Use assign User.Read from Microsoft graph instead of AAD Graph (#894)

Replace the permission in the application registration. closes #877
2025-06-14 11:08:06 +00:00 · 2021-05-17 11:42:08 -07:00
parent 90795d554e
commit 194ea49f03
1 changed files with 8 additions and 3 deletions
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -73,7 +73,12 @@ from registration import (
    update_pool_registration,
 )

-USER_IMPERSONATION = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
+# Found by manually assigning the User.Read permission to application
+# registration in the admin portal. The values are in the manifest under
+# the section "requiredResourceAccess"
+USER_READ_PERMISSION = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
+
 ONEFUZZ_CLI_APP = "72f1562a-8c0c-41ea-beb9-fa2b71c80134"
 ONEFUZZ_CLI_AUTHORITY = (
    "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47"
@ -310,9 +315,9 @@ class Client:
                required_resource_access=[
                    RequiredResourceAccess(
                        resource_access=[
-                            ResourceAccess(id=USER_IMPERSONATION, type="Scope")
+                            ResourceAccess(id=USER_READ_PERMISSION, type="Scope")
                        ],
-                        resource_app_id="00000002-0000-0000-c000-000000000000",
+                        resource_app_id=MICROSOFT_GRAPH_APP_ID,
                    )
                ],
                app_roles=app_roles,