...
| Graph API / Permissions name | Access Granted by Permissions | Used By |
|---|---|---|
| AuditLog.Read.All | Read audit log data | App Service Managed Identity |
| Group.Read.All | Read group data | App Service Managed Identity |
| GroupMember.ReadWrite.All | Read and write group memberships | App Service Managed Identity |
| User.Read.All | Read user profile | App Service Managed Identity |
| Reports.Read.All | Read report data | App Service Managed Identity |
| Organization.Read.All | Read organization information | App Service Managed Identity |
The above permissions have been added to the script's PermissionsToAdd parameter, shown below. In addition to adding the permissions, you need to enter values for these parameters:
- tenantID: your Tenant ID
- appServiceObjectID: the Object ID of the SCIM App Service
Tip: When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).
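As an added illustration of what such a grant involves (this is not the page's script, which is elided here), the following Microsoft Graph PowerShell SDK snippet assigns the six application permissions from the table to the App Service managed identity; the parameter names tenantID, appServiceObjectID and PermissionsToAdd mirror the page, the cmdlets and the Microsoft Graph application ID are the SDK's own, and it assumes appServiceObjectID is the object ID of the managed identity's service principal.

```powershell
# Added example: grant Microsoft Graph application permissions to the App Service
# managed identity using the Microsoft.Graph.Applications module.
param(
    [Parameter(Mandatory)] [string] $tenantID,            # your Tenant ID
    [Parameter(Mandatory)] [string] $appServiceObjectID,  # service principal object ID of the managed identity (assumed)
    [string[]] $PermissionsToAdd = @(
        'AuditLog.Read.All', 'Group.Read.All', 'GroupMember.ReadWrite.All',
        'User.Read.All', 'Reports.Read.All', 'Organization.Read.All'
    )
)

# Sign in as a user allowed to create app role assignments (see the Tip above).
Connect-MgGraph -TenantId $tenantID -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' | Out-Null

# Well-known application ID of the Microsoft Graph resource service principal.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Assignments the identity already holds on Graph, so re-running does not create duplicates.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServiceObjectID |
    Where-Object { $_.ResourceId -eq $graphSp.Id } | Select-Object -ExpandProperty AppRoleId

foreach ($permission in $PermissionsToAdd) {
    # Application permissions are app roles on the Graph service principal whose
    # AllowedMemberTypes includes 'Application'; delegated scopes are not app roles.
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) {
        Write-Warning "No application permission named '$permission' on Microsoft Graph; skipping."
        continue
    }
    if ($existing -contains $role.Id) {
        Write-Host "$permission is already granted; skipping."
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServiceObjectID `
        -PrincipalId $appServiceObjectID -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $permission to $appServiceObjectID."
}

# Verification: list the Graph permissions the identity now holds, for comparison with the table above.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServiceObjectID |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```

The final listing should contain exactly the six permissions from the table; anything extra is a grant that was not documented and should be reviewed.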
...
...
Assign the App service to the owner role for the Tenant Root Group
1. In Azure, navigate to Management Groups and select the Tenant Root Group.
2. Select Access Control (IAM) from the Azure navbar and then click Add role assignment (Preview).
3. Select Owner and click Next.
4. For Assign access to, select User, group, or service principal.
5. Click Select members, then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
6. Click Select.
7. Review and assign the role assignment.
Assign the App service to the Global Admin role for the tenant
1. Navigate to Azure Active Directory and select Roles and administrators from the navbar.
2. Search for and select the Global Administrator role.
3. Click Add assignments, then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
4. Click Add.
If you are managing Azure roles in EmpowerID, in addition to setting the above permissions via PowerShell, you need to create a custom role in Azure and add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles.
...