@@ -129,6 +129,40 @@ Something like:
129129 }
130130```
131131
132+ ### 5. Approve GitHub identity Entra permissions
133+
134+ The created GitHub identity will be setup with permissions in the Azure account
135+ automatically, but it additionally needs permissions at the Microsoft Entra
136+ tenant level which will require elevated permissions to approval for initial
137+ setup of the account.
138+
139+ Specifically a user with "Global Administrator" or "Privileged Role
140+ Administrator" role will need to grant admin consent to the Entra registered
141+ application that the service principal is connected to.
142+
143+ In the Azure Portal or Entra admin center, this user should go to:
144+
145+ <App registration page for app > > Manage > API Permissions
146+
147+ The registration page for the app can be found by searching `<project
148+ name>-<account name >-github-oidc`, but as display names are not unique in Entra,
149+ it's better to search via an ID, like the application/client ID.
150+
151+ There should be a "Grant admin consent for <org name >" button at the top of the
152+ table. The user should click it.
153+
154+ Alternatively, the global admin could use the [ Azure CLI to grant the
155+ permission] ( https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent ) :
156+
157+ ``` bash
158+ az ad app permission admin-consent --id < app id>
159+ ```
160+
161+ Or if developers themselves will have an elevated account, and if all account
162+ runs will be with the elevated permissions uncomment the
163+ ` azuread_app_role_assignment ` block in
164+ ` /infra/modules/auth-github-actions/main.tf ` .
165+
132166## Making changes to the account
133167
134168If you make changes to the account terraform and want to apply those changes,
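Review bot: the fallback on lines 161-164 (uncomment the `azuread_app_role_assignment` block so every account run carries the elevated Entra permissions) needs a sentence stating that it replaces a one-time Global Administrator consent with standing tenant-level privilege on the GitHub identity, and which path the project recommends; suggest naming the portal or `az ad app permission admin-consent` route as the least-privilege default and reserving the Terraform route for the case the text already describes, where all runs execute under an elevated account anyway. Two rendering problems in the same hunk: the link on lines 154-155 has a space between `]` and `(`, so `[ Azure CLI to grant the permission] (` will not render as a link, and the unfenced placeholders `<App registration page for app >` (line 145) and `<org name >` (line 151) are parsed as HTML tags and may be stripped by GitHub's sanitizer; wrap both in backticks as line 147 already does. Minor wording: `will be setup` on line 134 should read `will be set up`, and `require elevated permissions to approval for initial setup` on lines 136-137 would read better as `requires a user with elevated permissions to approve the initial setup`.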