Add initial workspace creator as workspace enterprise app owner (#2627)

CHANGELOG.md

@@ -8,6 +8,7 @@
 * Firewall now blocks terraform/hasicorp domains ([#2590](https://github.com/microsoft/AzureTRE/pull/2590)). **Migration** is manual - update the templateVersion of `tre-shared-service-firewall` resource in Cosmos to `0.5.0`. Check the PR for more details.
 * Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654))
 * Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655))
+* Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`.
 
 FEATURES:
 

devops/scripts/create_aad_assets.sh

@@ -26,7 +26,7 @@ fi
 
 APPLICATION_PERMISSION="Application.ReadWrite.OwnedBy"
 if [ "${AUTO_WORKSPACE_APP_REGISTRATION:-}" == true ]; then
-  APPLICATION_PERMISSION="Application.ReadWrite.All"
+  APPLICATION_PERMISSION="Application.ReadWrite.All,Directory.Read.All"
 fi
 
 if [ "${AUTO_WORKSPACE_GROUP_CREATION:-}" == true ]; then

docs/tre-admins/auth.md

@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable
 |TRE_ID|This is used to build up the name of the identities|
 |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.
-|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
-|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Directory.Read.All` and `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
+|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
+|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
 
 ## Create Authentication assets
 You can build all of the Identity assets by running the following at the command line

docs/tre-admins/identities/application_admin.md

@@ -10,8 +10,8 @@ This application does not have any roles defined.
 | Name | Type* | Admin consent required |  TRE usage |
 | --- | -- | -----| --------- |
 | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. |
-| Application.ReadWrite.All | Application | Yes | If the AAD Administrator has delegated AAD administrative operations to the TRE, then this user should be granted `Application.ReadWrite.All`. This will allow the user to create workspace applications and administer any applications in the tenant. There will be no need for the Tenant Admin to oversee the Tenant. |
-| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is requried if Azure AD groups are to be created automatically by the TRE. |
+| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. |
+| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. |
 | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. |
 
 '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details.

templates/core/.env.sample

@@ -9,12 +9,12 @@ AAD_TENANT_ID=__CHANGE_ME__
 # Auth configuration
 ####################################
 # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will create an identity with `Application.ReadWrite.OwnedBy`.
-# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All`.
+# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All` and `Directory.Read.All`.
 # When this is true, create Workspaces will also create an AAD Application automatically.
 # When this is false, the AAD Application will need creating manually.
 AUTO_WORKSPACE_APP_REGISTRATION=true
 
-# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with  `Directory.Read.All` and `Group.ReadWrite.All`
+# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
 AUTO_WORKSPACE_GROUP_CREATION=false
 
 # If your local machine/build agent cannot get the public IP

templates/core/version.txt

@@ -1 +1 @@
-__version__ = "0.4.27"
+__version__ = "0.4.28"

templates/workspaces/base/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-workspace-base
-version: 0.3.31
+version: 0.3.32
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspaces/base/terraform/aad/aad.tf

@@ -94,7 +94,7 @@ resource "azuread_application" "workspace" {
 resource "azuread_service_principal" "workspace" {
   application_id               = azuread_application.workspace.application_id
   app_role_assignment_required = false
-  owners                       = [data.azuread_client_config.current.object_id]
+  owners                       = [data.azuread_client_config.current.object_id, var.workspace_owner_object_id]
 
   feature_tags {
     enterprise = true