You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- To add a Microsoft Entra group as a resource to a catalog:
33
-
- If using delegated permissions, the user requesting to add a group should be an owner of the group or in a directory role that allows them to modify groups.
34
-
- If using application permissions, the application requesting to add the group should also be assigned the `Group.ReadWrite.All` permission.
35
-
- To add a Microsoft Entra application as a resource to a catalog:
36
-
- If using delegated permissions, the user requesting to add an application should be an owner of the application or in a directory role that allows them to modify application role assignments.
37
-
- If using application permissions, the application requesting to add the [servicePrincipal](../resources/serviceprincipal.md) should also be assigned the *Application.ReadWrite.All* permission.
38
-
- To add a SharePoint Online site as a resource to a catalog:
39
-
- If using delegated permissions, the user who wants to add the site should be in a role that allows them to modify the SharePoint site roles, such as the *SharePoint Administrator* role.
40
-
- If using application permissions, the application should also be assigned the `Sites.FullControl.All` permission.
30
+
> [!TIP]
31
+
> In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:
32
+
>
33
+
> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate) where the least privileged role is *Catalog owner*. **This is the least privileged option**.
34
+
> - More privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) supported for this operation:
35
+
> - Identity Governance Administrator
36
+
>
37
+
> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Catalog owner* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission.
38
+
>
39
+
> Additionally you must also have the following permissions on the resource being added:
40
+
> - To add a Microsoft Entra group as a resource to a catalog:
41
+
> - If using delegated permissions, the user requesting to add a group should be an owner of the group or in a directory role that allows them to modify groups.
42
+
> - If using application permissions, the application requesting to add the group should also be assigned the `Group.ReadWrite.All` permission.
43
+
> - To add a Microsoft Entra application as a resource to a catalog:
44
+
> - If using delegated permissions, the user requesting to add an application should be an owner of the application or in a directory role that allows them to modify application role assignments.
45
+
> - If using application permissions, the application requesting to add the [servicePrincipal](../resources/serviceprincipal.md) should also be assigned the *Application.ReadWrite.All* permission.
46
+
> - To add a SharePoint Online site as a resource to a catalog:
47
+
> - If using delegated permissions, the user who wants to add the site should be in a role that allows them to modify the SharePoint site roles, such as the *SharePoint Administrator* role.
48
+
> - If using application permissions, the application should also be assigned the `Sites.FullControl.All` permission.
49
+
> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
0 commit comments