From f60b9e76670e430c1b48d366cc363100e2068f78 Mon Sep 17 00:00:00 2001
From: Geethree
Date: Fri, 20 Feb 2026 19:27:46 -0500
Subject: [PATCH] fix(connector/microsoft): use least-privilege scope for group membership

Change Microsoft connector group scope from Directory.Read.All to GroupMember.Read.All. Directory.Read.All grants broad read access to the entire directory, while GroupMember.Read.All is sufficient for listing group memberships and follows the principle of least privilege.

Signed-off-by: Geethree
---
 connector/microsoft/microsoft.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go
index 2fcf6a75..2223962c 100644
--- a/connector/microsoft/microsoft.go
+++ b/connector/microsoft/microsoft.go
@@ -36,7 +36,7 @@ const (
 scopeUser = "user.read"
 // Microsoft requires this scope to list groups the user is a member of
 // and resolve their ids to groups names.
- scopeGroups = "directory.read.all"
+ scopeGroups = "GroupMember.Read.All"
 // Microsoft requires this scope to return a refresh token
 // see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#offline_access
 scopeOfflineAccess = "offline_access"
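Review bot: The comment above the changed `scopeGroups` line still describes the permission only as needed to list memberships and resolve ids to names, and does not record why the narrower scope is sufficient or what operators must do when upgrading; GroupMember.Read.All is, as far as I know, a delegated permission that requires admin consent, so deployments whose app registration was consented for Directory.Read.All will start failing the group lookup until consent is re-granted. I would extend the leading comment to `// GroupMember.Read.All is the least-privileged scope that covers listing the user's memberships` / `// and reading basic group properties such as displayName; it requires admin consent, so existing` / `// app registrations must be re-consented when upgrading.` and mention the re-consent step in the release notes. The new value is also the only one in this block written in mixed case while `user.read` and `offline_access` are lowercase; if that is intentional, a short note that the identity platform matches scope names case-insensitively (which I believe it does, but have not verified here) would stop the next reader from "normalising" it. The enclosing `const (` block starts before the hunk.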