From e54dd867cc34cae3c0c41b7692fd447fb4eb7575 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Thu, 6 Jan 2022 15:33:17 -0500 Subject: [PATCH] backport of commit 7bcae00f155412175144eaa98281226e6ccc6994 (#13587) This pull request was automerged via backport-assistant --- website/content/api-docs/secret/azure.mdx | 37 +++++++++++++++++++---- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/website/content/api-docs/secret/azure.mdx b/website/content/api-docs/secret/azure.mdx index a8a17fd6fc41..44cb0445bc84 100644 --- a/website/content/api-docs/secret/azure.mdx +++ b/website/content/api-docs/secret/azure.mdx 
@@ -41,9 +41,34 @@ service principals. Environment variables will override any parameters set in th Active Directory API which has been [deprecated by Microsoft and will be removed in 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-faq). If set to true, the user specified via the `client_id` and `client_secret` will need to have the following permissions - under the Microsoft Graph API: `Application.ReadWrite.All`, `Directory.ReadWrite.All`, and `Group.ReadWrite.All`. + under the **Microsoft Graph API**: + +| Permission Name | Type | +| ----------------------------- | ----------- | +| Application.Read.All | Application | +| Application.ReadWrite.All | Application | +| Application.ReadWrite.OwnedBy | Application | +| Directory.Read.All | Application | +| Directory.ReadWrite.All | Application | +| Group.Read.All | Application | +| Group.ReadWrite.All | Application | +| GroupMember.Read.All | Application | +| GroupMember.ReadWrite.All | Application | + +| Permission Name | Type | +| -------------------------- | --------- | +| Application.Read.All | Delegated | +| Application.ReadWrite.All | Delegated | +| Directory.AccessAsUser.All | Delegated | +| Directory.Read.All | Delegated | +| Directory.ReadWrite.All | Delegated | +| Group.Read.All | Delegated | +| Group.ReadWrite.All | Delegated | +| GroupMember.Read.All | Delegated | +| GroupMember.ReadWrite.All | Delegated | + +Aside from the permissions listed above, setting this to true should be transparent to users. - Aside from the permissions listed above, setting this to true should be transparent to users. - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when rotate-root generates a new client secret. This can be either a number of seconds or a time formatted duration (ex: 24h, 48d). 
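Review bot: the two permission tables in this hunk present eighteen entries as if all were required ("will need to have the following permissions"), but they do not say which ones the plugin actually needs, and the set is strictly larger than the three the removed line named (`Application.ReadWrite.All`, `Directory.ReadWrite.All`, `Group.ReadWrite.All`). For least privilege the doc should mark the minimum set and say whether an operator grants the Application table, the Delegated table, or both, depending on how `client_id`/`client_secret` authenticates; `Directory.AccessAsUser.All` in particular is broad enough that it should only be listed if the plugin genuinely requires it, and each `*.Read.All` row appears redundant next to the corresponding `*.ReadWrite.All` row. Separately, the tables and the relocated sentence `Aside from the permissions listed above, setting this to true should be transparent to users.` are now at column 0 rather than indented like the surrounding bullet text, so in rendered MDX they fall out of the list item for this parameter and the sentence loses its association with it; indent them to match the list continuation lines.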
@@ -172,11 +197,11 @@ This endpoint generates a new client secret for the root account defined in the value generated will only be known by Vault. ~> Due to the eventual consistency of Microsoft Azure client secret APIs, the plugin - may briefly stop authenticating to Azure as the password propagates through their - datacenters. +may briefly stop authenticating to Azure as the password propagates through their +datacenters. -| Method | Path | -| :----- | :------------------------ | +| Method | Path | +| :----- | :------------------- | | `POST` | `/azure/rotate-root` | ### Parameters
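Review bot: this hunk is whitespace-only (the `~>` callout's continuation lines drop their leading indentation and the `Method`/`Path` table is re-padded), which is unrelated to the permissions change in the subject and would be easier to review in its own commit. Since it does touch the eventual-consistency callout, consider extending it to say what an operator should do during the propagation window after `rotate-root` (retry the operation rather than treat the transient authentication failure as a failed rotation), because the current text only describes the symptom.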