Allow creation of Teams/Groups without Group.ReadWrite.All
Lots of partners, ISVs and end-user orgs create provisioning solutions which create Teams and Groups with additional governance/templating/features, but such solutions currently require the Group.ReadWrite.All permission - which is hugely problematic. This is a manifestation of the need for more granular permission scope types (e.g. see https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/37796059-restrict-permissions-to-app-only-azure-ad-applicat), but is a particularly important use case and isn't quite the same thing as the need to access only specified resources.
To expand, it does not appear to be dealt with by Resource-Specific Consent - after all, I just want permissions to create a new Team/Group, rather than permissions to an existing resource.
Please consider providing support for this type of consent - thanks!

We’ve recently released a new permission – Group.Create that hopefully solves this problem for you. Please see https://docs.microsoft.com/en-us/graph/api/resources/conditionalaccesspolicy?view=graph-rest-beta and the Identity and Access section in the November changelog: https://docs.microsoft.com/en-us/graph/changelog?context=graph%2Fapi%2Fbeta&view=graph-rest-beta#november-2019
Hope this helps
1 comment
Rojin Zerobe commented
Can we also add this permission in creating Team Channels?