Do you grant help desk or junior admins access to Microsoft Graph?
Posted by Wise-Question2374@reddit | sysadmin | 18 comments
Do you grant help desk or junior admins access to Microsoft Graph? If so, how do you go about it?
I came from a role where I was a global admin at a small company to a larger company with more granular permissions. I want basic access to Graph command line tools so I can build some automations and simplify workflows. How should I frame this? I'd like the help desk to be able to query Graph API as well.
ThatBCHGuy@reddit
Give him the rbac roles he needs to do his job and bam, he has access to graph to do those functions. There isn't a separate 'allow graph' permission.
fireandbass@reddit
There is. On the Enterprise Application page, you can restrict Graph Explorer to users or groups.
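The Enterprise Application restriction described above, as an added example that is not from the thread: with the Microsoft Graph PowerShell SDK, require user assignment on the Graph Explorer service principal and assign one approved group. It assumes the caller holds a role that can manage service principals (Application Administrator or Cloud Application Administrator), and the group name "Graph-Explorer-Users" is a hypothetical choice for this example.

```powershell
# Added example (not from the thread): lock the Graph Explorer enterprise app down
# to an approved group. Assumes the Microsoft.Graph PowerShell SDK is installed and
# the caller can manage service principals. 'Graph-Explorer-Users' is a hypothetical group.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.Read.All", "AppRoleAssignment.ReadWrite.All"

# Graph Explorer only appears as a service principal once someone in the tenant has consented to it.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Graph Explorer'"
if (-not $sp) { throw "Graph Explorer service principal not found; nobody has used it in this tenant yet." }

# 1. Require assignment: a user without an app role assignment can no longer sign in to it.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Assign the approved group. Graph Explorer defines no custom app roles, so the
#    all-zero GUID ("default access") is the role to assign.
$group = Get-MgGroup -Filter "displayName eq 'Graph-Explorer-Users'"
if (-not $group) { throw "Approved group not found." }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000" | Out-Null

# 3. Audit: who (users and groups) is assigned now?
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

This governs only the Graph Explorer client. The Graph PowerShell SDK and Graph CLI sign in as their own enterprise applications, so each would need the same assignment requirement or a Conditional Access policy, which is the point the later replies make.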
Entegy@reddit
There is more than one way to access Graph than Graph Explorer.
fireandbass@reddit
Conditional Access policy can block it.
OnlyWest1@reddit
They are probably talking about limiting their admin roles.
Daphoid@reddit
Further than that, you can grant access to specific scopes via powershell :)
Murhawk013@reddit
I get what you’re saying but yes there are lol
Wise-Question2374@reddit (OP)
It seems as long as you're using delegated permissions for the Graph-CLI application it's safe to grant access to the application because the permissions will be limited by the normal RBAC accessible through the Admin Center GUI. It seems that the user would need to be granted access to the base Graph-CLI application though, right?
Humpaaa@reddit
Thank you.
RBAC all the way.
Obvious-Water569@reddit
Nobody gets access to anything they don't explicitly need.
OnlyWest1@reddit
C levels do.
Daphoid@reddit
100%. How often do you see "apply to all users?" "Yes.... oh but exclude the board"
TheDawiWhisperer@reddit
Suicide rates would go through the roof if we give them access to Graph
titlrequired@reddit
Get a developer tenant to learn in. Show proof of concept. Demonstrate you won’t accidentally set everyone’s language to Martian, or reset everyone’s password.
Not sure I would give blanket Helpdesk access to graph, depends on scopes requested and use case.
christurnbull@reddit
Read, sure. Not much difference to signing into your tenancy in graph explorer.
sryan2k1@reddit
I've never met a help desk that could spell graph let alone use it. What would they possibly do with those permissions?
Interesting-Rest726@reddit
You sound great to work for
210Matt@reddit
Build a service principal with read permissions in graph if there are just certain scripts that they need. You could also give the user global reader.
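The read-only service principal suggested above, as an added example that is not from the thread: an app registration that holds only read-only Microsoft Graph application permissions, for scripts the help desk runs unattended. It assumes the Microsoft Graph PowerShell SDK and a caller who can create applications and grant admin consent for Graph application permissions (in practice Privileged Role Administrator or Global Administrator). The app name and the two permissions are choices for this example.

```powershell
# Added example (not from the thread): a service principal limited to read-only
# Graph application permissions. Assumes the Microsoft.Graph PowerShell SDK and a
# caller who can create apps and grant admin consent. App name and permission list
# are example choices.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$appName = "HelpDesk-ReadOnly-Reports"            # hypothetical
$wanted  = @("User.Read.All", "Device.Read.All")  # read-only application permissions only

# Microsoft Graph's own service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the permission names to Graph's AppRole objects, keeping only application
# (not delegated) permissions so the set granted is exactly what was requested.
$roles = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $wanted -and $_.AllowedMemberTypes -contains "Application"
})
if ($roles.Count -ne $wanted.Count) {
    throw "One or more requested permissions are not application roles on Microsoft Graph."
}

# Create the registration (single tenant) and its service principal.
$app = New-MgApplication -DisplayName $appName -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Grant (admin-consent) exactly the listed roles. Nothing else is assigned, so the
# principal cannot write to the directory even if its credential is mishandled.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Audit: list the permission names actually granted to the new principal.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignedId = $_.AppRoleId
    ($graphSp.AppRoles | Where-Object { $_.Id -eq $assignedId }).Value
}
```

The script deliberately stops short of issuing a credential; when one is added, a certificate on the app registration is preferable to a client secret, and the audit step at the end is what to re-run periodically to confirm no write permissions have crept in.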