Which permissions are absolutely required for Azure AD?

Which permissions are ABSOLUTELY required for Rancher Azure AD auth to work correctly?

According to the documentation, it needs:

  • Access the directory as the signed-in user
  • Read directory data
  • Read all groups
  • Read all users’ full profiles
  • Read all users’ basic profiles
  • Sign in and read user profile

However my AD team is having a significant conniption over:

  • Read all groups
  • Read all users full profiles

Which permissions does Rancher AD auth absolutely require?


Read all groups is necessary so an operator can assign RBAC to specific AD groups.

As for users full profiles, I’ve asked the engineering team to look into whether basic profiles will suffice, or is there a specific component we need that only comes with access to users’ full profiles.

@thomas.cherryhomes, the link of that discussion is here.