
fix(connector/microsoft): use least-privilege scope for group membership

Change Microsoft connector group scope from Directory.Read.All to GroupMember.Read.All. Directory.Read.All grants broad read access to the entire directory, while GroupMember.Read.All is sufficient for listing group memberships and follows the principle of least privilege.

Signed-off-by: Geethree <Geethree@users.noreply.github.com>
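A practical way to confirm that a tenant actually granted the narrower scope (and did not leave the old, broad one in place) is to inspect the `scp` claim of the Microsoft Graph access token after sign-in. The following Go program is an added example for this commit page, not code from dex or its Microsoft connector: it decodes a constructed, unsigned sample token, compares the granted scopes case-insensitively against the scopes the connector now requests, and reports anything missing or over-broad. The `OverbroadGraphScopes` list and the helper names are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Microsoft Graph permission scopes the connector needs after this change.
// offline_access is deliberately absent: the identity platform honours it by
// issuing a refresh token and never lists it in the access token's scp claim.
var RequiredGraphScopes = []string{"User.Read", "GroupMember.Read.All"}

// Scopes broader than group-membership lookup needs. This list is an
// assumption for the example, not something the connector defines.
var OverbroadGraphScopes = []string{"Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}

// ScopeReport lists required scopes the token lacks and over-broad scopes it carries.
type ScopeReport struct {
	Missing   []string
	Overbroad []string
}

// containsFold reports whether want appears in list, ignoring case. Scope
// names on the Microsoft identity platform are case-insensitive, so
// "directory.read.all" and "Directory.Read.All" denote the same permission.
func containsFold(list []string, want string) bool {
	for _, s := range list {
		if strings.EqualFold(s, want) {
			return true
		}
	}
	return false
}

// CheckScopes compares the scopes actually granted (from the scp claim)
// against what the connector requires and what it should never hold.
func CheckScopes(granted []string) ScopeReport {
	var r ScopeReport
	for _, req := range RequiredGraphScopes {
		if !containsFold(granted, req) {
			r.Missing = append(r.Missing, req)
		}
	}
	for _, g := range granted {
		if containsFold(OverbroadGraphScopes, g) {
			r.Overbroad = append(r.Overbroad, g)
		}
	}
	return r
}

// ParseScpClaim decodes the payload segment of a compact JWT and returns the
// space-separated scp claim. It does NOT verify the signature; use it only
// for diagnostics on a token that has already been validated elsewhere.
func ParseScpClaim(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		Scp string `json:"scp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return strings.Fields(claims.Scp), nil
}

// MakeSampleToken builds a constructed, unsigned token carrying the given scp
// claim so the example runs offline. Real Graph tokens are RS256-signed; the
// empty signature segment here is only for demonstration.
func MakeSampleToken(scp string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "none", "typ": "JWT"})
	payload := enc(map[string]string{"aud": "https://graph.microsoft.com", "scp": scp})
	return header + "." + payload + "."
}

func main() {
	for _, scp := range []string{
		"User.Read GroupMember.Read.All", // what the connector needs after this commit
		"User.Read Directory.Read.All",   // the pre-change grant: over-broad and missing the new scope
	} {
		granted, err := ParseScpClaim(MakeSampleToken(scp))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		r := CheckScopes(granted)
		fmt.Printf("%-32s missing=%v overbroad=%v\n", scp, r.Missing, r.Overbroad)
	}
}
```

Because scope matching is case-insensitive, a token whose `scp` still reads `directory.read.all` is flagged as over-broad regardless of how the constant was spelled; an empty `Missing` list together with an empty `Overbroad` list is the state a tenant should be in after re-consenting to the narrower permission.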
pull/4568/head
Geethree 3 weeks ago committed by GitHub
parent
commit
f60b9e7667
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
connector/microsoft/microsoft.go (2 changed lines)

@ -36,7 +36,7 @@ const (
scopeUser = "user.read"
// Microsoft requires this scope to list groups the user is a member of
// and resolve their ids to groups names.
scopeGroups = "directory.read.all"
scopeGroups = "GroupMember.Read.All"
// Microsoft requires this scope to return a refresh token
// see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access
scopeOfflineAccess = "offline_access"
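Review bot: the new value "GroupMember.Read.All" breaks the lowercase style of the neighbouring scope constants ("user.read", "offline_access"); scope names are case-insensitive on the Microsoft identity platform, so "groupmember.read.all" would behave identically and keep the block consistent. More importantly, GroupMember.Read.All is still an admin-consent delegated permission, so a tenant that consented to directory.read.all for the old build has to grant the new scope before group listing works again; that migration step should be called out in the commit message or the connector documentation. The comment above the constant remains accurate, since GroupMember.Read.All covers listing the user's groups and reading basic group properties such as the name, though "groups names" should read "group names".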
