Exact permissions granted
This page is exhaustive by design: everything sprig’s installer touches, so your security review has one canonical source. The installer also has a preview mode (--what-if) that prints its plan without changing anything.
Run-time identity: the platform managed identity
Section titled “Run-time identity: the platform managed identity”| Grant | Scope | Purpose |
|---|---|---|
Contributor (Azure RBAC) |
Each builder resource group only, granted at onboarding | Create/update the builder’s static web apps |
Storage Table Data Contributor |
The platform storage account | Metadata + audit store |
Application.ReadWrite.OwnedBy (Graph app role) |
Tenant, restricted to applications the identity itself created | Per-app Entra registrations, owner assignment, share assignment |
No subscription-scope RBAC. No Application.ReadWrite.All. No directory read of other applications.
Entra objects created at install
Section titled “Entra objects created at install”| Object | Kind | Notes |
|---|---|---|
sprig-platform-api |
App registration | Token audience for the platform API; exposes one delegated scope; defines the Ops app role |
sprig-cli |
App registration (public client) | Device-code sign-in for the builder plugin; pre-authorized for the API scope so builders see no consent prompts |
Per published app, at publish time: one app registration (single-tenant, SPA + web platforms, delegated Fabric scope GraphQLApi.Execute.All and Graph User.Read), one service principal with assignment required, owner assigned. Created and owned by the platform identity.
Azure resources created at install
Section titled “Azure resources created at install”| Resource | Where | Purpose |
|---|---|---|
Resource group rg-sprig-platform |
Subscription | Platform footprint |
| Storage account (+ 4 tables) | Platform RG | Metadata, audit |
| Function App (Linux consumption) + plan | Platform RG | Publish API |
| User-assigned managed identity | Platform RG | The platform identity above |
| App Insights + Log Analytics | Platform RG | Monitoring |
| Subscription budget | Subscription | Spend alerts |
Per builder, at onboarding
Section titled “Per builder, at onboarding”| Action | Detail |
|---|---|
Resource group rg-sprig-user-<alias> |
The builder’s sandbox |
| RBAC assignment | Platform identity → Contributor on that group only |
| Azure Policy assignment | Allowed resource types pinned to Microsoft.Web/staticSites |
| Metadata row | Builder registered in the platform store |
What the person running the installer needs
Section titled “What the person running the installer needs”Once, at install time: Owner on the target subscription and Entra rights to create app registrations and grant admin consent. The installer runs under that person’s az login; it stores no credentials.
What is deliberately absent
Section titled “What is deliberately absent”- No secrets on builder machines (device-code sign-in; tokens cached per-user by MSAL).
- No platform access to data planes (Fabric is reached by viewers’ browsers, not by the platform).
- No outbound calls from the platform to any vendor endpoint — sprig has no telemetry service.