From bf9bb77562d3aa64ec4e247302cdc2f0fb1e2774 Mon Sep 17 00:00:00 2001
From: Ahmed Darrazi
Date: Mon, 22 Dec 2025 16:06:25 +0100
Subject: [PATCH] feat(004): Add RBAC and Group permissions to config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added two new required permissions for Feature 004:
- DeviceManagementRBAC.Read.All: Resolve scope tag IDs to names
- Group.Read.All: Resolve group IDs for assignments
These permissions will be displayed on the Tenant detail page (/admin/tenants/1) as 'missing' until added in Azure AD.
Steps to complete setup:
1. Add permissions in Azure AD App Registration
2. Grant admin consent
3. Move permissions from 'Required' to 'Tatsächlich granted' in this config
4. Clear cache: php artisan cache:clear
5. Verify on Tenant detail page
---
 config/intune_permissions.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/config/intune_permissions.php b/config/intune_permissions.php
index 56ba8e1..9c16179 100644
--- a/config/intune_permissions.php
+++ b/config/intune_permissions.php
@@ -56,6 +56,18 @@
 'description' => 'Read directory data needed for tenant health checks.',
 'features' => ['tenant-health'],
 ],
+ [
+ 'key' => 'DeviceManagementRBAC.Read.All',
+ 'type' => 'application',
+ 'description' => 'Read Intune RBAC settings including scope tags for backup metadata enrichment.',
+ 'features' => ['scope-tags', 'backup-metadata', 'assignments'],
+ ],
+ [
+ 'key' => 'Group.Read.All',
+ 'type' => 'application',
+ 'description' => 'Read group information for resolving assignment group names and cross-tenant group mapping.',
+ 'features' => ['assignments', 'group-mapping', 'backup-metadata'],
+ ],
 [
 'key' => 'DeviceManagementScripts.ReadWrite.All',
 'type' => 'application',
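Review bot: The new `Group.Read.All` entry is an application (app-only) permission that grants tenant-wide read access to every group, while its own description says it is only needed to resolve assignment group IDs to names; `GroupMember.Read.All` lists groups and reads basic group properties without a signed-in user and is the narrower choice for that, so either switch to it or record why the broader scope is required. I'd add to the entry a comment such as `// Group.Read.All statt GroupMember.Read.All, weil: <Begründung>` (placeholder), so the next reviewer of the consent list can see the trade-off; whether the cross-tenant group mapping needs more than display names and membership is not visible here and is worth confirming. The array this hunk appends to starts and ends outside the hunk.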
@@ -66,6 +78,12 @@
 // Stub list of permissions already granted to the service principal (used for display in Tenant verification UI).
 // Diese Liste sollte mit den tatsächlich in Entra ID granted permissions übereinstimmen.
 // HINWEIS: In Produktion sollte dies dynamisch von Graph API abgerufen werden (geplant für v1.1+).
+ //
+ // ⚠️ WICHTIG: Nach dem Hinzufügen neuer Berechtigungen in Azure AD:
+ // 1. Berechtigungen in Azure AD hinzufügen und Admin Consent geben
+ // 2. Diese Liste unten aktualisieren (von "Required permissions" nach "Tatsächlich granted" verschieben)
+ // 3. Cache leeren: php artisan cache:clear
+ // 4. Optional: Live-Check auf Tenant-Detailseite ausführen
 'granted_stub' => [
 // Tatsächlich granted (aus Entra ID Screenshot):
 'Device.Read.All',
@@ -84,5 +102,10 @@
 'DeviceManagementServiceConfig.ReadWrite.All',
 'Policy.Read.All',
 'Policy.ReadWrite.ConditionalAccess',
+
+ // Feature 004 - Assignments & Scope Tags (NEU seit 2025-12-22):
+ // TODO: Nach Azure AD Setup verschieben nach "Tatsächlich granted"
+ 'DeviceManagementRBAC.Read.All', // Scope Tag Namen auflösen
+ 'Group.Read.All', // Group Namen für Assignments auflösen
 ],
 ];
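Review bot: Step 3 of the new comment block, `// 3. Cache leeren: php artisan cache:clear`, names the application-cache command, but an edit to a file under config/ is only picked up after the configuration cache is rebuilt when `php artisan config:cache` has been used in that environment; `cache:clear` does not touch the cached config. I'd change the line to `// 3. Config-Cache leeren: php artisan config:clear (zusätzlich cache:clear, falls der Permission-Status im App-Cache liegt)`; whether the permission status is also stored in the app cache is not visible from this file. The commit message's step 4 gives the same incomplete instruction.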
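Review bot: The two keys added at the end of the second hunk are live elements of the `granted_stub` array, so any check that tests membership in that list will report `DeviceManagementRBAC.Read.All` and `Group.Read.All` as granted from this commit on, which contradicts the commit message's expectation that they show as 'missing' until consent is given and lets the tenant verification page vouch for consent that has not happened. The TODO says they are to be moved to "Tatsächlich granted" later, but in PHP the section comments do not split the array; the lines between the two hunks are outside my view, so if the "Required permissions" section there is commented out, these two entries should be as well. Suggest `// 'DeviceManagementRBAC.Read.All', // TODO: einkommentieren nach Admin Consent` and the same for `Group.Read.All`, or leave them out of this array until the live check confirms the grant.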