- Creation of app registrations is not [disabled in Entra ID](https://learn.microsoft.com/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications);
58
+
or
59
+
- The user is member of a privileged Entra ID role e.g. [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer)
60
+
- The user is an owner of the Azure subscription (so role assignment can be performed)
61
+
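Review bot: the list structure in this hunk leaves it unclear which prerequisites are alternatives and which are mandatory; the "or" sits between the first two bullets, but the third bullet (owner of the Azure subscription so that the role assignment can be performed) reads as an additional requirement that applies in both cases. Suggest stating that explicitly, e.g. "One of: ... ; and in addition: the user can perform role assignments at the target scope". The later hunk in this same commit asks only for ownership of the resource group for the same purpose, so check whether subscription-level ownership is really required here or whether the narrower scope applies. Minor: "is member of" should read "is a member of".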
54
62
#### Managed Identity with Federated Identity Credential and custom RBAC
- Creation of app registrations is not [disabled in Entra ID](https://learn.microsoft.com/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications);
109
+
or
110
+
- The user is member of a privileged Entra ID role e.g. [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer)
111
+
- The user is an owner of the Azure subscription (so role assignment can be performed)
112
+
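Review bot: the prerequisites added under "Managed Identity with Federated Identity Credential and custom RBAC" are the app registration ones (creation of app registrations not disabled, or membership of the Application Developer role), which do not apply to a user-assigned managed identity: that is an Azure resource created through Azure RBAC on the resource group, not an Entra ID app registration, so the first two bullets look copied from the app registration section. Suggest replacing them with the Azure permission needed to create the identity in the target resource group (for example the built-in Managed Identity Contributor role, or Contributor), and keeping only the role assignment bullet. Minor: "is member of" should read "is a member of".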
92
113
#### App registration with short-lived secret and constrained RBAC
- Creation of app registrations is not [disabled in Entra ID](https://learn.microsoft.com/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications);
133
+
or
134
+
- The user is member of a privileged Entra ID role e.g. [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer)
135
+
- The user is an owner of the Azure resource group (so role assignment can be performed)
108
136
109
137
## Terraform Configuration
110
138
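Review bot: the third bullet (owner of the Azure resource group so that the role assignment can be performed) is only sufficient when the module is told to assign roles at resource group scope; the input table further down documents that an empty `azure_role_assignments` falls back to assigning Contributor on the whole azurerm provider subscription, which a resource group owner cannot do. Since this section is the "constrained RBAC" variant, suggest adding a sentence that `azure_role_assignments` must be set to resource group (or narrower) scopes here, otherwise the apply fails at the role assignment step. Minor: "is member of" should read "is a member of".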
@@ -138,7 +166,7 @@ Generated with [terraform-docs](https://terraform-docs.io/).
138
166
| <aname="input_azdo_creates_identity"></a> [azdo_creates_identity](#input_azdo_creates_identity)| Let Azure DevOps create identity for service connection |`bool`|`false`| no |
139
167
| <aname="input_azure_role_assignments"></a> [azure_role_assignments](#input_azure_role_assignments)| Role assignments to create for the service connection's identity. If this is empty, the Contributor role will be assigned on the azurerm provider subscription. |`set(object({scope=string, role=string}))`|`[]`| no |
140
168
| <aname="input_create_federation"></a> [create_federation](#input_create_federation)| Use workload identity federation instead of a App Registration secret |`bool`|`true`| no |
141
-
| <aname="input_create_managed_identity"></a> [create_managed_identity](#input_create_managed_identity)| Creates a Managed Identity instead of a App Registration |`bool`|`true`| no |
169
+
| <aname="input_create_managed_identity"></a> [create_managed_identity](#input_create_managed_identity)| Creates a Managed Identity instead of a App Registration |`bool`|`false`| no |
142
170
| <aname="input_entra_app_notes"></a> [entra_app_notes](#input_entra_app_notes)| Description to put in the Entra ID app registration notes field |`string`|`null`| no |
143
171
| <aname="input_entra_app_owner_object_ids"></a> [entra_app_owner_object_ids](#input_entra_app_owner_object_ids)| Object ids of the users that will be co-owners of the Entra ID app registration |`list(string)`|`null`| no |
144
172
| <aname="input_entra_secret_expiration_days"></a> [entra_secret_expiration_days](#input_entra_secret_expiration_days)| Secret expiration in days |`number`|`90`| no |