Corrected permission required to grant graph access.
SINIKI committed Jun 29, 2021
1 parent 12f02cc commit f193d6f
Showing 4 changed files with 5 additions and 5 deletions.
6 changes: 3 additions & 3 deletions 01-Setup and getting started/README.md
Expand Up @@ -199,7 +199,7 @@ $UserAssignedIdentity.PrincipalId
``` PowerShell
# Grant Graph Permission to the user-assigned managed identity.
# Required Permission: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.
# Required Permission: Global Administrator or Privileged Role Administrator.
Grant-AzSKGraphPermissionToUserAssignedIdentity `
-UserAssignedIdentityObjectId $UserAssignedIdentity.PrincipalId `
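Review bot: the updated comment still says "Required Permission:" while what follows is a list of directory roles rather than a permission; "Required role:" would match what the line actually lists and the "administrator roles" wording used in the Note block further down. The hunk also gives no reason for dropping Application Administrator and Cloud Application Administrator, so a one-line explanation next to the role list would stop a later contributor from restoring them.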
Expand All @@ -210,7 +210,7 @@ Grant-AzSKGraphPermissionToUserAssignedIdentity `


> **Note:**
> 1. _This step requires admin consent. Therefore, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator. If you do not have the required permission, please contact your administrator to get "PrivilegedAccess.Read.AzureResources" and "Directory.Read.All" permission for your scanner MI in Azure Active Directory using [this PowerShell script](../Scripts/ScriptToGrantGraphPermissionToScannerMI.ps1?raw=1). To run this script, you need to provide the object id of the user-assigned managed identity (scanner MI) created in **step 4.a**._
> 1. _This step requires admin consent. Therefore, the signed-in user must be a member of one of the following administrator roles: Global Administrator or Privileged Role Administrator. If you do not have the required permission, please contact your administrator to get "PrivilegedAccess.Read.AzureResources" and "Directory.Read.All" permission for your scanner MI in Azure Active Directory using [this PowerShell script](../Scripts/ScriptToGrantGraphPermissionToScannerMI.ps1?raw=1). To run this script, you need to provide the object id of the user-assigned managed identity (scanner MI) created in **step 4.a**._
>
> 2. _You can proceed without this step, however, the AzTS Soln will run with limited functionality such as the solution will not be able to scan RBAC controls, classic administrator of a subscription will not be able to use the user interface provided by AzTS Soln (AzTS UI) to request on-demand scan, view control failures etc.,_
>
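Review bot: the role list in this note now agrees with the `.PREREQUISITE Permission` text in `ScriptToGrantGraphPermissionToScannerMI.ps1` changed in the same commit, which is the consistency check that matters here. One gap remains: a reader without the role is told to hand the script to "your administrator" without being told which role that administrator must hold, so consider repeating "Global Administrator or Privileged Role Administrator" in that sentence. Visible in the context lines but outside this change: item 2 ends with "etc.," and should end with a full stop.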
Expand Down Expand Up @@ -357,7 +357,7 @@ For '-WebAPIAzureADAppId' and '-UIAzureADAppId' parameter,
```

> **Note:**
> 01. _This step requires admin consent. To complete this step, the signed-in user must be a member of one of the following administrator roles: </br> Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.</br>If you do not have the required permission, please contact your administrator to get 'User.Read.All' permission for the internal MI in Azure Active Directory using [this PowerShell script](../Scripts/ScriptToGrantGraphPermissionToInternalMI.ps1?raw=1). To run this script, you need to provide the object id of the user-assigned managed identity (internal MI) created in this step._
> 01. _This step requires admin consent. To complete this step, the signed-in user must be a member of one of the following administrator roles: </br> Global Administrator or Privileged Role Administrator.</br>If you do not have the required permission, please contact your administrator to get 'User.Read.All' permission for the internal MI in Azure Active Directory using [this PowerShell script](../Scripts/ScriptToGrantGraphPermissionToInternalMI.ps1?raw=1). To run this script, you need to provide the object id of the user-assigned managed identity (internal MI) created in this step._
>
> 2. _You can proceed without this step. However, please note that if this permission is not granted, users who log in to the AzTS UI will not be able to view subscriptions where they have been granted access to a subscription through a security group._
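Review bot: the list numbering in this note is inconsistent, "01." for the first item and "2." for the second; use "1." as the earlier Note block does. The line breaks are written as `</br>`, which is not a valid HTML tag (use `<br>` or `<br/>`); some Markdown renderers will show it as literal text instead of a break.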
2 changes: 1 addition & 1 deletion Scripts/ScriptToGrantGraphPermissionToInternalMI.ps1
@@ -1,7 +1,7 @@
<# ********************* Script execution guidance *******************
.PREREQUISITE Permission
The signed-in user must be a member of one of the following administrator roles on Azure AD: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.
The signed-in user must be a member of one of the following administrator roles on Azure AD: Global Administrator or Privileged Role Administrator.
.PREREQUISITE Install AzureAD module. (Required version: AzureAD >= 2.0.2.130)
Example command: Install-Module -Name AzureAD -AllowClobber -Scope CurrentUser -repository PSGallery
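Review bot: the role requirement exists only in this comment block and is not enforced, so a user in the wrong role gets no early, clear failure; consider checking the signed-in user's directory roles after connecting and exiting with a message that names the two accepted roles. The same `.PREREQUISITE Permission` sentence is duplicated in `ScriptToGrantGraphPermissionToScannerMI.ps1` and twice in the README, which is why a one-line wording fix touched four files; pointing the scripts at a single documented prerequisite would prevent the copies drifting apart again.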
2 changes: 1 addition & 1 deletion Scripts/ScriptToGrantGraphPermissionToScannerMI.ps1
@@ -1,7 +1,7 @@
<# ********************* Script execution guidance *******************
.PREREQUISITE Permission
The signed-in user must be a member of one of the following administrator roles on Azure AD: Global Administrator, Privileged Role Administrator, Application Administrator or Cloud Application Administrator.
The signed-in user must be a member of one of the following administrator roles on Azure AD: Global Administrator or Privileged Role Administrator.
.PREREQUISITE Install AzureAD module. (Required version: AzureAD >= 2.0.2.130)
Example command: Install-Module -Name AzureAD -AllowClobber -Scope CurrentUser -repository PSGallery
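Review bot: the wording now matches the internal-MI script exactly, which is what this commit set out to do. A style point in the unchanged context line: the example command writes the parameter as `-repository PSGallery`; PowerShell parameter names are case-insensitive so it runs, but writing `-Repository` matches the parameter's documented casing and is easier to copy into other docs.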
Binary file modified TemplateFiles/DeploymentFiles.zip
Binary file not shown.
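Review bot: `TemplateFiles/DeploymentFiles.zip` is modified in the same commit, but the change cannot be reviewed here and the commit message only mentions the permission wording; if the zip repackages the two corrected scripts, say so in the commit message, and if it contains anything beyond that, split it into its own commit so the documentation correction stays self-contained.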

0 comments on commit f193d6f