
Conversation

@marrobi
Member

@marrobi marrobi commented Nov 25, 2025

Resolves #4772

What is being addressed

AzureTRE currently grants the Group.ReadWrite.All permission to its Application Admin for group creation, which is broader than necessary. The update aligns permissions with the actual needs by utilizing the Group.Create permission instead.

How is this addressed

  • Changed the permission from Group.ReadWrite.All to Group.Create in the relevant configuration and documentation.
    - Made Application Admin an owner on the groups so it can manage them.

@marrobi marrobi requested a review from a team as a code owner November 25, 2025 17:15
@github-actions

github-actions bot commented Nov 25, 2025

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 0ee7c65.

♻️ This comment has been updated with latest results.

Copilot finished reviewing on behalf of marrobi November 25, 2025 17:18
Contributor

Copilot AI left a comment


Pull request overview

This PR reduces the scope of Microsoft Entra ID permissions required for workspace group creation by replacing the overly broad Group.ReadWrite.All permission with the more restrictive Group.Create permission. To maintain management capabilities, the Application Admin (via data.azuread_client_config.current.object_id) is added as an owner on all created groups.

Key changes:

  • Updated Microsoft Graph permission from Group.ReadWrite.All to Group.Create across documentation and deployment scripts
  • Added Application Admin as an owner to workspace security groups (owners, researchers, airlock managers)
  • Bumped workspace bundle version from 2.7.1 to 2.8.0 following semantic versioning for MINOR functionality changes

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Summary per file:

  • templates/workspaces/base/terraform/aad/aad.tf: Added Application Admin as owner to three workspace security groups to enable management with reduced permissions
  • templates/workspaces/base/porter.yaml: Incremented version from 2.7.1 to 2.8.0 for the permission change
  • docs/tre-admins/identities/application_admin.md: Updated documentation to reflect Group.Create permission instead of Group.ReadWrite.All
  • docs/tre-admins/environment-variables.md: Updated AUTO_WORKSPACE_GROUP_CREATION documentation and removed trailing blank line
  • devops/scripts/create_aad_assets.sh: Changed script to request Group.Create permission instead of Group.ReadWrite.All
  • config.sample.yaml: Updated comment for AUTO_WORKSPACE_GROUP_CREATION and removed trailing blank line
  • CHANGELOG.md: Added changelog entry for the permission change
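The mechanism behind both the PR description and the review summary above is that Group.Create only lets an application create groups, not modify arbitrary ones, so an identity holding that permission must be made an owner at creation time to keep managing membership later. The following Terraform snippet is an added illustration of that pattern, not the project's own aad.tf: the provider data source and resource arguments are real azuread provider features, while the group names and the `workspace_groups` local are assumed.

```hcl
# Added example (not AzureTRE's aad.tf). Shows why the identity that holds only
# Group.Create must be an owner of the groups it creates.

# The identity Terraform runs as (here, the Application Admin service principal).
data "azuread_client_config" "current" {}

locals {
  # Assumed display names; the project's real naming lives in
  # templates/workspaces/base/terraform/aad/aad.tf.
  workspace_groups = {
    owners           = "Workspace Owners"
    researchers      = "Workspace Researchers"
    airlock_managers = "Workspace Airlock Managers"
  }
}

resource "azuread_group" "workspace" {
  for_each         = local.workspace_groups
  display_name     = each.value
  security_enabled = true

  # With Group.ReadWrite.All the application could edit any group in the tenant.
  # With Group.Create it can only create groups, so later membership updates
  # succeed only because the application is recorded as an owner here.
  owners = [data.azuread_client_config.current.object_id]
}
```

Terraform evaluates `owners` as part of the create call, so the owner is set in the same request that creates the group rather than in a follow-up write that the reduced permission would not allow.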

@marrobi
Member Author

marrobi commented Nov 26, 2025

/test-extended

@github-actions

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/19708120869 (with refid b9d86b80)

(in response to this comment from @marrobi)

@marrobi marrobi enabled auto-merge (squash) November 26, 2025 19:38
Collaborator

@JC-wk JC-wk left a comment


LGTM

@marrobi
Member Author

marrobi commented Nov 27, 2025

/test-force-approve

Passed: #4774 (comment)

@github-actions

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit 0ee7c65)

(in response to this comment from @marrobi)

@marrobi marrobi merged commit 3e2369b into microsoft:main Nov 27, 2025
12 checks passed
@marrobi marrobi deleted the marrobi/issue4772 branch November 27, 2025 09:37
Successfully merging this pull request may close these issues.

Use Group.Create instead of Group.ReadWrite.All for group creation
