GHEC Team Sync with Azure AD requires fewer permissions
Summary
Today, GitHub Enterprise Cloud Team Sync for Azure AD requests the Directory.Read.All application permission in order to read the group and user information needed to sync group state into GitHub. This is an overly broad permission, and Microsoft has released better-scoped group permissions that we can use. For new installations of Team Sync in Azure AD, Team Sync will only request the GroupMember.Read.All application permission, which is restricted to listing group members and their basic information.
Intended Outcome
Many companies have least-privilege requirements that flag Directory.Read.All as over-privileged, as it grants read access to many more directory resources than just group memberships. To help GitHub admins comply with these directives, and to improve the security posture of our product, we're migrating to this reduced-privilege permission.
How will it work?
The required resource access for the Team Sync app will be updated to request the new, lower permission. New installations will request GroupMember.Read.All, while existing installations will continue to work without interruption. Administrators who wish to reduce the permissions of their existing installation can reinstall the application, or use the App Role Assignments API to modify the permissions of their existing service principal in place.
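The in-place option above is the one an admin is most likely to script, so here is an added example (not GitHub's or Microsoft's code) that audits a Team Sync service principal's Microsoft Graph app role assignments and plans the swap through the Graph appRoleAssignments endpoints. It assumes the Team Sync service principal's object id is known, that the token used carries AppRoleAssignment.ReadWrite.All, and it resolves the appRole ids for Directory.Read.All and GroupMember.Read.All from Microsoft Graph's own service principal rather than hard-coding them. All ids in the embedded sample data are constructed placeholders.

```python
"""Audit a Team Sync service principal's Graph app role assignments and plan the
in-place swap from Directory.Read.All to GroupMember.Read.All.
Added example, not GitHub's or Microsoft's code. Sample ids are placeholders."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
BROAD = "Directory.Read.All"
NARROW = "GroupMember.Read.All"


def application_role_ids(graph_sp):
    """Map permission names to appRole ids valid for app-only assignments,
    taken from the appRoles published on Microsoft Graph's service principal."""
    return {
        role["value"]: role["id"]
        for role in graph_sp.get("appRoles", [])
        if "Application" in role.get("allowedMemberTypes", [])
    }


def audit(graph_sp, assignments):
    """Report which of the two permissions the principal currently holds on Graph."""
    roles = application_role_ids(graph_sp)
    held = {a["appRoleId"] for a in assignments if a["resourceId"] == graph_sp["id"]}
    return {BROAD: roles[BROAD] in held, NARROW: roles[NARROW] in held}


def plan_reduction(teamsync_sp, graph_sp, assignments):
    """Ordered Graph requests: grant GroupMember.Read.All first, then revoke
    Directory.Read.All, so Team Sync never loses read access mid-change.
    Returns an empty list when the principal is already in the desired state."""
    roles = application_role_ids(graph_sp)
    base = f"{GRAPH}/servicePrincipals/{teamsync_sp['id']}/appRoleAssignments"
    by_role = {a["appRoleId"]: a for a in assignments if a["resourceId"] == graph_sp["id"]}
    requests = []
    if roles[NARROW] not in by_role:
        requests.append(("POST", base, {
            "principalId": teamsync_sp["id"],
            "resourceId": graph_sp["id"],
            "appRoleId": roles[NARROW],
        }))
    if roles[BROAD] in by_role:
        requests.append(("DELETE", f"{base}/{by_role[roles[BROAD]]['id']}", None))
    return requests


def graph_call(token, method, url, body=None):
    """One Graph request with a bearer token holding AppRoleAssignment.ReadWrite.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def fetch_and_apply(token, teamsync_sp_id):
    """Live version (not exercised offline): read both service principals and the
    current assignments from Graph, then send the planned requests."""
    flt = "$filter=" + urllib.parse.quote(f"appId eq '{MS_GRAPH_APP_ID}'")
    graph_sp = graph_call(token, "GET", f"{GRAPH}/servicePrincipals?{flt}")["value"][0]
    sp_url = f"{GRAPH}/servicePrincipals/{teamsync_sp_id}"
    teamsync_sp = graph_call(token, "GET", sp_url)
    assignments = graph_call(token, "GET", f"{sp_url}/appRoleAssignments")["value"]
    for method, url, body in plan_reduction(teamsync_sp, graph_sp, assignments):
        graph_call(token, method, url, body)


# Constructed sample data: placeholder ids, not real tenant or appRole values.
SAMPLE_GRAPH_SP = {
    "id": "00000000-0000-0000-0000-00000000aaaa",
    "appRoles": [
        {"id": "role-directory-read-all", "value": BROAD, "allowedMemberTypes": ["Application"]},
        {"id": "role-groupmember-read-all", "value": NARROW, "allowedMemberTypes": ["Application"]},
        {"id": "role-user-read-all", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    ],
}
SAMPLE_TEAMSYNC_SP = {"id": "00000000-0000-0000-0000-00000000bbbb"}
SAMPLE_ASSIGNMENTS = [
    {"id": "assignment-1", "appRoleId": "role-directory-read-all",
     "principalId": SAMPLE_TEAMSYNC_SP["id"], "resourceId": SAMPLE_GRAPH_SP["id"]},
]


def demo():
    """Offline run over the sample: returns (audit before, plan, audit after)."""
    before = audit(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS)
    plan = plan_reduction(SAMPLE_TEAMSYNC_SP, SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS)
    # Simulate the effect of each planned request on the assignment list.
    current = list(SAMPLE_ASSIGNMENTS)
    for method, url, body in plan:
        if method == "POST":
            current.append({"id": "assignment-new", **body})
        elif method == "DELETE":
            current = [a for a in current if not url.endswith("/" + a["id"])]
    return before, plan, audit(SAMPLE_GRAPH_SP, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `audit` again after the change is the check worth keeping: the principal should report Directory.Read.All as not held and GroupMember.Read.All as held, and `plan_reduction` should then return an empty list. Because this swaps an app role assignment without redoing admin consent, it only applies to an existing installation; new installations request GroupMember.Read.All by themselves.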