ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(004): Add RBAC and Group permissions to config

Browse Source 
Added two new required permissions for Feature 004:
- DeviceManagementRBAC.Read.All: Resolve scope tag IDs to names
- Group.Read.All: Resolve group IDs for assignments

These permissions will be displayed on the Tenant detail page
(/admin/tenants/1) as 'missing' until added in Azure AD.

Steps to complete setup:
1. Add permissions in Azure AD App Registration
2. Grant admin consent
3. Move permissions from 'Required' to 'Tatsächlich granted' in this config
4. Clear cache: php artisan cache:clear
5. Verify on Tenant detail page
This commit is contained in:
Ahmed Darrazi 2025-12-22 16:06:25 +01:00
parent 0e42164937
commit bf9bb77562
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
config/intune_permissions.php
View File

@ -56,6 +56,18 @@
'description' => 'Read directory data needed for tenant health checks.', 'description' => 'Read directory data needed for tenant health checks.',
'features' => ['tenant-health'], 'features' => ['tenant-health'],
], ],
[
'key' => 'DeviceManagementRBAC.Read.All',
'type' => 'application',
'description' => 'Read Intune RBAC settings including scope tags for backup metadata enrichment.',
'features' => ['scope-tags', 'backup-metadata', 'assignments'],
],
[
'key' => 'Group.Read.All',
'type' => 'application',
'description' => 'Read group information for resolving assignment group names and cross-tenant group mapping.',
'features' => ['assignments', 'group-mapping', 'backup-metadata'],
],
[ [
'key' => 'DeviceManagementScripts.ReadWrite.All', 'key' => 'DeviceManagementScripts.ReadWrite.All',
'type' => 'application', 'type' => 'application',
@ -66,6 +78,12 @@
// Stub list of permissions already granted to the service principal (used for display in Tenant verification UI). // Stub list of permissions already granted to the service principal (used for display in Tenant verification UI).
// Diese Liste sollte mit den tatsächlich in Entra ID granted permissions übereinstimmen. // Diese Liste sollte mit den tatsächlich in Entra ID granted permissions übereinstimmen.
// HINWEIS: In Produktion sollte dies dynamisch von Graph API abgerufen werden (geplant für v1.1+). // HINWEIS: In Produktion sollte dies dynamisch von Graph API abgerufen werden (geplant für v1.1+).
//
// ⚠️ WICHTIG: Nach dem Hinzufügen neuer Berechtigungen in Azure AD:
// 1. Berechtigungen in Azure AD hinzufügen und Admin Consent geben
// 2. Diese Liste unten aktualisieren (von "Required permissions" nach "Tatsächlich granted" verschieben)
// 3. Cache leeren: php artisan cache:clear
// 4. Optional: Live-Check auf Tenant-Detailseite ausführen
'granted_stub' => [ 'granted_stub' => [
// Tatsächlich granted (aus Entra ID Screenshot): // Tatsächlich granted (aus Entra ID Screenshot):
'Device.Read.All', 'Device.Read.All',
@ -84,5 +102,10 @@
'DeviceManagementServiceConfig.ReadWrite.All', 'DeviceManagementServiceConfig.ReadWrite.All',
'Policy.Read.All', 'Policy.Read.All',
'Policy.ReadWrite.ConditionalAccess', 'Policy.ReadWrite.ConditionalAccess',
// Feature 004 - Assignments & Scope Tags (NEU seit 2025-12-22):
// TODO: Nach Azure AD Setup verschieben nach "Tatsächlich granted"
'DeviceManagementRBAC.Read.All', // Scope Tag Namen auflösen
'Group.Read.All', // Group Namen für Assignments auflösen
], ],
]; ];