...
Graph API / Permissions name | Access Granted by Permissions | Used By | Purpose |
AuditLog.Read.All | Read audit log data | App Service Managed Identity | Last sign-in inventory for users |
Group.Read.All | Read group data | App Service Managed Identity | Read all groups in Azure AD |
GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity | Read and edit (add / remove) group memberships |
User.Read.All | Read user profile | App Service Managed Identity | Read all users in Azure AD |
Reports.Read.All | Read report data | App Service Managed Identity | Read all reports, such as Office 365 Active User Details, etc. |
Organization.Read.All | Read organization information | App Service Managed Identity | Read all subscribed SKUs (license and service plans) |
**Code Block**
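##############################################################################################################
###### PowerShell Script to Grant GRAPH API permissions for Azure License Manager Managed Identity ###########
###### Example below grants full permissions needed for both Azure License Manager and RBAC Manager ##########
###### Edit as desired - required permissions for Azure License Manager "Read Access" shown below ############
<#
.SYNOPSIS
    Assigns Microsoft Graph application permissions (app roles) to an App Service managed identity.
.DESCRIPTION
    Connects to the given Azure AD tenant with the AzureAD module, looks up the managed identity's
    service principal and the Microsoft Graph service principal, and creates one app role assignment
    per entry in $PermissionsToAdd. Permissions that are already assigned are reported and skipped.
.PARAMETER tenantId
    Object ID (GUID) of the Azure AD tenant. The session must be connected to this tenant before any
    assignment is made.
.PARAMETER appServiceObjectID
    Object ID (GUID) of the App Service managed identity (App Service -> Identity).
.PARAMETER PermissionsToAdd
    Graph application permission names (AppRole values) to assign. The default is the "Full Access"
    set used by both Azure License Manager and RBAC Manager; it includes tenant-wide write roles
    (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory). Pass the "Read Access" list below
    when only the Azure License Manager functionality from the permissions table is needed.
    NOTE(review): Directory.AccessAsUser.All appears to be a delegated-only permission; if so, the
    AllowedMemberTypes filter in the loop below reports it as "Invalid Permission" - confirm against
    the Graph service principal's AppRoles and drop it from the default list if it never resolves.
.NOTES
    Requires the AzureAD module and rights to create app role assignments in the tenant.
#>
Param(
    $tenantId = "",
    $appServiceObjectID = "",
    $PermissionsToAdd = @(
        "Directory.ReadWrite.All",
        "Directory.AccessAsUser.All",
        "Reports.Read.All",
        "User.ReadWrite.All",
        "Group.ReadWrite.All",
        "RoleManagement.ReadWrite.Directory",
        "AuditLog.Read.All"
    )
)

<# Read Access
   (Directory.Read.All was listed twice in the original list; the duplicate is removed here.)
   NOTE(review): Group.ReadWrite.All and GroupMember.ReadWrite.All are write permissions despite the
   "Read Access" label. The permissions table above lists only GroupMember.ReadWrite.All for membership
   edits - confirm Group.ReadWrite.All is really required before granting it.
@("Reports.Read.All", "Group.Read.All", "User.Read.All", "Contacts.Read", "Directory.Read.All", "Group.ReadWrite.All", "AuditLog.Read.All", "GroupMember.ReadWrite.All", "RoleManagement.Read.Directory", "Organization.Read.All", "OrgContact.Read.All")
#>

<# Full Access
@("Directory.ReadWrite.All", "Directory.AccessAsUser.All", "Reports.Read.All", "User.ReadWrite.All", "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All")
#>

# Returns $true when $Value parses as a GUID. Both IDs below are interpolated into OData -Filter strings
# and handed to Connect-AzureAD, so insisting on a well-formed GUID up front gives a clear error for the
# empty defaults and keeps arbitrary text out of the filter expressions.
function Test-GuidValue([string]$Value) {
    $parsed = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$parsed)
}

if (-not (Test-GuidValue $tenantId)) {
    throw "Parameter -tenantId must be the tenant's object ID (GUID). Value given: '$tenantId'"
}
if (-not (Test-GuidValue $appServiceObjectID)) {
    throw "Parameter -appServiceObjectID must be the managed identity's object ID (GUID). Value given: '$appServiceObjectID'"
}

# Install AzureAD module if not installed
if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        # Exception.Message can be empty for some failures; stringifying and using -like never throws,
        # whereas .Contains() on $null would raise a second error inside the catch block.
        if ("$($_.Exception.Message)" -like "*Administrator rights*") {
            Write-Host "You must run the script with administrator rights"
        }
        else {
            Write-Error $_.Exception.Message
        }
    }
}

if (-Not (Get-Module -ListAvailable -Name AzureAD)) {
    # Nothing below can run without the module; fail loudly instead of exiting with nothing done.
    throw "AzureAD module is not available; install it and re-run the script."
}

# Check if connected to the target Azure AD Tenant
try {
    $tenantDetail = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Write-Host "You're not connected."
    Connect-AzureAD -TenantId $tenantId
    $tenantDetail = Get-AzureADTenantDetail
}

if ($tenantDetail.ObjectId -ne $tenantId) {
    Write-Host "You're not connected to the tenant: " $tenantId
    Connect-AzureAD -TenantId $tenantId
    # Re-read after reconnecting so a session that is still in another tenant is caught here,
    # before any app role assignment is created in the wrong directory.
    $tenantDetail = Get-AzureADTenantDetail
    if ($tenantDetail.ObjectId -ne $tenantId) {
        throw "Connected tenant $($tenantDetail.ObjectId) does not match the requested tenant $tenantId"
    }
}

# Managed Identity for the SCIM App Service | Found in App Service -> Identity
$ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq '$appServiceObjectID'"
if ($null -eq $ManagedIdentitiesServicePrincipal) {
    throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
}

# Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
if ($null -eq $GraphServicePrincipal) {
    throw "Microsoft Graph service principal (appId $GraphAppId) was not found in the tenant."
}

# Permissions
foreach ($PermissionToAdd in $PermissionsToAdd) {
    # Only roles that allow the "Application" member type can be assigned to a managed identity;
    # a name that matches no such role is reported and skipped.
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application" }

    if ($null -eq $AppRole) {
        Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        continue
    }

    # Assigns a Graph API service principal to an application role
    $assignment = @{
        ObjectId    = $ManagedIdentitiesServicePrincipal.ObjectId
        PrincipalId = $ManagedIdentitiesServicePrincipal.ObjectId
        ResourceId  = $GraphServicePrincipal.ObjectId
        Id          = $AppRole.Id
        ErrorAction = "Stop"
    }
    try {
        New-AzureAdServiceAppRoleAssignment @assignment
    }
    catch {
        # The nested ErrorContent.Message.Value path is not populated for every failure; stringify and
        # use -like so a missing member does not turn the catch block itself into a second exception.
        if ("$($_.Exception.ErrorContent.Message.Value)" -like "*Permission being assigned already*") {
            # $($AppRole.DisplayName) is required here: "$AppRole.DisplayName" inside a string would only
            # expand $AppRole and print the literal text ".DisplayName".
            Write-Host "`"$($AppRole.DisplayName)`" Permission is already assigned on the app service"
        }
        else {
            Write-Error $_
        }
    }
}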
...