steigr <me@stei.gr>
@steigr steigr force-pushed the feature/azure-less-permissions branch from 32c1df9 to e3ff28a on January 14, 2026 20:23
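The flow the PR describes (walk /me/memberOf/microsoft.graph.group with the user's delegated token, emit names or IDs according to groupNameFormat, then apply whitelist and required-group policy) as an added, stand-alone Go example. This is illustrative code written for this page, not the dex connector's implementation or the PR's diff; the function names, the "name"/"id" format values, the policy semantics in filterGroups (user must belong to at least one required group; whitelist only trims what is returned) and the group names and IDs served by the fake Graph server are all assumptions made here. Two details a practitioner would want that the PR text does not spell out: Graph pages large collections and the client must follow @odata.nextLink to see every group, and the bearer token should only ever be sent to the Graph origin it started from, so the example refuses a nextLink pointing elsewhere. Note also that memberOf lists direct memberships only; a tenant that relied on nested group membership would need /me/transitiveMemberOf/microsoft.graph.group instead.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// graphGroup holds the two fields of a Graph group object the connector needs.
type graphGroup struct {
	ID          string `json:"id"`
	DisplayName string `json:"displayName"`
}

// graphPage is one page of a Graph collection; further pages are announced
// through @odata.nextLink, which a client must follow to see every group.
type graphPage struct {
	Value    []graphGroup `json:"value"`
	NextLink string       `json:"@odata.nextLink"`
}

// queryGroups walks every page of /v1.0/me/memberOf/microsoft.graph.group with the
// user's delegated token and returns display names ("name") or object IDs ("id").
// memberOf is direct membership only; nested groups need transitiveMemberOf.
func queryGroups(ctx context.Context, client *http.Client, graphURL, token, format string) ([]string, error) {
	if format != "name" && format != "id" {
		return nil, fmt.Errorf("unsupported groupNameFormat %q (want name or id)", format)
	}
	base, err := url.Parse(graphURL)
	if err != nil {
		return nil, err
	}
	next := graphURL + "/v1.0/me/memberOf/microsoft.graph.group?$select=id,displayName"
	var out []string
	for next != "" {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, next, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		var page graphPage
		if resp.StatusCode == http.StatusOK {
			err = json.NewDecoder(resp.Body).Decode(&page)
		} else {
			err = fmt.Errorf("graph returned %s for %s", resp.Status, next)
		}
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, g := range page.Value {
			if format == "id" {
				out = append(out, g.ID)
			} else {
				out = append(out, g.DisplayName)
			}
		}
		// Never send the bearer token anywhere but the Graph origin we started from,
		// even if a response points the next page elsewhere.
		next = page.NextLink
		if u, perr := url.Parse(next); next != "" && (perr != nil || u.Scheme != base.Scheme || u.Host != base.Host) {
			return nil, fmt.Errorf("refusing to follow @odata.nextLink off the Graph origin: %s", next)
		}
	}
	return out, nil
}

// filterGroups applies the policy assumed here: with a non-empty required list the
// user must be in at least one required group (checked on full membership); with a
// non-empty whitelist only whitelisted groups are passed on in the identity.
func filterGroups(groups, whitelist, required []string) ([]string, error) {
	member := toSet(groups)
	if len(required) > 0 && !anyIn(member, required) {
		return nil, fmt.Errorf("user is not in any required group %v", required)
	}
	if len(whitelist) == 0 {
		return groups, nil
	}
	allowed := toSet(whitelist)
	var kept []string
	for _, g := range groups {
		if allowed[g] {
			kept = append(kept, g)
		}
	}
	return kept, nil
}

func toSet(xs []string) map[string]bool {
	m := make(map[string]bool, len(xs))
	for _, x := range xs {
		m[x] = true
	}
	return m
}

func anyIn(set map[string]bool, xs []string) bool {
	for _, x := range xs {
		if set[x] {
			return true
		}
	}
	return false
}

// newFakeGraph serves a constructed two-page memberOf response (made-up group names
// and IDs) so the example runs offline, and rejects any token but "test-token".
func newFakeGraph() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, `{"error":{"code":"InvalidAuthenticationToken"}}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Query().Get("$skiptoken") == "" {
			json.NewEncoder(w).Encode(graphPage{
				Value:    []graphGroup{{ID: "0f1e2d3c-0000-4000-8000-000000000001", DisplayName: "dex-admins"}},
				NextLink: srv.URL + "/v1.0/me/memberOf/microsoft.graph.group?$skiptoken=page2",
			})
			return
		}
		json.NewEncoder(w).Encode(graphPage{
			Value: []graphGroup{{ID: "0f1e2d3c-0000-4000-8000-000000000002", DisplayName: "developers"}},
		})
	}))
	return srv
}

func main() {
	srv := newFakeGraph()
	defer srv.Close()
	names, err := queryGroups(context.Background(), srv.Client(), srv.URL, "test-token", "name")
	if err != nil {
		panic(err)
	}
	kept, err := filterGroups(names, []string{"developers"}, []string{"developers", "ops"})
	fmt.Println(names, kept, err)
}
```

Against the real service the only changes are the Graph base URL (https://graph.microsoft.com) and the access token obtained with the openid and https://graph.microsoft.com/.default scopes; whether that token can read group membership at all is then decided purely by the delegated permissions consented on the app registration, which is the point of the PR.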