Legacy Permissions and Permission Migration Guidance
Microsoft Azure Graph API Permission Changes (v6.2 onwards)
In this article, we cover the changes made to the default Microsoft Graph API permission requirements from version 6.2 of Nerdio Manager onwards. The change replaces the broad Directory.Read.All delegated permission with a set of narrower, purpose-specific read permissions, reducing the permission scope held by the Nerdio Manager application and thereby enhancing security. The permissions listed below are a subset of the full permission requirements listed here: Azure Permissions and Nerdio Manager
These permission changes are applied by default to new installs of the Nerdio Manager 6.2 General Availability (GA) release, so no action is required for new deployments.
For existing installations, the changes described below may be made after the environment has been upgraded to the 6.2 release. These changes are optional. Existing customers may choose to retain their existing permission structure, which remains supported.
Warning: Do not make the listed permission changes to any release version prior to the 6.2 release, as this leads to broken functionality within Nerdio Manager. If changes have been made to your pre-6.2 environment, please contact the support team for assistance.
Default Permission List Prior to v6.2
This table lists the Microsoft Graph API permissions that were required for all installs before version 6.2. It also remains valid for environments that have upgraded to 6.2 but have not completed the modifications described later in this article.
Service | Permission | Function |
---|---|---|
Microsoft Graph | Application.ReadWrite.All (delegated) | Manage the Nerdio Manager application service principal. |
Microsoft Graph | AppRoleAssignment.ReadWrite.All | Assign users to the Nerdio Manager application to enable user sign-in. |
Microsoft Graph | Directory.Read.All (delegated) | Perform reads against the directory in the active user's context. |
Microsoft Graph | User.Read (delegated), User.ReadBasic.All (delegated), GroupMember.Read.All (application), Organization.Read.All (application), User.Read.All (application), (Optional) Group.Read.All (application) | Read the Entra ID groups and membership for app group assignments. |
Microsoft Graph | offline_access (delegated), openid (delegated), profile (delegated), (Optional) Mail.Send (delegated) | Allow user sign-in and delegated actions. |
Microsoft Azure Graph API Permission List: v6.2 and Onwards
This table lists the Microsoft Graph API permissions required for Nerdio Manager v6.2 and later. The delegated permissions added by the migration procedure below are listed in bold.
Note: This list only applies once the changes described later in this article have been completed. If Directory.Read.All has not been removed, refer to the list above instead.
Service | Permission | Function |
---|---|---|
Microsoft Graph | **Application.Read.All (delegated)**, AppRoleAssignment.ReadWrite.All, Application.ReadWrite.All | Manage the Nerdio Manager application service principal and assign users to the Nerdio Manager application to enable user sign-in. |
Microsoft Graph | **Organization.Read.All (delegated)**, Organization.Read.All (application) | Read organization-level information, such as the tenant name. |
Microsoft Graph | User.Read (delegated), User.ReadBasic.All (delegated), **User.Read.All (delegated)**, User.Read.All (application), **Group.Read.All (delegated)**, Group.Read.All (application), GroupMember.Read.All (delegated) | Read the Entra ID groups and membership for app group assignments. |
Microsoft Graph | offline_access (delegated), openid (delegated), profile (delegated), (Optional) Mail.Send (delegated) | Allow user sign-in and delegated actions. |
Modify Permissions for Existing Installations
Note: This change is only needed if you want to remove the Directory.Read.All permission. Existing customers do not need to make this change unless the narrower permission set is preferable; retaining the old permission set remains fully supported.
Once your Nerdio Manager environment has been upgraded to v6.2 or later, you may alter the permissions to remove Directory.Read.All. Follow the process below to complete this task, or contact the Nerdio Support team if you require assistance.
Prerequisites
Ensure your Nerdio Manager environment is running at least version 6.2 GA before you continue.
A Global Administrator account is required to perform the operations below, including granting tenant-wide admin consent for the new permissions.
To modify the permissions for an existing installation:
1. In the Azure portal, sign in as a Global Administrator.
2. Navigate to Microsoft Entra ID.
3. In the Manage blade, select App registrations.
4. Select your Nerdio Manager application.
5. In the Manage blade, select API permissions.
6. Select + Add a permission and add the following Microsoft Graph delegated permissions:
   - User.Read
   - User.ReadBasic.All
   - User.Read.All
   - Group.Read.All
   - Application.Read.All
   - Organization.Read.All
7. Remove the Directory.Read.All permission.
8. Select Grant admin consent for your tenant and confirm in the pop-up. The new permissions are not usable until admin consent has been granted.
9. Navigate to Enterprise applications and select your Nerdio Manager application.
10. In the Security blade, select Permissions.
11. Validate that all the new permissions listed above are shown as granted, and that the Directory.Read.All permission is no longer listed.
12. Navigate to App Services and select your Nerdio Manager app service.
13. In the Settings blade, select Environment variables.
14. Select + Add and add the following app setting:
    Name: AzureAD:DefaultGraphScopes
    Value: User.Read|User.ReadBasic.All|User.Read.All|Group.Read.All|Application.Read.All|Organization.Read.All
15. Save the new setting, then navigate to Overview and select Restart to restart your app service.
The change is now complete. Please contact the Nerdio support team if you require further assistance.
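As an added check (an example script written for this article, not Nerdio's own tooling or part of the product), the following Microsoft Graph PowerShell script reports what the Nerdio Manager app registration requests and what has actually been consented on its enterprise application, and flags any of the six delegated scopes that are missing, or a Directory.Read.All grant that survived the change. It reads both objects because the permission request on the app registration (requiredResourceAccess) and the admin consent recorded on the enterprise application (oAuth2PermissionGrant and appRoleAssignment) are separate objects in Entra ID, so a permission can be removed from one while still being granted on the other. It assumes the Microsoft.Graph PowerShell SDK is installed, that the app registration's display name is 'Nerdio Manager' (adjust $AppDisplayName), and that the operator's own session is granted the read-only scopes passed to Connect-MgGraph; those scopes belong to the operator running the check, not to the Nerdio Manager application.

```powershell
# Added example: verify the v6.2 Microsoft Graph permission set on the Nerdio Manager
# app registration and its enterprise application. Not Nerdio's own tooling.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $AppDisplayName matches your
# app registration; the operator's session gets read-only scopes (these are the
# operator's scopes for this check, not the Nerdio Manager application's permissions).
param(
    [string]$AppDisplayName = 'Nerdio Manager'   # assumption: change to your app registration name
)

Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

# Delegated scopes the procedure adds; mirrors the AzureAD:DefaultGraphScopes value.
$expectedDelegated = @('User.Read', 'User.ReadBasic.All', 'User.Read.All',
                       'Group.Read.All', 'Application.Read.All', 'Organization.Read.All')
$removedScope = 'Directory.Read.All'

$apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($apps.Count -ne 1) { throw "Expected exactly one app registration named '$AppDisplayName', found $($apps.Count)" }
$app = $apps[0]

# Microsoft Graph's service principal holds the id -> name mapping for its scopes and app roles.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scopeNameById = @{}
foreach ($s in $graphSp.Oauth2PermissionScopes) { $scopeNameById[$s.Id] = $s.Value }
$roleNameById = @{}
foreach ($r in $graphSp.AppRoles) { $roleNameById[$r.Id] = $r.Value }

# 1. Requested permissions: App registrations > API permissions (application.requiredResourceAccess).
$requestedDelegated = @(); $requestedApplication = @()
foreach ($resource in ($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $graphAppId })) {
    foreach ($entry in $resource.ResourceAccess) {
        switch ($entry.Type) {
            'Scope' { $requestedDelegated += $scopeNameById[$entry.Id] }   # delegated permission
            'Role'  { $requestedApplication += $roleNameById[$entry.Id] }  # application permission
        }
    }
}

# 2. Consented permissions: Enterprise applications > Permissions (oAuth2PermissionGrant / appRoleAssignment).
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "No service principal (enterprise application) found for appId $($app.AppId)" }
$consentedDelegated = @()
foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id)) {
    if ($grant.ResourceId -eq $graphSp.Id) {
        # Scope is a space-separated list; ConsentType 'AllPrincipals' is tenant-wide admin consent.
        $consentedDelegated += ($grant.Scope -split ' ' | Where-Object { $_ })
    }
}
$consentedApplication = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNameById[$_.AppRoleId] })

# 3. Compare both views against the v6.2 target.
$problems = @()
foreach ($scope in $expectedDelegated) {
    if ($scope -notin $requestedDelegated) { $problems += "Delegated $scope is not requested on the app registration" }
    if ($scope -notin $consentedDelegated) { $problems += "Delegated $scope has no admin consent on the enterprise application" }
}
if ($removedScope -in $requestedDelegated) { $problems += "$removedScope is still requested on the app registration" }
if ($removedScope -in $consentedDelegated) { $problems += "$removedScope consent was not revoked on the enterprise application" }

Write-Host "Requested delegated:   $($requestedDelegated -join ', ')"
Write-Host "Requested application: $($requestedApplication -join ', ')"
Write-Host "Consented delegated:   $($consentedDelegated -join ', ')"
Write-Host "Consented application: $($consentedApplication -join ', ')"
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Permission set matches the v6.2 target and Directory.Read.All is gone."
```

The script exits with a non-zero code when anything is off, so it can be run after the portal steps as a gate before restarting the app service. It does not check the AzureAD:DefaultGraphScopes app setting, which lives on the App Service rather than in Entra ID; confirm that one in the Environment variables blade as described in the steps above.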