Azure Permissions Directory.ReadWrite.All is not permitted by BECU Cybersecurity. What is really needed?

Eric_Gauthier
Tera Contributor

Subject: Azure Permissions Directory.ReadWrite.All is not permitted by Cybersecurity

Description: Hello, we are trying to set up an Azure Integration where we are able to use the Azure Integration Hub spoke to add users to, and remove users from, an Azure AD Group.

The problem is that ServiceNow requires "Directory.ReadWrite.All", and I was denied this request by my Cybersecurity Team. They indicated that this level of access is too broad and a more appropriate level of permission is required, as Directory.ReadWrite.All is not appropriate and will not be allowed. What permissions are a MUST to do what we need it to do? Is there a way to accomplish what we need to do without "Directory.ReadWrite.All"?

Eric Gauthier, CSPO
BECU
ServiceNow Operations Engineer
3 REPLIES

Richard Hine
Tera Guru

Eric,

Have you tried giving the API permission Group.ReadWrite.All instead?

Richard
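
One way to check what the integration's app registration actually holds after the consent is changed, as an added example that is not part of the thread or of ServiceNow's code: decode the app-only access token and inspect its `roles` claim, where Microsoft Entra ID lists granted application permissions. The allow-list (the permission suggested in the reply above) and the unsigned sample tokens are assumptions constructed for the demo.

```python
import base64
import json

# Assumption: the integration should hold only the permission suggested above.
ALLOWED_ROLES = {"Group.ReadWrite.All"}
# The permission the security team rejected in the original post.
REJECTED_ROLES = {"Directory.ReadWrite.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Fine for auditing a token you requested yourself; never use
    unverified claims to make an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def audit_app_token(jwt: str) -> dict:
    """Compare the application permissions in an app-only token
    (its 'roles' claim) against the allow-list."""
    roles = set(token_claims(jwt).get("roles", []))
    rejected = roles & REJECTED_ROLES
    unexpected = roles - ALLOWED_ROLES - REJECTED_ROLES
    return {
        "granted": sorted(roles),
        "rejected": sorted(rejected),      # explicitly disallowed
        "unexpected": sorted(unexpected),  # not on the allow-list
        "missing": sorted(ALLOWED_ROLES - roles),
        "compliant": not rejected and not unexpected,
    }


def sample_token(roles: list) -> str:
    """Build a constructed, unsigned token for the demo (not a real one)."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    for granted in (["Directory.ReadWrite.All"], ["Group.ReadWrite.All"]):
        print(audit_app_token(sample_token(granted)))
```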

Vaidehi Kute
Giga Contributor

Hello Eric,

Please go through the attachment below.

Mark Helpful if it is worth it.

I think the steps you have given are for cloud discovery and not for using the Azure AD spokes to manipulate Azure AD.