secrets/azure: update minimal permissions recommendation (#21897)

2026-01-07 04:31:46 +00:00 · 2023-07-18 09:24:37 -07:00
parent dc104898f7
commit fa094207e7
1 changed files with 14 additions and 3 deletions
--- a/website/content/docs/secrets/azure.mdx
+++ b/website/content/docs/secrets/azure.mdx
@@ -223,15 +223,26 @@ If the client ID or secret are not present and Vault is running on an Azure VM,
 to access Azure. Note that when MSI is used, tenant and subscription IDs must still be explicitly provided
 in the configuration or environment variables.

-### MS graph API permissions
+### MS Graph API permissions

 The following MS Graph [API permissions](https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#types-of-permissions)
-must be assigned to the service principal provided to Vault for managing Azure:
+must be assigned to the service principal provided to Vault for managing Azure. The permissions
+differ depending on if you're using [dynamic or existing](#choosing-between-dynamic-or-existing-service-principals)
+service principals.
+
+#### Dynamic Service Principals
+
+| Permission Name               | Type        |
+| ----------------------------- | ----------- |
+| Application.ReadWrite.OwnedBy | Application |
+| GroupMember.ReadWrite.All     | Application |
+
+#### Existing Service Principals

 | Permission Name               | Type        |
 | ----------------------------- | ----------- |
 | Application.ReadWrite.All     | Application |
-| Group.ReadWrite.All           | Application |
+| GroupMember.ReadWrite.All     | Application |

 ### Role assignments