...

Graph API / Permissions name    Access Granted by Permissions       Used By
AuditLog.Read.All               Read audit log data                 App Service Managed Identity
Group.Read.All                  Read group data                     App Service Managed Identity
GroupMember.ReadWrite.All       Read and write group memberships    App Service Managed Identity
User.Read.All                   Read user profile                   App Service Managed Identity
Reports.Read.All                Read report data                    App Service Managed Identity
Organization.Read.All           Read organization information       App Service Managed Identity

The above permissions have been added to the script's PermissionsToAdd parameter, shown below. In addition to adding the permissions, you need to enter values for these parameters:

  • tenantID — Your Tenant ID

  • appServiceObjectID — Object ID of the SCIM App Service

Tip

When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).

...


...
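The following is an added example, not EmpowerID's own script, of what the PermissionsToAdd step does: it grants the Graph application permissions listed in the table to the SCIM App Service's managed identity using the Microsoft.Graph PowerShell SDK. It assumes that module is installed, that the appServiceObjectID value is the object ID of the managed identity's service principal, and that the signed-in user can create app role assignments, as the Tip above requires. The parameter names and default permission list mirror the table; everything else is illustrative.

```powershell
# Added example (not EmpowerID's script): assign Microsoft Graph application permissions
# to the SCIM App Service's managed identity, then read back what it holds.
# Assumptions: Microsoft.Graph module installed; $appServiceObjectID is the object ID of the
# managed identity's service principal.
param(
    [Parameter(Mandatory)] [string] $tenantID,
    [Parameter(Mandatory)] [string] $appServiceObjectID,
    [string[]] $PermissionsToAdd = @(
        'AuditLog.Read.All',
        'Group.Read.All',
        'GroupMember.ReadWrite.All',
        'User.Read.All',
        'Reports.Read.All',
        'Organization.Read.All'
    )
)

# Sign in as a user allowed to create app role assignments.
Connect-MgGraph -TenantId $tenantID -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Microsoft Graph's well-known application ID; its service principal exposes the app roles.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$msi     = Get-MgServicePrincipal -ServicePrincipalId $appServiceObjectID

# Existing assignments, so re-running the script does not create duplicates.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id

foreach ($permission in $PermissionsToAdd) {
    # Only application-type roles can be granted to a managed identity.
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) {
        Write-Warning "No application permission named '$permission' on Microsoft Graph; skipping."
        continue
    }
    if ($existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }) {
        Write-Host "$permission is already assigned."
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $permission."
}

# Read-back for review: resolve each assigned role ID to its permission name.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    } | Sort-Object
```

The read-back at the end is the check worth keeping: the list it prints should contain exactly the six permissions from the table, and any extra entry means the identity already held more than this page calls for.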

Assign the App service to the owner role for the Tenant Root Group

  1. In Azure, navigate to Management Groups and select the Tenant Root Group.

  2. Select Access Control (IAM) from the Azure navbar and then click Add role assignment (Preview).


  3. Select Owner and click Next.

  4. For Assign access to, select User, group, or service principal.

  5. Click Select members and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.


  6. Click Select.


  7. Review and assign the role assignment.

Assign the App service to the Global Admin role for the tenant

  1. Navigate to Azure Active Directory and select Roles and administrators from the navbar.

  2. Search for and select the Global Administrator role.

  3. Click Add assignments and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.


  4. Click Add.

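As an added example (not EmpowerID's own script), the two portal procedures above can be performed and verified from PowerShell with the Az and Microsoft.Graph modules. It assumes both modules are installed, that $appServiceObjectID is the object ID of the SCIM App Service's managed identity, and that the signed-in user holds the privileges named in the Tip. The root management group's ID equals the tenant ID, and 62e90394-69f5-4237-9190-012177145e10 is the template ID of the built-in Global Administrator role.

```powershell
# Added example (not EmpowerID's script): Owner on the Tenant Root Group plus
# Global Administrator for the SCIM App Service's managed identity, then a read-back.
# Assumptions: Az and Microsoft.Graph modules installed; $appServiceObjectID is the
# managed identity's service principal object ID.
param(
    [Parameter(Mandatory)] [string] $tenantID,
    [Parameter(Mandatory)] [string] $appServiceObjectID
)

# 1. Owner on the Tenant Root Group (its management group ID is the tenant ID).
Connect-AzAccount -TenantId $tenantID | Out-Null
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantID"

$ownerAssigned = Get-AzRoleAssignment -ObjectId $appServiceObjectID -Scope $rootScope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $rootScope }
if (-not $ownerAssigned) {
    New-AzRoleAssignment -ObjectId $appServiceObjectID -RoleDefinitionName 'Owner' -Scope $rootScope | Out-Null
}

# 2. Global Administrator in Azure AD, scoped to the whole directory ('/').
Connect-MgGraph -TenantId $tenantID -Scopes 'RoleManagement.ReadWrite.Directory'
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

$gaAssigned = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$appServiceObjectID'" |
    Where-Object { $_.RoleDefinitionId -eq $globalAdminTemplateId }
if (-not $gaAssigned) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $appServiceObjectID `
        -RoleDefinitionId $globalAdminTemplateId -DirectoryScopeId '/' | Out-Null
}

# Read-back: list exactly what the identity now holds at the tenant root and in Azure AD.
Get-AzRoleAssignment -ObjectId $appServiceObjectID -Scope $rootScope |
    Select-Object RoleDefinitionName, Scope
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$appServiceObjectID'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Both assignment steps check for an existing assignment first, so the script can be re-run safely; the two Select-Object lines at the end give the same view you would confirm in the Access Control (IAM) and Roles and administrators blades.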

Set Azure REST API Permissions

If you are managing Azure roles in EmpowerID, in addition to setting the above permissions via PowerShell, you need to create a custom role in Azure and add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles.

...