Page Comparison

In order for the app service to access the Microsoft Graph API on your behalf, you need to add the needed permissions to the service principal application you registered for the SCIM app service in Azure, as well as assign the app service to the Owner role for the Tenant Root group and grant the app service the Global reader role for the tenant.

...

After you have published the SCIM microservice app to Azure, run the following PowerShell script to assign Graph API permissions to the app service managed identity.

Set Graph API Permissions

Permissions follow the least-privilege principle and include the following

...

:

...

Graph API / Permissions name	Access Granted by Permissions	Used By
AuditLog.Read.All	Read audit log data	App Service Managed Identity
Group.Read.All	Read group data	App Service Managed Identity
GroupMember.ReadWrite.All	Read and write group memberships	App Service Managed Identity
User.Read.All	Read user profile	App Service Managed Identity

...

Sign in and read user profile

...

App Service Managed Identity

Reports.Read.All	Read report data	App Service Managed Identity
Organization.Read.All	Read organization information	App Service Managed Identity

To assign Graph API permissions to the service principal application, do the following:

In your Azure tenant, navigate to Azure Active Directory and select App registrations from the Azure sidebar.
Search for the service principal application you registered for the SCIM app service and click the Display Name link for it.
Image Removed
Navigate to the API permissions page for the application.
Click Add a permission.
Image Removed
Click Microsoft Graph.
Image Removed
Select Application permissions.
Image Removed
Search for AuditLog and then expand the AuditLog permission and select AuditLog.Read.All.
Image Removed
Search for Group.Read.All and then expand the Group permission and select Group.Read.All.
Image Removed
Search for GroupMember.ReadWrite.All and then expand the GroupMember permission and select GroupMember.ReadWrite.All.
Image Removed
Search for User.Read.All and then expand the User permission and select User.Read.All.
Image Removed
Search for Reports.Read.All and then expand the Reports permission and select Reports.Read.All.
Image Removed
Search for Organization.Read.All and then expand the Organization permission and select Organization.Read.All.
Image Removed
Click Add permissions.
You should see the new permissions add to the application.
Image Removed
Click Grand admin consent for <Your Tenant Name>.
Image Removed
Click Yes to confirm admin consent.
Image Removed

Assign the App service to the owner role for the Tenant Root Group

In Azure, navigate to Management Groups and select the Tenant Root Group.
Select Access Control (IAM) from the Azure navbar and then click Add role assignment (Preview).
Image Removed
Select Owner and click Next.
For Assign access to select User, group, or service principal.
Click Select members and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
Image Removed
Click Select.
Image Removed
Review and assign the role assignment.

Assign the App service to the Global Reader role for the tenant

Navigate to Azure Active Directory and select Roles and administrators from the navbar.
Search for and select the Global Reader role and go to Description.
Click Add assignments and then search for and select the SCIM app service you created for the Azure AD SCIM microservice.
Image Removed
Click Add.
Image Removed

...

The above permissions have been added to the script's PermissionsToAdd parameter, shown below. In addition to adding the permissions, you need to enter values for these parameters:

tenantID — Your Tenant ID
appServiceObjectID — Object ID of the SCIM App Service

Tip
When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).

Code Block

language	powershell

###############
## GRAPH API ##
###############
Param(
    $tenantId = "",
    $appServiceObjectID = "", 
    $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All", "AuditLog.Read.All")
)

# Install AzureAD module if not installed
if (-Not(Get-Module -ListAvailable -Name AzureAD)) {
    try {
        Install-Module AzureAD -Force
    }
    catch {
        if ($_.Exception.Message.Contains("Administrator rights")) {
            Write-Host "You must run the script with administrator rights"
            
        }
        else {
            Write-Error $_.Exception.Message
        }
        
    }
}


if (Get-Module -ListAvailable -Name AzureAD) {
    # Check if connected to the target Azure AD Tenant
    try { 
        $tenantDetail = Get-AzureADTenantDetail 
    } 
    catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] 
    { 
        Write-Host "You're not connected."; 
        Connect-AzureAD -TenantId $tenantId;
        $tenantDetail = Get-AzureADTenantDetail 
    }

    if ($tenantDetail.ObjectId -ne $tenantId) {
        Write-Host "You're not connected to the tenant: " $tenantId; 
        Connect-AzureAD -TenantId $tenantId;
    }


    # Managed Identity for the SCIM App Service | Found in App Service -> Identity 
    $ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'"
    if ($ManagedIdentitiesServicePrincipal -eq $null) {
        throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
    }

    # Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Permissions
    foreach ($PermissionToAdd in $PermissionsToAdd) {
        $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"}
        if ($AppRole -eq $null) {
            Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
        }
        else {
            # Assigns a Graph API service principal to an application role
            try {
                New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop
            }
            catch {
                if ($_.Exception.ErrorContent.Message.Value.Contains("Permission being assigned already")) {
                    Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service"
                }
                else {
                    Write-Error $_
                }
            }
        }
    }
}

Insert excerpt
IL:External Stylesheet - Test
IL:External Stylesheet - Test
nopanel true
Set Azure REST API Permissions

If you are managing Azure roles in EmpowerID, in addition to setting the above permissions via PowerShell, you need to create a custom role in Azure and add the below permissions scoped to the appropriate Azure subscription(s) you want to manage in EmpowerID. These permissions allow EmpowerID to call the relevant Azure REST API endpoints needed to manage Azure roles.

Table

...

1: Permissions needed to manage Azure roles in EmpowerID

Azure REST API / Permissions name	Access Granted by Permissions	Used By
Microsoft.ManagedIdentity/userAssignedIdentites/read	Gets an existing user assigned identity	App Service Managed Identity
Microsoft.ManagedIdentity/userAssignedIdentites/write	Create a new user assigned identity or updates the tags associated with an existing user assigned identity	App Service Managed Identity
Microsoft.ManagedIdentity/userAssignedIdentites/delete	Delete an existing user assigned identity	App Service Managed Identity
Microsoft.Authorization/roleAssignments/read	Get information about a role assignment	App Service Managed Identity
Microsoft.Authorization/roleAssignments/write	Create a role assignment at the specified scope	App Service Managed Identity
Microsoft.Authorization/roleAssignments/delete	Delete a role assignment at the specified scope
Microsoft.Authorization/roleDefinitions/read	Get information about a role definition	App Service Managed Identity
Microsoft.Authorization/roleDefinitions/write	Create or update a custom role definition with specified permissions and assignable scopes	App Service Managed Identity
Microsoft.Authorization/roleDefinitions/delete	Delete the specified custom role definition	App Service Managed Identity
Microsoft.Management/managementGroups/read	View management groups	App Service Managed Identity
Microsoft.Resources/subscriptions/resourceGroups/read	Get resource groups	App Service Managed Identity
Microsoft.Resources/subscriptions/resources/read	Gets resources of a subscription	App Service Managed Identity

To set the Azure REST API Permissions for the target subscription, do the following:

In Azure, navigate to the target subscription and select Access control (IAM) from the Azure navbar.
On the Access Control (IAM) page, click Add and select Add custom role.
Image Modified
Under Basics, enter a Custom role name.
Select the Permissions tab and click Add permissions.
Image Modified
Search for Microsoft.ManagedIdentity and click the Microsoft Managed Identity tile.
Image Modified
For Actions, under Microsoft.ManagedIdentity/userAssignedIdentities, select the following:
- Read : Get User Assigned Identity
- Write : Create/Update User Assigned Identity
- Delete : Delete User Assigned Identity
Click Add.
Image Modified
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Authorization.
Click the Microsoft Authorization tile and then add the below permissions:
- Microsoft.Authorization/roleAssignments
  - Read : Get role assignment
  - Write : Create role assignment
  - Delete : Delete role assignment
- Microsoft.Authorization/roleDefinitions
  - Read : Get role definition
  - Write : Create or update custom role definition
  - Delete : Delete custom role definition
Click Add.
Image Modified
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.

...

Authorization.
Click the Microsoft Management tile and select Read : List Groups under Microsoft.Management/managementGroups.
Click Add.
Image Modified
Back on the Create a custom role page, click Add permissions again and then search for Microsoft.Resources.
Click the Microsoft Resources tile and then select the following permissions:
- Microsoft.Resources/subscriptions/resourcegroups
  - Read : Get Resource Group
- Microsoft.Resources/subscriptions/resources
  - Read : Get Subscription Resources
Click Add.
Back on the Create a custom role page, select the Assignable scopes tab and verify the scope.
Image Modified
Click Review + Create.
Review the permissions and then click Create.
Image Modified
Click OK to close the “created custom role” message.
Image Modified

Now that you have created the custom role with the needed permissions, you need to assign the Azure AD SCIM microservice to the role.
On the Access control (IAM) page, click Add > Add role assignment.
Image Modified
In the Add role assignment pane that appears, enter the following:
- Role – Select the custom role you just created
- Assign access to – App Service
- Subscription – Target subscription
- Select – The SCIM app service you created earlier.
Click Save to add the role assignment.
Image Modified
On the Access control (IAM) page, select the Role assignments tab. You should see the SCIM app service you created assigned to the custom role.