Your IT-systems permissions
These are the access permissions needed by the Ironstone managed service, Your IT-systems, inside the customer's tenant, and why we need them.
- Without access to your data we won't be able to deploy our services.
- It is not possible to partially accept the permissions.
| API / Permissions name | Type | Permission description | Admin consent required | Why do we need this permission? |
|---|---|---|---|---|
| Group.ReadWrite.All | Application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Yes | Used to create Microsoft Entra ID security groups that will be associated with management groups. |
| AppRoleAssignment.ReadWrite.All | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Yes | Used to assign Federated Workload Identity permissions to deploy, create and manage Microsoft Entra ID security groups to provide permissions within the Azure environment. |
| Application.ReadWrite.All | Application | Allows the calling app to create and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes | Used in order to create and modify the Enterprise Applications needed to manage and govern the Azure environment. |
| RoleManagement.ReadWrite.Directory | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | Used to set |
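A tenant administrator who has consented to the four application permissions above will usually want to confirm that the service principal holds exactly that set and nothing more. The following is an added Python example, not part of Ironstone's documentation; it assumes you have already fetched `GET /servicePrincipals/{id}/appRoleAssignments` for the app and `GET /servicePrincipals/{id}?$select=appRoles` for the Microsoft Graph resource, and the data embedded here is constructed sample data with placeholder role ids.

```python
# Added example (not Ironstone's code): check that a service principal's
# application permissions on Microsoft Graph match the set this page lists.
# The two inputs mirror the shape of Graph responses, but the values below
# are constructed sample data, not real tenant data.
from typing import Iterable

# The four Graph application permissions this page asks consent for.
EXPECTED_PERMISSIONS = {
    "Group.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Shape of GET /servicePrincipals/{graph-sp-id}?$select=appRoles (only the
# fields used here). Role ids are placeholders, not Microsoft's real ids.
GRAPH_APP_ROLES = [
    {"id": "role-0001", "value": "Group.ReadWrite.All"},
    {"id": "role-0002", "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": "role-0003", "value": "Application.ReadWrite.All"},
    {"id": "role-0004", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "role-0005", "value": "Directory.ReadWrite.All"},
]

# Shape of GET /servicePrincipals/{app-sp-id}/appRoleAssignments, constructed
# so that the app holds the four expected grants plus one it should not have.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "role-0001", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0003", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0004", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "role-0005", "resourceDisplayName": "Microsoft Graph"},
]


def granted_permissions(assignments: Iterable[dict], app_roles: Iterable[dict]) -> set:
    """Translate appRoleId values into permission names via the resource's appRoles."""
    names = {role["id"]: role["value"] for role in app_roles}
    return {names.get(a["appRoleId"], f"unknown:{a['appRoleId']}") for a in assignments}


def audit(assignments, app_roles, expected=EXPECTED_PERMISSIONS):
    """Return (missing, unexpected): listed permissions not granted, and grants beyond the list."""
    granted = granted_permissions(assignments, app_roles)
    return sorted(expected - granted), sorted(granted - expected)


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_ASSIGNMENTS, GRAPH_APP_ROLES)
    print("missing:", missing)        # []
    print("unexpected:", unexpected)  # ['Directory.ReadWrite.All']
```

Any entry in the unexpected list is a grant beyond what this page requires and should be reviewed before it is left in place.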
Azure platform access
Some functionality needs access to your Azure environment, for example to deploy important updates to Azure resources.
| Access level | Scope | Justification |
|---|---|---|
| Owner | Management root | We need this access to be able to deploy resources and to automatically manage and govern the Azure environment. |