Your IT-systems permissions

These are the access permissions the Ironstone managed service, Your IT-systems, needs inside the customer's tenant, and why we need each of them.

  • Without access to your data we are not able to deploy our services.
  • The permissions cannot be accepted partially; consent is all or nothing.

| API / Permission name | Type | Permission description | Admin consent required | Why do we need this permission? |
|---|---|---|---|---|
| Group.ReadWrite.All | Application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Yes | Used to create Microsoft Entra ID security groups that will be associated with management groups. |
| AppRoleAssignment.ReadWrite.All | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Yes | Used to assign Federated Workload Identity permissions to deploy, create and manage Microsoft Entra ID security groups that provide permissions within the Azure environment. |
| Application.ReadWrite.All | Application | Allows the calling app to create and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes | Used to create and modify the Enterprise Applications needed to manage and govern the Azure environment. |
| RoleManagement.ReadWrite.Directory | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | Used to set -IsAssignableToRole:$true on the Microsoft Entra ID security groups that will be associated with management groups. |
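The four application permissions above are granted to a service principal in your tenant, so you can verify what was actually consented to. The script below is an added example (not Ironstone's code): it uses the Microsoft Graph PowerShell SDK to list the Graph application permissions granted to the service principal and compares them with this page. The display name 'Your IT-systems' is an assumption; use the name of the enterprise application as it appears in your tenant.

```powershell
# Added example: audit the Microsoft Graph application permissions granted to a
# service principal against the list documented on this page.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller may read
# application and service principal objects.
param(
    [string]$AppDisplayName = 'Your IT-systems'   # assumed display name; adjust to your tenant
)

Connect-MgGraph -Scopes 'Application.Read.All'

# The permissions documented on this page.
$documented = @(
    'Group.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory'
)

# Microsoft Graph's own service principal (well-known appId) defines the app roles,
# which lets us translate AppRoleId GUIDs back to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleById = @{}
foreach ($role in $graphSp.AppRoles) { $roleById[$role.Id] = $role.Value }

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' found in this tenant." }

# Application permissions appear as app role assignments on the service principal;
# keep only those whose resource is Microsoft Graph.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleById[$_.AppRoleId] }

$extra   = $granted    | Where-Object { $_ -notin $documented }
$missing = $documented | Where-Object { $_ -notin $granted }

"Graph application permissions granted to '$AppDisplayName':"
$granted | Sort-Object | ForEach-Object { "  $_" }
if ($extra)   { "Granted but NOT documented on this page (review): $($extra -join ', ')" }
if ($missing) { "Documented on this page but not granted: $($missing -join ', ')" }
```

Anything listed under "granted but not documented" deserves a conversation with the provider before the consent is left in place.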

Azure platform access

Some functionality needs access to your Azure environment, for example to deploy important updates to Azure resources.

| Access level | Scope | Justification |
|---|---|---|
| Owner | Management root | We need this access to be able to deploy resources and to automatically manage and govern the Azure environment. |