u/13159daysold

Allowing an external company access to modify specific entra groups

Hi Brains Trust.

I have a theory for how to do this but wanted to see if anyone has done it before.

Essentially, we have a vendor who wants to be able to add users to Entra groups. This is the ITSM provider. So, if a user logs a job to access a specific item of software, and that software is controlled by an Entra group, the provider just adds them to the group instead of going to someone to add them.

Obviously, I'm not about to give them an App Registration with Group.ReadWrite.All, so I'm testing this out:

  • App registration with no API, redirecting to OAuth.

  • Logic App with OAuth setup, limited to above App Registration

  • Logic App using the "Office 365 Groups" step of "Add member to group"

  • Service account signed into this Connection, providing access to Entra

  • Service account having Groups admin but scoped to a specific Admin Unit.

  • putting allowed groups into the Admin unit.

Now, the external provider should be able to send an HTTP request to get the JWT, then POST to start the Logic App, and be limited in the groups it can edit by virtue of the delegated permissions of the service account.

Has anyone done anything similar to this in the past? Can anyone see any flaws or weaknesses with this method?

reddit.com
u/13159daysold — 1 day ago
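The exchange the post describes, as an added example that is not part of the original post or of any Microsoft product code: the vendor's client-credentials token request, the POST to the Logic App's HTTP trigger, and the checks the trigger side should make before the "Add member to group" action runs. It runs offline on constructed data. All GUIDs, the token audience (taken here to be the app registration's own client ID), the v1.0 `appid` / v2.0 `azp` claim names, and the explicit allow-list of groups inside the workflow are assumptions, not details from the post; signature verification is left to the Logic App and is not modelled.

```python
"""Added example (not from the post): vendor-side requests and trigger-side
checks for letting an external ITSM app add users to admin-unit-scoped groups.
Runs offline; every identifier below is constructed."""
import json
import re
from urllib.parse import urlencode

# Constructed identifiers (assumptions).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
VENDOR_APP_ID = "22222222-2222-2222-2222-222222222222"  # app registration handed to the vendor
OTHER_APP_ID = "99999999-9999-9999-9999-999999999999"   # another app in the same tenant
ADMIN_UNIT_GROUPS = {                                    # groups placed in the admin unit
    "33333333-3333-3333-3333-333333333333",
    "44444444-4444-4444-4444-444444444444",
}
DEMO_NOW = 1_700_000_000  # fixed clock so the results are deterministic
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def build_token_request(tenant_id, client_id, client_secret, audience):
    """Vendor side: client-credentials request to Entra. Returns (url, form body).
    Scope '<audience>/.default' asks for an app-only token with 'aud' = audience."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{audience}/.default"}
    return url, urlencode(form)


def build_trigger_request(access_token, user_id, group_id):
    """Vendor side: the POST that starts the Logic App. Returns (headers, JSON body)."""
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return headers, json.dumps({"userId": user_id, "groupId": group_id})


def authorize_caller(claims, tenant_id, audience, allowed_app_ids, now):
    """Trigger side: claim checks for the Logic App authorization policy, on a
    payload whose signature has already been verified. Audience identifies the
    API, not the caller, so the caller's app id (v1.0 'appid' / v2.0 'azp') is
    checked too; otherwise any app in the tenant holding a token for this
    audience could start the workflow."""
    issuers = {f"https://login.microsoftonline.com/{tenant_id}/v2.0",
               f"https://sts.windows.net/{tenant_id}/"}
    if claims.get("iss") not in issuers:
        return False, "issuer"
    if claims.get("aud") != audience:
        return False, "audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if (claims.get("appid") or claims.get("azp")) not in allowed_app_ids:
        return False, "caller"
    return True, "ok"


def validate_group_request(raw_body, admin_unit_groups):
    """Trigger side: parse the body and allow only groups in the admin unit.
    The scoped role on the service account is the real limit; repeating the
    list here makes a bad request fail in the workflow rather than as a Graph
    error surfaced by the connector."""
    try:
        body = json.loads(raw_body)
        user_id, group_id = body["userId"], body["groupId"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if not (isinstance(user_id, str) and isinstance(group_id, str)
            and GUID_RE.fullmatch(user_id) and GUID_RE.fullmatch(group_id)):
        return False, "bad id"
    if group_id.lower() not in {g.lower() for g in admin_unit_groups}:
        return False, "group not in admin unit"
    return True, "ok"


def make_claims(app_id, exp, aud=VENDOR_APP_ID, tenant_id=TENANT_ID):
    """Constructed v1.0-shaped token payload standing in for what Entra issues."""
    return {"iss": f"https://sts.windows.net/{tenant_id}/", "aud": aud, "exp": exp, "appid": app_id}


def demo():
    """Runs the exchange end to end on constructed data; returns each decision."""
    url, form = build_token_request(TENANT_ID, VENDOR_APP_ID, "<secret>", VENDOR_APP_ID)
    policy = (TENANT_ID, VENDOR_APP_ID, {VENDOR_APP_ID}, DEMO_NOW)
    user = "55555555-5555-5555-5555-555555555555"
    _, in_unit = build_trigger_request("tok", user, "33333333-3333-3333-3333-333333333333")
    _, outside = build_trigger_request("tok", user, "66666666-6666-6666-6666-666666666666")
    return {
        "token_url": url,
        "scope_in_form": f"scope={VENDOR_APP_ID}%2F.default" in form,
        "good_caller": authorize_caller(make_claims(VENDOR_APP_ID, DEMO_NOW + 3600), *policy),
        "other_caller": authorize_caller(make_claims(OTHER_APP_ID, DEMO_NOW + 3600), *policy),
        "expired": authorize_caller(make_claims(VENDOR_APP_ID, DEMO_NOW - 1), *policy),
        "group_in_unit": validate_group_request(in_unit, ADMIN_UNIT_GROUPS),
        "group_outside": validate_group_request(outside, ADMIN_UNIT_GROUPS),
        "garbage": validate_group_request("not json", ADMIN_UNIT_GROUPS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two trigger-side functions are the parts worth carrying into the real workflow: the caller check belongs in the trigger's authorization policy alongside issuer and audience, and the group allow-list gives the workflow its own deny before the connector ever talks to Graph under the service account.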