Use Group.Create instead of Group.ReadWrite.All for group creation (#4774)

Author: marrobi

CHANGELOG.md

@@ -7,6 +7,7 @@
 ENHANCEMENTS:
 * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754))
 * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742))
+* Change Group.ReadWrite.All permission to Group.Create for AUTO_WORKSPACE_GROUP_CREATION ([#4772](https://github.com/microsoft/AzureTRE/issues/4772))
 * Make workspace shared storage quota updateable ([#4314](https://github.com/microsoft/AzureTRE/issues/4314))
 
 BUG FIXES:

config.sample.yaml

@@ -80,7 +80,7 @@ authentication:
   # When this is true, create Workspaces will also create an AAD Application automatically.
   # When this is false, the AAD Application will need creating manually.
   auto_workspace_app_registration: true
-  # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
+  # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.Create`
   auto_workspace_group_creation: false
   # Setting this to true will remove the need for users to manually grant consent when creating new workspaces.
   # The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions.
@@ -101,7 +101,6 @@ ui_config:
   ui_site_name: "Azure TRE"
   # Footer text shown in the bottom left hand corner of the TRE portal
   ui_footer_text: "Azure Trusted Research Environment"
-
 #developer_settings:
 # Locks will not be added to stateful resources so they can be easily removed
 # stateful_resources_locked: false

devops/scripts/create_aad_assets.sh

@@ -33,7 +33,7 @@ if [ "${AUTO_WORKSPACE_APP_REGISTRATION:-}" == true ]; then
 fi
 
 if [ "${AUTO_WORKSPACE_GROUP_CREATION:-}" == true ]; then
-  APPLICATION_PERMISSIONS+=("Group.ReadWrite.All")
+  APPLICATION_PERMISSIONS+=("Group.Create")
 fi
 
 if [ "${AUTO_GRANT_WORKSPACE_CONSENT:-}" == true ]; then

docs/tre-admins/environment-variables.md

@@ -48,7 +48,7 @@
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). |
 | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. |
 | `AUTO_WORKSPACE_APP_REGISTRATION`| Set to `false` by default. Setting this to `true` grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy` permission. [Further information on Application Admin can be found here](./identities/application_admin.md). |
-| `AUTO_WORKSPACE_GROUP_CREATION`| Set to `false` by default. Setting this to `true` grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. [You can read mode about Group Assignment here](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). |
+| `AUTO_WORKSPACE_GROUP_CREATION`| Set to `false` by default. Setting this to `true` grants the `Group.Create` permission to the *Application Admin* identity. This identity can then create security groups aligned to each application role. |
 | `AUTO_GRANT_WORKSPACE_CONSENT`| Default of `false`.  Setting this to `true` will remove the need for users to manually grant consent when creating new workspaces. The identity will be granted `Application.ReadWrite.All` and `DelegatedPermissionGrant.ReadWrite.All` permissions. |
 | `USER_MANAGEMENT_ENABLED` | If set to `true`, TRE Admins will be able to assign and de-assign users to workspaces via the UI (Requires Entra ID groups to be enabled on the workspace and the workspace template version to be 2.2.0 or greater). |
 | `PRIVATE_AGENT_SUBNET_ID` | Optional. Vnet exception is enabled for the provided runner agent subnet id, enabling access to private resources like TRE key vault. |

docs/tre-admins/identities/application_admin.md

@@ -13,8 +13,8 @@ This application does not have any roles defined.
 | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the Microsoft Entra ID Application. This will be a manual process for the Tenant Admin. |
 | Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. |
 | Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. |
-| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is requried if Microsoft Entra ID groups are to be created automatically by the TRE. |
-| DelegatedPermissionGrant.ReadWrite.All | Application | Yes | This permssion is required to remove the need for users to manually grant consent when creating new workspaces. |
+| Group.Create | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is required if Microsoft Entra ID groups are to be created automatically by the TRE. |
+| DelegatedPermissionGrant.ReadWrite.All | Application | Yes | This permission is required to remove the need for users to manually grant consent when creating new workspaces. |
 
 '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details.
 
@@ -31,7 +31,7 @@ This user is currently only used from the Porter bundles hosted on the Resource
 | -------- | ----------- |
 | `--name` | This is used to put a friendly name to the Application that can be seen in the portal. It is typical to use the name of your TRE instance. |
 | `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an Microsoft Entra ID Admin to consent after you have created the identity. Consent is required for this permission. |
-| `--application-permission` | This  is a comma seperated list of the permissions that need to be assigned. For exampler `Application.ReadWrite.All,Directory.Read.All,Group.ReadWrite.All` |
+| `--application-permission` | This is a comma separated list of the permissions that need to be assigned. For example `Application.ReadWrite.All,Directory.Read.All,Group.Create` |
 | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. |
 
 ## Environment Variables

templates/workspaces/base/terraform/aad/aad.tf

@@ -143,21 +143,21 @@ resource "azuread_app_role_assignment" "workspace_owner" {
 resource "azuread_group" "workspace_owners" {
   count            = var.create_aad_groups ? 1 : 0
   display_name     = "${var.workspace_resource_name_suffix} Workspace Owners"
-  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id]
+  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id, data.azuread_client_config.current.object_id]
   security_enabled = true
 }
 
 resource "azuread_group" "workspace_researchers" {
   count            = var.create_aad_groups ? 1 : 0
   display_name     = "${var.workspace_resource_name_suffix} Workspace Researchers"
-  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id]
+  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id, data.azuread_client_config.current.object_id]
   security_enabled = true
 }
 
 resource "azuread_group" "workspace_airlock_managers" {
   count            = var.create_aad_groups ? 1 : 0
   display_name     = "${var.workspace_resource_name_suffix} Airlock Managers"
-  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id]
+  owners           = [var.workspace_owner_object_id, data.azuread_service_principal.core_api.object_id, data.azuread_client_config.current.object_id]
   security_enabled = true
 }